
Key logger topic.

Started by hutch--, December 11, 2005, 11:09:44 PM


hutch--

The general drift is that keyloggers are not acceptable here simply because we have no way of knowing what they will be used for. We do know what they can be misused for and the problem from an admin point of view is that there is no way to draw the distinction between a task of the type you mention having something to do with parental control and another person writing a keylogger as part of a suite of trojans to get credit card information or other personal details.

Quote
Please let's NOT get into politics of if parents SHOULD use Key Loggers to monitor children's internet habits, can we please see if anyone here can show HOW to make this work in MASM32, thank you.

It's not the politics of parents that is the problem, it's the politics of keyloggers. Now without making any criticism of the task that the new member "ZOverLord" is undertaking, I would ask on behalf of the forum admin that this area be well left alone as it will not be accepted as postings in the forum.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

ZOverLord

I am sorry, I did NOT mean to offend anyone.

So, may I ask this question instead.

Is it possible to use MASM32 to build a port monitor using a HOOK procedure, say for port 25, that will inform and log any access by a program on that port without using a DLL, and as a single exe file?

Again, I am sorry if I broke any rules, I was just trying to show a working example in C++ that did no logging of any kind so that it might have been easier to see what I meant.




hutch--

Just so we understand the question, are you needing to monitor a hardware port or a Winsock port? A hardware port would be a pain as you need a device driver to access it, whereas a Winsock port would not be all that big a deal if you know your way around Winsock programming.

ZOverLord

A Winsock Port.

I would like to know if there is a way to hook log any attempt by a program to open port 25, and would like to place the HOOK procedure to do so in a masm32 exe without using a dll.

WinCC

ZOverLord :

Try using the search function, I'm sure you'll find something.

ZOverLord

Quote from: WinCC on December 12, 2005, 09:06:11 AM
ZOverLord :

Try using the search function, I'm sure you'll find something.

I looked but see nothing that shows how to use masm32 like c++ can be used where the HOOK procedure resides in the exe without the need of using memory based loading/sharing or a dll.

If you think you can find a link that does show how, please post it because I have been looking for weeks and found nothing.

sluggy

Quote from: ZOverLord on December 12, 2005, 09:10:11 AM
I looked but see nothing that shows how to use masm32 like c++ can be used where the HOOK procedure resides in the exe without the need of using memory based loading/sharing or a dll.
How exactly do you want this code to run? Are you looking to patch an already existing exe file, or make a new one? Why don't you want a dll?


ZOverLord

Quote from: sluggy on December 12, 2005, 09:39:33 AM
Quote from: ZOverLord on December 12, 2005, 09:10:11 AM
I looked but see nothing that shows how to use masm32 like c++ can be used where the HOOK procedure resides in the exe without the need of using memory based loading/sharing or a dll.
How exactly do you want this code to run? Are you looking to patch an already existing exe file, or make a new one? Why don't you want a dll?



I would like to create a new one, and I don't want a dll because I am trying to keep the code all in one program. Much Like what can be done in C++.

If nobody wants to help, I will just do it in C++, sorry I even asked.

It really is sad that the original question is a simple one, that seems not possible, because I have searched the web and this forum, I saw 2 threads, ALL with no actual solution and filled with questions of Why?

Actually I avoided this forum because of that, BUT I took the chance to try, and I see I was correct.

Not telling anyone what to do, but....being a programmer for 27+ years on non 386 based systems, I have never needed to defend myself for asking a technical question.

At this point, I am sorry I asked actually.

hutch--

ZOverLord,

We live in a world where script kiddies write malicious code and use any excuse they can to get assistance in the process. With this forum being located in the US, I am personally responsible for any illegal code so the question will always get asked as I don't intend to be the patsy for anyone. Now as it is evident that you don't fit the "script kiddie" description and have at last made sense of what you are after, see if I have it right.

You want to monitor a Winsock port for activity either in or out and you want to be able to do this from within an EXE file rather than using a DLL?

ZOverLord

Quote from: hutch-- on December 12, 2005, 10:33:51 AM
ZOverLord,

We live in a world where script kiddies write malicious code and use any excuse they can to get assistance in the process. With this forum being located in the US, I am personally responsible for any illegal code so the question will always get asked as I don't intend to be the patsy for anyone. Now as it is evident that you don't fit the "script kiddie" description and have at last made sense of what you are after, see if I have it right.

You want to monitor a Winsock port for activity either in or out and you want to be able to do this from within an EXE file rather than using a DLL?

Correct,

Yes Hutch but I fail to see how this applies, I mean my God are the feds going to shut your site down because there is an example of how to use a HOOK procedure in an exe without the need for a dll to monitor a socket?

If so they had better start with Microsoft first.

When I was in the Air Force, 49 now, I had a TS SSIR clearance, I just think that this is a little over the top for such a simple question.

I know you have no idea of who I am or if I am 12 years old, BUT......I am not asking for some illegal code, the only reason I even included the ORIGINAL example in C++ is because it was a working example, and all it did was use a console window to display keystrokes, I did that with the knowledge that it was a far cry from some program with logging ability or stealth.

This question has been asked twice on your forum alone, since April, and NOBODY really answered the question.

Which leads me to believe that:

1. It can't be done using MASM32, or
2. That nobody has tried.

I am an adult and well aware of what BAD Kiddies are out there, but your forum is the place to ask about MASM32 questions, that's why I posted the question here.

The other two posts about this here really did not give a working example of what they wanted to do in MASM32, which I think confused others, this is why I tried to use something harmless so this would not happen.

It's just a little insulting when there are many ways to explain how this can be done without violating national security and all the responses so far are WHY do you? Or use a search engine! Or Power users HERE already KNOW these things.

We all have Egos but Geez.

I guess this is not possible using MASM32, because if it were, the two other posts would have been answered, we could have saved a lot of banter if this was just stated as such.

It's public knowledge that this can be done in C++ , and documented ALL over Microsoft web sites, sadly they are all C++ examples.

If my intent was to do harm, I already know how to do this in C++, why would I waste people's time and mine trying to PULL-TEETH here to see if it can be done in MASM32?

I am Not asking if this is POSSIBLE, I already know it is with C++, I am asking if it can be done using MASM32, HUGE Difference, even the last 2 posters here on this subject did not know how to do it in C++, I do, so I would hope that somehow shows I am not looking for METHODS, I am only looking for CONVERSION from C++ to MASM32.





AeroASM

The hook function must be in a DLL because Windows must inject it into the address space of every process. One option would be to embed the dll into the exe as a resource and extract it at runtime.

Please would you repost your C++ code and listing (as a zip)? I did not get a chance to look at it.

hutch: If hooks are in Windows (and documented) then they must be legal. If they are legal then it is perfectly alright to ask questions about how to implement them efficiently, is it not?

ZOverLord

Quote from: AeroASM on December 12, 2005, 11:33:02 AM
The hook function must be in a DLL because Windows must inject it into the address space of every process. One option would be to embed the dll into the exe as a resource and extract it at runtime.

Please would you repost your C++ code and listing (as a zip)? I did not get a chance to look at it.

hutch: If hooks are in Windows (and documented) then they must be legal. If they are legal then it is perfectly alright to ask questions about how to implement them efficiently, is it not?

Thanks

Yes I would like to, but it's Hutch's site so I can't without his permission.

I can say that it is NOT true that the HOOK procedure needs to be in a dll in c++, the working example I posted proved that and that's why I used it, and it only showed each key entered in a console window, I used the example because it was not harmful, had no logging ability, and had no stealth, I also included the Dumppe output, the Microsoft Disasm from compile time as well as dumpbin output.


AeroASM

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/abouthooks.asp

Quote from: MSDN
A global hook procedure can be called in the context of any application in the same desktop as the calling thread, so the procedure must be in a separate dynamic-link library (DLL) module.

What kind of hook are you using?

ZOverLord

Quote from: AeroASM on December 12, 2005, 01:22:12 PM
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/abouthooks.asp

Quote from: MSDN
A global hook procedure can be called in the context of any application in the same desktop as the calling thread, so the procedure must be in a separate dynamic-link library (DLL) module.

What kind of hook are you using?

As a Test, because I wanted to make sure it really worked and the best way to do so, I felt, was to test it with a keyboard hook, so I could prove easily ("Testing the concept from multiple sources using sockets would have been more complicated to create many multiple sources of input to make sure it really worked")

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/hookreference/hookfunctions/lowlevelkeyboardproc.asp

sluggy

ZOverlord,
please stop sulking about what has happened. We have an iron clad policy on this for a reason - we get wannabe hackers and crackers through here on a weekly basis using all sorts of excuses to get this information, and they can be VERY inventive. You have shown up, we don't know you from a bar of soap, and you have instantly launched into asking questions about keyloggers. Put yourself in our shoes: would you not be suspicious, even though there is a lot of information out there already?

Like you say, this sort of information is not top secret. We are not protecting any egos by referring to "power users". "Power users" was probably the wrong phrase to use - "experienced Windows coders" would have been better. But the fact that this knowledge is "out there" doesn't prevent people from being prosecuted in US courts under the various stupid and onerous US laws such as the DMCA or the Homeland Security Act. This is why we are not particularly friendly when people ask about keyloggers. Also think about the thousands (or millions) of people who have lost thousands of dollars because of illegal use of keyloggers. So that is the reason for that policy of this forum, like it or leave it, it is not negotiable. As for the post you originally linked to, White Scorpion is known to dabble in hacking/cracking under the guise of "security research". Don't try to second guess the decisions of the moderation team. In any case, that was one of the few times White Scorpion *did* get an answer.

In the example you posted, the exe is faking being a dll by starting a thread that just sits there and processes. Because it is not injected, it has no access to the memory space of the hooked thread - it just gets the keyboard input. You can read the official doco on it here and here. Note that this is a *keyboard* hook, and has nothing to do with the socket hooking that you were also talking about - that is a different subject and I would suggest you start a different post about it.

If you want assistance translating your original C++ post into asm, then make a start and ask questions when you get stuck, we are not going to write it for you. You will not be able to write a port filter/logger without using a dll, and using an example of a low level keyboard hook to illustrate your question is like comparing apples with oranges. C/C++ can abstract things so that keyboard input and port 25 input both look the same at function level, but it is a different kettle of fish at the asm level, you can't always rely on libraries and stdin, you have to code some of this yourself. What you could do though is use an existing C library for monitoring the port, and just call it from asm, but once again you cannot do a port filter as just a stand-alone exe.

The last thing that may help you: try visiting the network section at sysinternals.com, they have an application called TDIMon that does what you want. These guys used to have the source code available for their apps, you may still be able to track it down.