A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #2160  by CloneRanger
 Sat Aug 21, 2010 12:54 pm
Anil started a blog in 2004/5 under the name Wng_z3r0 which i used to visit from time to time - http://spyware-free.us - This is what it used to look like - http://web.archive.org/web/200707010742 ... re-free.us - can't seem to load the Rootkit page though - http://spyware-free.us/labels/rootkit.html - via - http://web.archive.org ?

Yesterday i was looking through my old internet favourites to clear out for non working links etc. I found his site has now moved to - http://wngz3r0.info

He has written a small Keylogger with source - http://wngz3r0.info/2010/07/keyloggers- ... l-to-write - that as expected is either undetected/unknown by the vendors, and i imagine lots of other people too.

Result: 0 /42 (0.0%) - http://www.virustotal.com/file-scan/rep ... 1282393199 - This file has never been reviewed by any VT Community member. Be the first one to comment on it!

Scanner results : Scanners did not find malware! - http://virscan.org/report/103eb70aed7ff ... ad5d4.html - Note: This file has been scanned before. ? Therefore, this file's scan result will not be stored in the database.

Zemana blocks it straightaway
z1.gif
z1.gif (18.49 KiB) Viewed 765 times
and Prevx won't allow it to work, as tested on HTTPS and HTTP www's.

It does work on text in documents/notepad etc. One thing i discovered with it is, it misrepresents a handful of lesser used characters for others ? Regular ones like numbers and letters and many others are fine though !

I'm not saying it's a brilliant KL as obviously it has it's faults, just found it interesting that up until now. it's slipped through the net. In it's present state it can't be hidden, so not really much of a threat, but it could still be used to trick etc "some" people no doubt.
 #2163  by EP_X0FF
 Sat Aug 21, 2010 1:32 pm
Actually it is simple demo of trivial SetWindowHookEx function. I did the same thing nine years ago. There are nothing undetectable in such stuff.
It can't be taken seriously. Thread moved to General Discussion.
 #2170  by CloneRanger
 Sat Aug 21, 2010 8:04 pm
@ EP_X0FF

Hi, by undetected i meant by ALL vendors, not actually undetectable per se ;)
I did the same thing nine years ago.
Only nine :P
 #2175  by EP_X0FF
 Sun Aug 22, 2010 4:23 am
What's the point to vendors detect sample application? They must then detect sample applications from Jeffrey Richter book chapter related to code injection and a lot of other books.
 #5306  by wng_z3r0
 Fri Mar 04, 2011 9:51 am
Thanks for taking note in my little demo. (sorry about the delayed post I just noticed this thread)

The interesting thing is that the injection works with standard user permissions, and the fact that it's trivial to create. What I'm curious about is how you could detect such a hook. I had messed around with the detours API but couldn't get anything to work properly.

As EP_X0FF noted, the actual code sample isn't really interesting. It's just a POC using a standard win32 api.

wng
 #5307  by EP_X0FF
 Fri Mar 04, 2011 10:02 am
wng_z3r0 wrote:What I'm curious about is how you could detect such a hook. I had messed around with the detours API but couldn't get anything to work properly.
http://www.wasm.ru/article.php?article=hooks_inside

Your hook will be detected as WH_KEYBOARD_LL with full path to hooker dll.

This detection feature implemented in several antirootkits including RkU.

Image