Undetected keylogger - problems and solutions ?!
- Sethioz
- Admin
- Posts: 4764
- Joined: Fri Jul 27, 2007 5:11 pm
- Custom: Gaming YT > https://youtube.com/SethiozEntertainment
Game Hacking YT > https://youtube.com/sethioz
Game Hacks Store > https://sethioz.com/shopz - Location: unknown
- Contact:
Undetected keylogger - problems and solutions ?!
I finally looked into this, what many have asked: how to make an undetected keylogger?
Well, my idea has always been that you make it on a PC which does not have anti-virus (or has it disabled) and then find the signature that triggers the alert on AVs.
So I split the keylogger into lots of pieces (about 200) and scanned them. Of course I got several problems and it's quite confusing.
At the beginning of the .exe I found "MZE". If I change either M or Z, then it becomes undetected, but it won't run either.
So I assume that MZE + something is the signature, but it's quite hard to find what causes the alert.
I used Ardamax keylogger to make the keylogger and I implanted it into another program.
If anybody has better ideas, post them up!
So far I haven't managed to make it undetectable and working, but I only tested one method. Just posted it so people can put their ideas here (and solutions maybe).
UPDATE:
I also tried to pack it with UPX, but it still got detected.
UPDATE:
...MZ is the signature for an executable, so it makes no sense. The AV seems to be detecting the executable itself.
Maybe I missed something or split in the wrong place, I don't know. I'll try to take a look at it again.
- Allie
- Posts: 105
- Joined: Tue Jan 12, 2010 2:59 pm
Re: Undetected keylogger - problems and solutions ?!
Probably you know about this one, but anyway:
I didn't use Ardamax, so I'm not sure, but I made one KG undetectable this way:
Changed signatures (assembly info) with Resource Hacker, i.e. stuff like "company name", "version", etc.
Edited some library file names in hex (for example FILE.DLL, which I made look like fIllE.dLl, but you probably need to test each .DLL because changing some of them may break your KG).
And also, as you may have already noticed, in some places there are huge spaces (zeros) between stuff in hex. You can put whatever you want in there, useless junk I mean; this can fool some poor AVs. And if you find in hex the beginning of one "function" and its end, you can fill the space between functions, instead of zeros, with some junk too; this really helps.
In addition I want to say I've heard somewhere something about Avira AV: it seems to detect some "viruses" (after all it's often a false positive) through the icon, so I can advise you to change it too.
And one hint, not about the keylogger itself: when you put your KG into an archive, I recommend you put it into a ZIP (it has some special encryption, so as long as your KG stays in the archive it will be hidden from some AVs) with the "name encrypting" function, of course with compression; the stronger the compression, the lower the detection.
- Sethioz
- Admin
Re: Undetected keylogger - problems and solutions ?!
I actually never checked it with ResHacker, should do it.
Try on Ardamax and see if it works.
As for zip/rar: as long as you enable encryption, it will be undetectable, but as soon as you unpack it, it gets detected obviously.
- Allie
Re: Undetected keylogger - problems and solutions ?!
Some AVs (like NOD32, and others that hook deeply into the system) may not detect the virus on scan after the method I wrote here, but they WILL detect it at runtime by PE headers. I'm not good at such stuff, but I googled it and found a script in VB/C++ for doing a PE realign; I think it can be "injected" into the file with OllyDbg, so someone should try it.
Of course you can change the PE itself, but realign is way better in my opinion.
If I'm talking nonsense now, don't blame me lol, I'm really an epic noob at such things; I only know simple things like Delphi, HTML, a little PHP etc. and have a VERY small understanding of VB/C++ stuff.
Code:
Option Explicit

' PE constants (32-bit PE only: the optional header magic is checked below)
Private Const IMAGE_DOS_SIGNATURE As Long = &H5A4D&          ' "MZ"
Private Const IMAGE_NT_SIGNATURE As Long = &H4550&           ' "PE\0\0"
Private Const IMAGE_NT_OPTIONAL_HDR32_MAGIC As Long = &H10B&
Private Const SIZE_DOS_HEADER As Long = &H40
Private Const SIZE_NT_HEADERS As Long = &HF8                 ' 4 + 20 + 224 (PE32)
Private Const SIZE_SECTION_HEADER As Long = &H28

Private Type IMAGE_DOS_HEADER
    e_magic As Integer
    e_cblp As Integer
    e_cp As Integer
    e_crlc As Integer
    e_cparhdr As Integer
    e_minalloc As Integer
    e_maxalloc As Integer
    e_ss As Integer
    e_sp As Integer
    e_csum As Integer
    e_ip As Integer
    e_cs As Integer
    e_lfarlc As Integer
    e_ovno As Integer
    e_res(0 To 3) As Integer
    e_oemid As Integer
    e_oeminfo As Integer
    e_res2(0 To 9) As Integer
    e_lfanew As Long            ' file offset of the NT headers
End Type

Private Type IMAGE_FILE_HEADER
    Machine As Integer
    NumberOfSections As Integer
    TimeDateStamp As Long
    PointerToSymbolTable As Long
    NumberOfSymbols As Long
    SizeOfOptionalHeader As Integer
    characteristics As Integer
End Type

Private Type IMAGE_DATA_DIRECTORY
    VirtualAddress As Long
    Size As Long
End Type

Private Type IMAGE_OPTIONAL_HEADER
    Magic As Integer
    MajorLinkerVersion As Byte
    MinorLinkerVersion As Byte
    SizeOfCode As Long
    SizeOfInitializedData As Long
    SizeOfUninitializedData As Long
    AddressOfEntryPoint As Long
    BaseOfCode As Long
    BaseOfData As Long
    ImageBase As Long
    SectionAlignment As Long
    FileAlignment As Long
    MajorOperatingSystemVersion As Integer
    MinorOperatingSystemVersion As Integer
    MajorImageVersion As Integer
    MinorImageVersion As Integer
    MajorSubsystemVersion As Integer
    MinorSubsystemVersion As Integer
    W32VersionValue As Long
    SizeOfImage As Long
    SizeOfHeaders As Long
    CheckSum As Long
    SubSystem As Integer
    DllCharacteristics As Integer
    SizeOfStackReserve As Long
    SizeOfStackCommit As Long
    SizeOfHeapReserve As Long
    SizeOfHeapCommit As Long
    LoaderFlags As Long
    NumberOfRvaAndSizes As Long
    DataDirectory(0 To 15) As IMAGE_DATA_DIRECTORY
End Type

Private Type IMAGE_NT_HEADERS
    Signature As Long
    FileHeader As IMAGE_FILE_HEADER
    OptionalHeader As IMAGE_OPTIONAL_HEADER
End Type

Private Type IMAGE_SECTION_HEADER
    SecName(0 To 7) As Byte     ' byte array, not String * 8: keeps the struct 40 bytes for CopyMemory
    VirtualSize As Long
    VirtualAddress As Long
    SizeOfRawData As Long
    PointerToRawData As Long
    PointerToRelocations As Long
    PointerToLinenumbers As Long
    NumberOfRelocations As Integer
    NumberOfLinenumbers As Integer
    characteristics As Long
End Type

Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Dest As Any, Src As Any, ByVal L As Long)

'---------------------------------------------------------------------------------------
' Purpose   : Realign PE From File
' Params    : In sSrcFile, Source File to be patched
'             In optional, Destination file, if not specified will be the same as Source
'             In bPreserveAlignment, preserve block alignment
' Returns True on success
'---------------------------------------------------------------------------------------
Public Function RealignPEFromFile( _
        ByVal sSrcFile As String, _
        Optional sDstFile As String, _
        Optional bPreserveAlignment As Boolean = True) As Boolean
    Dim bvData() As Byte
    Dim hFile As Integer

    On Local Error GoTo RealignPEFromFile_Error

    If sDstFile = vbNullString Then
        sDstFile = sSrcFile
    End If

    ' Read the whole file into memory
    hFile = FreeFile
    Open sSrcFile For Binary Access Read As #hFile
    ReDim bvData(LOF(hFile) - 1)
    Get #hFile, , bvData()
    Close #hFile

    ' Only write the destination (and report success) if the in-memory fix-up succeeded
    If RealignPEFromBytes(bvData, bPreserveAlignment) Then
        hFile = FreeFile
        Open sDstFile For Binary Access Write As #hFile
        Put #hFile, , bvData()
        Close #hFile
        RealignPEFromFile = True
    End If

    On Error GoTo 0
    Exit Function

RealignPEFromFile_Error:
    Close                       ' release any handle still open; the function returns False
End Function

'---------------------------------------------------------------------------------------
' Purpose   : Realign PE From Byte Array
' Params    : In bvData, byte array containing the exe file
'             In bPreserveAlignment, preserve block alignment
' Returns True on success
'---------------------------------------------------------------------------------------
Public Function RealignPEFromBytes( _
        ByRef bvData() As Byte, _
        Optional bPreserveAlignment As Boolean = True) As Boolean
    Dim lSize As Long
    Dim lLastSectPos As Long
    Dim tIMAGE_DOS_HEADER As IMAGE_DOS_HEADER
    Dim tIMAGE_NT_HEADERS As IMAGE_NT_HEADERS
    Dim tIMAGE_SECTION_HEADER As IMAGE_SECTION_HEADER

    On Local Error GoTo RealignPEFromBytes_Error

    ' DOS header: must start with "MZ"; e_lfanew points at the NT headers
    CopyMemory tIMAGE_DOS_HEADER, bvData(0), SIZE_DOS_HEADER
    If Not tIMAGE_DOS_HEADER.e_magic = IMAGE_DOS_SIGNATURE Then
        Exit Function
    End If

    ' NT headers: "PE\0\0" signature and a PE32 optional header
    CopyMemory tIMAGE_NT_HEADERS, bvData(tIMAGE_DOS_HEADER.e_lfanew), SIZE_NT_HEADERS
    If Not tIMAGE_NT_HEADERS.Signature = IMAGE_NT_SIGNATURE Then
        Exit Function
    End If
    If Not tIMAGE_NT_HEADERS.OptionalHeader.Magic = IMAGE_NT_OPTIONAL_HDR32_MAGIC Then
        Exit Function
    End If

    ' Locate the last section header (the section table follows the NT headers)
    lLastSectPos = _
        tIMAGE_DOS_HEADER.e_lfanew + SIZE_NT_HEADERS + _
        (tIMAGE_NT_HEADERS.FileHeader.NumberOfSections - 1) * SIZE_SECTION_HEADER
    CopyMemory tIMAGE_SECTION_HEADER, bvData(lLastSectPos), SIZE_SECTION_HEADER

    ' Grow the last section's SizeOfRawData so it covers any overlay (bytes appended
    ' after the end of the section data); the file bytes themselves are not moved
    lSize = tIMAGE_SECTION_HEADER.PointerToRawData + tIMAGE_SECTION_HEADER.SizeOfRawData
    tIMAGE_SECTION_HEADER.SizeOfRawData = _
        tIMAGE_SECTION_HEADER.SizeOfRawData + (UBound(bvData) + 1 - lSize)
    CopyMemory bvData(lLastSectPos), tIMAGE_SECTION_HEADER, SIZE_SECTION_HEADER

    If bPreserveAlignment Then
        ' Raw sizes are expected to be multiples of FileAlignment: append zero bytes
        ' at the end of the file so the enlarged last section stays aligned
        Dim lAlign As Long
        Dim lPad As Long
        lAlign = tIMAGE_NT_HEADERS.OptionalHeader.FileAlignment
        If lAlign > 0 Then
            lPad = (lAlign - (tIMAGE_SECTION_HEADER.SizeOfRawData Mod lAlign)) Mod lAlign
            If lPad > 0 Then
                ReDim Preserve bvData(UBound(bvData) + lPad)   ' new elements are zero
                tIMAGE_SECTION_HEADER.SizeOfRawData = tIMAGE_SECTION_HEADER.SizeOfRawData + lPad
                CopyMemory bvData(lLastSectPos), tIMAGE_SECTION_HEADER, SIZE_SECTION_HEADER
            End If
        End If
    End If

    RealignPEFromBytes = True
    On Error GoTo 0
    Exit Function

RealignPEFromBytes_Error:
End Function
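As an added example (not code from the thread, from Ardamax, or from the VB6 script above): a small Python PE32 header walker covering the two things this thread keeps circling. It validates the MZ and PE signatures (which is why breaking "MZ" in the opening post killed both the detection and the program: the Windows loader refuses a file without it), walks the section table, reports overlay bytes past the last section (exactly the bytes the realign script above folds into the last section's SizeOfRawData), and checks whether the padding between a section's VirtualSize and SizeOfRawData is all zero, which is what the "fill the 00 00 areas with junk" trick disturbs. The sample image is constructed inline by build_sample_pe() and is not a runnable program; the function names and the findings format are this example's own.

```python
"""PE32 header walker: signature checks, section table, overlay and slack audit.
Added example for this thread; not the forum's or Ardamax's code.
Assumes a PE32 (not PE32+) image; the sample is constructed, not a real exe."""
import struct

DOS_HEADER_SIZE = 0x40
FILE_HEADER_SIZE = 0x14
OPTIONAL_HEADER32_SIZE = 0xE0
SECTION_HEADER_SIZE = 0x28
PE32_MAGIC = 0x10B
FILE_HEADER_FMT = "<HHIIIHH"        # Machine .. Characteristics (20 bytes)
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # Name .. Characteristics (40 bytes)


def build_sample_pe(overlay=b"", slack_fill=b"\x00"):
    """Constructed sample (not a real program): one .text section whose
    SizeOfRawData (0x200) exceeds its VirtualSize (0x10), so 0x1F0 bytes of
    padding follow the code, plus an optional overlay appended after it.
    slack_fill is the single byte written into that padding."""
    file_align, sect_align = 0x200, 0x1000
    headers_size, raw_size, virt_size = 0x200, 0x200, 0x10

    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = b"MZ"                                    # e_magic
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)  # e_lfanew: NT headers follow directly

    # IMAGE_FILE_HEADER: i386, 1 section, PE32 optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, 1, 0, 0, 0, OPTIONAL_HEADER32_SIZE, 0x0102)

    opt = bytearray(OPTIONAL_HEADER32_SIZE)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)           # ImageBase
    struct.pack_into("<I", opt, 32, sect_align)         # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)         # FileAlignment
    struct.pack_into("<I", opt, 56, 0x2000)             # SizeOfImage
    struct.pack_into("<I", opt, 60, headers_size)       # SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                  # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes

    section = struct.pack(SECTION_HEADER_FMT, b".text", virt_size, 0x1000,
                          raw_size, headers_size, 0, 0, 0, 0, 0x60000020)

    image = dos + b"PE\0\0" + file_hdr + opt + section
    image += b"\x00" * (headers_size - len(image))      # pad headers to FileAlignment
    image += b"\xC3" * virt_size                        # "code": a run of RET
    image += slack_fill * (raw_size - virt_size)        # section padding (slack)
    return bytes(image) + overlay


def parse_pe(data):
    """Validate MZ/PE signatures and return header facts plus the section table."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER_FMT, data, fh)
    opt = fh + FILE_HEADER_SIZE
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != PE32_MAGIC:
        raise ValueError("not PE32 (optional header magic 0x%X)" % magic)
    file_align = struct.unpack_from("<I", data, opt + 36)[0]

    sections = []
    first = opt + opt_size                              # section table follows the optional header
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER_FMT, data, first + i * SECTION_HEADER_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rawsize, "raw_ptr": rawptr, "characteristics": chars})
    sections_end = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    return {"machine": machine, "file_alignment": file_align, "sections": sections,
            "sections_end": sections_end, "overlay_size": max(len(data) - sections_end, 0)}


def section_slack_is_clean(data, section):
    """The bytes between a section's VirtualSize and SizeOfRawData are alignment
    padding that the linker writes as zeros; anything else was put there later."""
    start = section["raw_ptr"] + min(section["virtual_size"], section["raw_size"])
    end = section["raw_ptr"] + section["raw_size"]
    return not any(data[start:end])


def audit_pe(data):
    """Return the findings a reviewer would want flagged for an image."""
    info = parse_pe(data)
    findings = []
    if info["overlay_size"]:
        findings.append("overlay of %d bytes after the last section" % info["overlay_size"])
    for s in info["sections"]:
        if not section_slack_is_clean(data, s):
            findings.append("non-zero bytes in the padding of section %s" % s["name"])
        if info["file_alignment"] and s["raw_size"] % info["file_alignment"]:
            findings.append("SizeOfRawData of %s is not a multiple of FileAlignment" % s["name"])
    return findings


if __name__ == "__main__":
    for label, img in (("clean", build_sample_pe()),
                       ("tampered", build_sample_pe(overlay=b"OVERLAY-DATA", slack_fill=b"\x90"))):
        print(label, parse_pe(img)["sections"][0]["name"], audit_pe(img) or "no findings")
```

On a real file, replace the constructed image with `open(path, "rb").read()`; the overlay count is the number of bytes the realign script's first step would add to the last section's SizeOfRawData, and a non-zero padding finding is the on-disk trace of the "fill the zeros" edit.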
- Sethioz
- Admin
Re: Undetected keylogger - problems and solutions ?!
I googled a lot too, but found nothing I didn't know before. I still haven't tested ResHacker or adding custom bytes into 00 00 areas.
This method however is something new; I knew about the headers, but not this specific thing. Need to test stuff out in my virtual PC.
Re: Undetected keylogger - problems and solutions ?!
Does it generate source code to compile, or just a binary?
If it generates source code I might know a way ;)
- Sethioz
- Admin
Re: Undetected keylogger - problems and solutions ?!
TR, can't you just write one? It should be simple enough, just a few simple functions: log the keystrokes and grab the application name if possible, then upload via FTP.
- Sethioz
- Admin
Re: Undetected keylogger - problems and solutions ?!
I tested the method of putting random stuff into empty space. Well, it works, but the program doesn't work. So if you test carefully and only fill some null bytes, it should work.
Here's why it's so annoying to test:
I have to do that in a virtual machine, because I don't want it on my machine.
I need to use either a local server or a USB stick to transfer between the virtual machine and my PC. It's just annoying and takes time.
Anybody else wants to try?
Re: Undetected keylogger - problems and solutions ?!
Can you create a keylogger for all of us then?
- Sethioz
- Admin
Re: Undetected keylogger - problems and solutions ?!
Who are you asking?
I'm not a programmer, otherwise this topic wouldn't exist. Also a lot of developers and AV companies are keeping an eye on my site, so if I released one, they would most likely add it to the AV list.
- Sethioz
- Admin
Re: Undetected keylogger - problems and solutions ?!
I just came up with one weird, but awesome idea.
I wonder if it's possible to create a tool / batch that adds a signature into the most commonly used anti-virus programs?
If they have no password enabled (no password required when changing settings), it should be easily doable by adding a specific signature into the whitelist / exceptions of the anti-virus.
Then pack / encrypt the .exe and maybe make 2 of them: the first .exe adds the exception and once done, it executes your evil.exe to do whatever it was meant to do.
I might try this, it shouldn't be that hard to write a small tool that does a specific thing in Windows; maybe it is enough to enter a registry key.
- Newbie..
- Posts: 1
- Joined: Fri Sep 13, 2013 2:41 am
Re: Undetected keylogger - problems and solutions ?!
A software keylogger would probably record keystrokes from an O/S soft keyboard like Microsoft's, depending on where exactly it hooks into the operating system.
Sethioz wrote:
I finally looked into this, what many have asked: how to make an undetected keylogger?
Well, my idea has always been that you make it on a PC which does not have anti-virus (or has it disabled) and then find the signature that triggers the alert on AVs.
So I split the keylogger into lots of pieces (about 200) and scanned them. Of course I got several problems and it's quite confusing.
At the beginning of the .exe I found "MZE". If I change either M or Z, then it becomes undetected, but it won't run either.
So I assume that MZE + something is the signature, but it's quite hard to find what causes the alert.
I used Ardamax keylogger to make the keylogger and I implanted it into another program.
If anybody has better ideas, post them up!
So far I haven't managed to make it undetectable and working, but I only tested one method. Just posted it so people can put their ideas here (and solutions maybe).
UPDATE:
I also tried to pack it with UPX, but it still got detected.
UPDATE:
...MZ is the signature for an executable, so it makes no sense. The AV seems to be detecting the executable itself.
Maybe I missed something or split in the wrong place, I don't know. I'll try to take a look at it again.
- Sethioz
- Admin
Re: Undetected keylogger - problems and solutions ?!
What exactly is this post supposed to be? I know what a keylogger is; this topic is about how to make a keylogger undetectable, not about what it is... duh