flat assembler
Message board for the users of flat assembler.

Index > Windows > How to write my keylogger onto MBR




luish 05 Feb 2018, 11:12
I wrote a keylogger that modifies the IVT to intercept Int9 to retrieve keystrokes; however, when I try to write my keylogger in the MBR I can't modify the 0:24h of int 9. Why in the Windows MBR don't I modify the IVT?



DimonSoft 05 Feb 2018, 11:35
luish wrote:
I wrote a keylogger that modifies the IVT to intercept Int9 to retrieve keystrokes; however, when I try to write my keylogger in the MBR I can't modify the 0:24h of int 9. Why in the Windows MBR don't I modify the IVT?

You have an error in your code at line 17.

Unless you target pre-Win95 versions, you will not gain much by intercepting Int9 handling.

Not to offend you, but either you are trying to do something really cool that you cannot explain, or you don’t understand certain basic topics like the difference between real mode and protected mode, the OS loading process, stuff like that. Anyway, in order to get any decent help you need to formulate the task you’re trying to solve and (since you apparently have some code that doesn’t work) the solution you’ve chosen but have difficulties implementing.


revolution 05 Feb 2018, 11:36
If you are using a version of Windows based upon NT* then you can't override or monitor the system from real mode code in the MBR.

* 2000 and later.

Anyhow, the latest version of Windows has an inbuilt keylogger that sends all the keystrokes to MS. You can ask MS for a copy.



luish 05 Feb 2018, 11:45
I already know that it isn't a good idea to hook int 9; however, I want to know why Windows freezes if I try to write at 0:24h in the MBR?


revolution 05 Feb 2018, 11:50
luish wrote:
I already know that it isn't a good idea to hook int 9; however, I want to know why Windows freezes if I try to write at 0:24h in the MBR?

Because your code is buggy? Because your code writes to memory used by Windows? Because Windows is buggy? Because Windows detects something not right? Because Windows writes to memory used by your code? All of the above? Remember that Windows isn't expecting anything to be in the RAM except for its own MBR so it would just use memory as it wants to.

Without the source code for either Windows or your MBR it is going to be very hard to find out why. You could try running in a VM and using a host debugger or logger.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
