
Key logger topic.

Started by hutch--, December 11, 2005, 11:09:44 PM


sluggy

Quote from: ZOverLord on December 12, 2005, 01:33:06 PM
As a Test, because I wanted to make sure it really worked and the best way to do so, I felt, was to test it with a keyboard hook, so I could prove easily ("Testing the concept from multiple sources using sockets would have been more complicated to create many multiple sources of input to make sure it really worked")

For the reason I mentioned above, this is an invalid test. Keyboard hooks and port hooks are two totally different beasts.


ZOverLord

Quote from: sluggy on December 12, 2005, 01:48:08 PM
ZOverlord,
please stop sulking about what has happened. We have an iron clad policy on this for a reason - we get wannabe hackers and crackers through here on a weekly basis using all sorts of excuses to get this information, and they can be VERY inventive. You have shown up, we don't know you from a bar of soap, and you have instantly launched into asking questions about keyloggers. Put yourself in our shoes: would you not be suspicious, even though there is a lot of information out there already?

Like you say, this sort of information is not top secret. We are not protecting any egos by referring to "power users". "Power users" was probably the wrong phrase to use - "experienced Windows coders" would have been better. But the fact that this knowledge is "out there" doesn't prevent people from being prosecuted in US courts under the various stupid and onerous US laws such as the DMCA or the Homeland Security Act. This is why we are not particularly friendly when people ask about keyloggers. Also think about the thousands (or millions) of people who have lost thousands of dollars because of illegal use of keyloggers. So that is the reason for that policy of this forum, like it or leave it, it is not negotiable. As for the post you originally linked to, White Scorpion is known to dabble in hacking/cracking under the guise of "security research". Don't try to second guess the decisions of the moderation team. In any case, that was one of the few times White Scorpion *did* get an answer.

In the example you posted, the exe is faking being a dll by starting a thread that just sits there and processes. Because it is not injected, it has no access to the memory space of the hooked thread - it just gets the keyboard input. You can read the official doco on it here and here. Note that this is a *keyboard* hook, and has nothing to do with the socket hooking that you were also talking about - that is a different subject and I would suggest you start a different post about it.

If you want assistance translating your original C++ post into asm, then make a start and ask questions when you get stuck, we are not going to write it for you. You will not be able to write a port filter/logger without using a dll, and using an example of a low level keyboard hook to illustrate your question is like comparing apples with oranges. C/C++ can abstract things so that keyboard input and port 25 input both look the same at function level, but it is a different kettle of fish at the asm level, you can't always rely on libraries and stdin, you have to code some of this yourself. What you could do though is use an existing C library for monitoring the port, and just call it from asm, but once again you cannot do a port filter as just a stand-alone exe.

The last thing that may help you: try visiting the network section at sysinternals.com, they have an application called TDIMon that does what you want. These guys used to have the source code available for their apps, you may still be able to track it down.


I am not sulking, you are the mod, so as I stated I am sorry I even asked. I can assure you this works in C++, there was no apples and oranges, The concept IS/WAS setting hooks in an EXE without the use of a DLL, the example was a METHOD to show that, nothing more, nothing less. It was used to ATTEMPT to get an answer if it could be done in MASM32, nothing more nothing less.

I can assure you that your statement of "the exe is faking being a dll by starting a thread that just sits there and processes. Because it is not injected, it has no access to the memory space of the hooked thread - it just gets the keyboard input" is not correct.

Anyway, sorry to bother everyone here, I will just continue the project and in C++

Thanks for all your help and time.

PS. Please delete my ID, I have no desire to be a member of a community where the senior people seem to be not capable of understanding simple questions and being insulted at the same time.

The Keyboard example thread was deleted, and the question still stands, someday try the method in c++, it works, way too frustrated to remain a member and be treated as a child because some people can't get away from KeyBoard Tangents and focus on the original question.


sluggy

Quote from: Delete on December 12, 2005, 02:08:34 PM
I can assure you this works in C++, there was no apples and oranges, The concept IS/WAS setting hooks in an EXE without the use of a DLL, the example was a METHOD to show that, nothing more, nothing less. It was used to ATTEMPT to get an answer if it could be done in MASM32, nothing more nothing less.

Of course it works in C++, nobody said it doesn't. And of course it can be done in MASM, C compiles to assembly language.

Quote
I can assure you that your statement of "the exe is faking being a dll by starting a thread that just sits there and processes. Because it is not injected, it has no access to the memory space of the hooked thread - it just gets the keyboard input" is not correct.

Dude, it IS correct. It starts a new thread. It receives keyboard input as part of the hook chain. It has no access to the context or memory space of the causative thread. Go and read the MSDN documentation again.

Quote
Anyway, sorry to bother everyone here, I will just continue the project and in C++

Thanks for all your help and time.

You didn't bother us, you just got off on the wrong foot. And sulked. And argued. And asked mixed questions - talking about a keyboard hook when you were actually wanting to know about a port filter. We have no problems helping you, but you are arguing against *everything* we said. A student will learn but only when he is ready. You can lead a horse to water but you can't make it drink. You couldn't see the wood because of the trees. Etc etc. We are still happy to answer questions as long as you are prepared to listen and not get temperamental. We were not insulting your considerable experience in other (unnamed) systems, but you came seeking our help and weren't prepared to listen.

In any case, if you are more comfortable with C/C++ then that is a good choice. You never did say why it had to be done in asm....

ZOverLord

#18
Quote from: sluggy on December 12, 2005, 02:31:31 PM
Quote from: Delete on December 12, 2005, 02:08:34 PM
I can assure you this works in C++, there was no apples and oranges, The concept IS/WAS setting hooks in an EXE without the use of a DLL, the example was a METHOD to show that, nothing more, nothing less. It was used to ATTEMPT to get an answer if it could be done in MASM32, nothing more nothing less.

Of course it works in C++, nobody said it doesn't. And of course it can be done in MASM, C compiles to assembly language.

Quote
I can assure you that your statement of "the exe is faking being a dll by starting a thread that just sits there and processes. Because it is not injected, it has no access to the memory space of the hooked thread - it just gets the keyboard input" is not correct.

Dude, it IS correct. It starts a new thread. It receives keyboard input as part of the hook chain. It has no access to the context or memory space of the causative thread. Go and read the MSDN documentation again.

Quote
Anyway, sorry to bother everyone here, I will just continue the project and in C++

Thanks for all your help and time.

You didn't bother us, you just got off on the wrong foot. And sulked. And argued. And asked mixed questions - talking about a keyboard hook when you were actually wanting to know about a port filter. We have no problems helping you, but you are arguing against *everything* we said. A student will learn but only when he is ready. You can lead a horse to water but you can't make it drink. You couldn't see the wood because of the trees. Etc etc. We are still happy to answer questions as long as you are prepared to listen and not get temperamental. We were not insulting your considerable experience in other (unnamed) systems, but you came seeking our help and weren't prepared to listen.

In any case, if you are more comfortable with C/C++ then that is a good choice. You never did say why it had to be done in asm....

Here is the WATER now DRINK:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/hookreference/hookfunctions/lowlevelkeyboardproc.asp

Quote:

"The LowLevelKeyboardProc hook procedure is an (application-defined or library-defined callback function) used with the SetWindowsHookEx function. The system calls this function every time a new keyboard input event is about to be posted into a thread input queue. The keyboard input can come from the local keyboard driver or from calls to the keybd_event function."

If this is the way NORMAL people are treated here, please delete my ID, there is NO delete option I can find.

Glad I could teach you something, at least someone learned something, my suggestion, read more on how these low level functions work, as I kind of figured, based on incomplete answers to two other threads on this subject, NOBODY here knows if this can be done in MASM32, because NOBODY has tried it yet.

Read Up and learn how these LOW level HOOKS work now and specifically about "SetWindowsHookEx" because the SAME can be done with sockets, it just would have been very hard to use an example of that, so I used a Console Program that was short.

Way too many tangents, the inability to focus on the question asked and Insults here for me, as well as over-inflated EGO's!

Drink up!

FYI, please tell Hutch he should REMOVE his link from his Link section HERE:

http://www.website.masmforum.com/links.htm

To Iczelion's classic site with source code, examples, tutorials and reference material.

http://win32asm.cjb.net/

Because on this PAGE there

http://spiff.tripnet.se/~iczelion/source.html

Item Number 5 is

KeyLog 1.1 ("With Source written in MASM32")

Would not want to see him ARRESTED and closed down ;-)

Double Standards? Here all I am trying to get is a question answered, I use a Console Window that Prints Keys Typed as an example to help clarify my question. My Thread gets DELETED! Go Figure

But.......a direct link to a MASM32 Zipped Key Logger with source is OK.

OH and ITEM 4 is an INVISIBILITY ROOTKIT! source included works on 9X/Win2k also in MASM32

Please delete my ID before I shoot myself for expecting any REAL help here, thanks

You guys Kill me, you must just mess with new members minds, or your EGO's are just so BIG you can't admit you don't know something, so instead you question motive or insult or tell people things that are not true, LOL







hutch--

When I opened this topic, I made this statement,

Quote
It's not the politics of parents that is the problem, it's the politics of keyloggers. Now without making any criticism of the task that the new member "ZOverLord" is undertaking, I would ask on behalf of the forum admin that this area be well left alone as it will not be accepted as postings in the forum.

I have responded to a number of assertions that were made in the original posting that was removed.

Quote
There was another thread here ("Started in April") on this subject but...the tone was not very FRIENDLY.

1. You already know the policy here and you can be sure that repeats do not get friendlier.

Quote
Please let's NOT get into politics of if parents SHOULD use Key Loggers to monitor children's internet habits, can we please see if anyone here can show HOW to make this work in MASM32, thank you.

2. With or without your argument the policy does not change.

Quote
I hope it is OK to post all this information in one post, trying to do this because it is the Campus thread for learning and wanted as many EYES as possible to try and help solve this.

3. The factor in common in your original post is that you know the forum policy but you consider that you are in a position to change this policy on the basis of your need.

Now the only advice I can pass you here is to go for a crawl through the other end of the market, virus writers, trojan authors, network hackers and the sum total of the crap that will never see the light of day here and you may just get the idea why this forum is run this way to ensure that its members are not exposed to the trash that runs riot elsewhere.

I am not sure where you regularly frequent but you can be sure that we have membership including those in admin that have heard every argument under the sun and a lot more that never made daylight and they keep coming from people who want policy change in this forum so it would support virus technology, trojan authorship, a collection of network and other security hacks and the like and the response will remain the same, this garbage will never see the light of day here.

We have made no secret that this forum is for mainstream assembler programming and that is where it will stay.

I have disabled the account that you have posted with so if you want to join the forum as a member, you will do so by taking notice of the original conditions that the forum requires.
Download site for MASM32: https://masm32.com
New MASM Forum: https://masm32.com/board/index.php

P1

#20
Port 25 is outbound e-mail traffic for an e-mail client. So it's clear you are snooping. On who and for what are in question. BTW, have we mentioned the care and concern we have for spammers skimming e-mail addresses?

E-Mail is a protected communication right. As an E-Mail Administrator at my place of employment, there are things I can and can not do legally.

As for an Experienced Windows Programmer, there have been freeware port monitoring tools available for years ( written in C, your language of choice ). So what is your excuse to help us believe that you're actually doing something that noble, ethical, moral and not against the intent of the rules of this forum? ( Having clearance, is a government's way of breaking its own rules at times, when justified, so that no one else can find out and sue the daylights out of the government. ) You can PM the answer to any Moderator.

Google is your friend for research.  So Please don't insult us with your lack of knowledge of our understanding and experience !!!

Regards,  P1  :8)


sluggy

Quote from: DeleteMePlease on December 12, 2005, 02:49:23 PM
Here is the WATER now DRINK:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/hookreference/hookfunctions/lowlevelkeyboardproc.asp

Quote:

"The LowLevelKeyboardProc hook procedure is an (application-defined or library-defined callback function) used with the SetWindowsHookEx function. The system calls this function every time a new keyboard input event is about to be posted into a thread input queue. The keyboard input can come from the local keyboard driver or from calls to the keybd_event function."

Yep, that is the same link I referred you to in my post. If you had bothered to read the whole page, you would have seen this:
This hook is called in the context of the thread that installed it.
As a programmer, one of the requisite skills you need is to be able to read doco properly, not just the bits that suit you.




Quote
Glad I could teach you something, at least someone learned something, my suggestion, read more on how these low level functions work, as I kind of figured, based on incomplete answers to two other threads on this subject, NOBODY here knows if this can be done in MASM32, because NOBODY has tried it yet.

There are hundreds of examples of low level keyboard hooks using MASM on the web - so your assertion that nobody has done it yet shows your lack of search skills. Here is an example of what I am talking about.

Quote
Way too many tangents, the inability to focus on the question asked and Insults here for me, as well as over-inflated EGO's!

Your own original question was somewhat confused. And obviously your ego has been bruised because we didn't accept you at face value.

Quote
Because on this PAGE there

http://spiff.tripnet.se/~iczelion/source.html

Item Number 5 is

KeyLog 1.1 ("With Source written in MASM32")

Would not want to see him ARRESTED and closed down ;-)

Yawn. This is getting old. As pointed out to you, keyloggers are not illegal, but frequently the use of them is. And Iczelion's site is a separate entity to this one, what he chooses to host has nothing to do with this site, and does not affect the policies of this forum.