The general drift is that keyloggers are not acceptable here simply because we have no way of knowing what they will be used for. We
do know what they can be misused for and the problem from an admin point of view is that there is no way to draw the distinction between a task of the type you mention having something to do with parental control and another person writing a keylogger as part of a suite of trojans to get credit card information or other personal details.
Quote
Please let's NOT get into poltics of if parents SHOULD use Key Loggers to monitor childrens internet habbits, can we please see if anyone here can show HOW to make this work in MASM32, thank you.
Its not the politics of parents that is the problem, its the politics of keyloggers. Now without making any criticism of the task that the new member "ZOverLord" is undertaking, I would ask on behalf of the forum admin that this area be well left alone as it will not be accepted as postings in the forum.
I am sorry, I did NOT mean to offend anyone.
So, may I ask this question instead.
Is it possible to use MASM32 to build a port monitor using HOOK procedure say for port 25 that will inform and log of any access by program on that port without using a DLL? and as single exe file?
Again, I am sorry if I broke any rules, I was just trying to show a working example in C++ that did no logging of any kind so that it might have been easier to see what I meant.
Just so we understand the question, are you needing to monitor a hardware port or a Winsock port ? A hardware port would be a pain as you need a device driver to access it where a winsock port would not be all that big a deal if you know your way around winsock programming.
A Winsock Port.
I would like to know if there is a way to hook log any attempt by a program to open port 25, and would like to place the HOOK procedure to do so in a masm32 exe without using a dll.
ZOverLord :
Try using the sesarch function , I´m sure you find something.
Quote from: WinCC on December 12, 2005, 09:06:11 AM
ZOverLord :
Try using the sesarch function , I´m sure you find something.
I Looked but see nothing that shows how to use masm32 like c++ can be used where the HOOK procedure resides in the exe without the need of using memory based loading/sharing or a dll.
If you think you can find a link that does show how, please post it because I have been looking for weeks and found nothing.
Quote from: ZOverLord on December 12, 2005, 09:10:11 AM
I Looked but see nothing that shows how to use masm32 like c++ can be used where the HOOK procedure resides in the exe without the need of using memory based loading/sharing or a dll.
How exactly do you want this code to run? Are you looking to patch an already existing exe file, or make a new one? Why don't you want a dll?
Quote from: sluggy on December 12, 2005, 09:39:33 AM
Quote from: ZOverLord on December 12, 2005, 09:10:11 AM
I Looked but see nothing that shows how to use masm32 like c++ can be used where the HOOK procedure resides in the exe without the need of using memory based loading/sharing or a dll.
How exactly do you want this code to run? Are you looking to patch an already existing exe file, or make a new one? Why don't you want a dll?
I would like to create a new one, and I don't want a dll because I am trying to keep the code all in one program. Much Like what can be done in C++.
If nobody wants to help, I will just do it in C++, sorry I even asked.
It really is sad that the original question is a simple one, that seems not possible, because I have seached the web and this forum, I saw 2 threads, ALL with no actual solution and filled with questions of Why?
Actually I avoided this forum because of that, BUT I took the chance to try, and I see I was correct.
Not telling anyone what to do, but....being a progammer for 27+ years on non 386 based systems, I have never needed to defend myself for asking a techncal question.
At this point, I am sorry I asked actually.
ZOverLord,
We live in a world where script kiddies write malicious code and use any excuse they can to get assistance in the process. With this forum being located in the US, I am personally responsible for any illegal code so the question will always get asked as I don't intend to be the patsy for anyone. Now as it is evident that you don't fit the "script kiddie" description and have at last made sense of what you are after, see if I have it right.
You want to monitor a winsock port for activity either in or out and you want to be able to do this from within an EXE file rather than using a DLL ?
Quote from: hutch-- on December 12, 2005, 10:33:51 AM
ZOverLord,
We live in a world where script kiddies write malicious code and use any excuse they can to get assistance in the process. With this forum being located in the US, I am personally responsible for any illegal code so the question will always get asked as I don't intend to be the patsy for anyone. Now as it is evident that you don't fit the "script kiddie" description and have at last made sense of what you are after, see if I have it right.
You want to monitor a winsock port for activity either in or out and you want to be able to do this from within an EXE file rather than using a DLL ?
Correct,
Yes Hutch but I fail to see how this applies, I mean my God are the feds going to shut your site down because there is an example of how to use a HOOK procedure in an exe without the need for a dll to monitor a socket?
If so they had better start with Microsoft first.
When I was in the Air Force, 49 now, I had a TS SSIR clearance, I just think that this is a little over the top for such a simple question.
I know you have no idea of who I am or if I am 12 years old, BUT......I am not asking for some illegal code, the only reason I even included the ORIGINAL example in C++ is because it was a working example, and all it did was use a console window to display keystrokes, I did that with the knowledge that it was a far cry from some program with logging ability or stealth.
This question has been asked twice on your forum alone, since April, and NOBODY really answered the question.
Which leads me to believe that:
1. It can't be done using MASM32, or
2. That nobody has tried.
I am an adult and well aware of what BAD Kiddies are out there, but your forum is the place to ask about MASM32 questions, that's why I posted the question here.
The other two posts about this here really did not give a working example of what they wanted to do in MASM32, which I think confused others, this is why i tried to use something harmless so this would not happen.
It's just a little insulting when there are many ways to explain how this can be done without violating national security and all the responses so far are WHY do you? Or use a search engine! Or Power users HERE already KNOW these things.
We all have Ego's but Geeze.
I guess this is not possible using MASM32, because if it were, the two other posts would have been answered, we could have saved alot of banter if this was just stated as such.
It's public knowledge that this can be done in C++ , and documented ALL over Microsoft web sites, sadly they are all C++ examples.
If my intent was to do harm, I already know how to do this in C++, why would I waste peoples time and mine trying to PULL-TEETH here to see if it can be done in MASM32?
I am Not asking if this is POSSIBLE, I already know it is with C++, I am asking if it can be done using MASM32, HUGE Difference, even the last 2 posters here on this subject did not know how to do it in C++, I do, so I would hope that somehow shows I am not looking for METHODS, I am only looking for CONVERSION from C++ to MASM32.
The hook function must be in a DLL because Windows must inject it into the address space of every process. One option would be embed the dll into the exe as a resource and extract it at runtime.
Please would you repost your C++ code and listing ( as a zip)? I did not get a chance to look at it.
hutch: If hooks are in Windows ( and documented) then they must be legal. If they are legal then it is perfectly alright to ask questions about how to implement them efficiently, is it not?
Quote from: AeroASM on December 12, 2005, 11:33:02 AM
The hook function must be in a DLL because Windows must inject it into the address space of every process. One option would be embed the dll into the exe as a resource and extract it at runtime.
Please would you repost your C++ code and listing ( as a zip)? I did not get a chance to look at it.
hutch: If hooks are in Windows ( and documented) then they must be legal. If they are legal then it is perfectly alright to ask questions about how to implement them efficiently, is it not?
Thanks
Yes I would Like to, but It's Hutches site so I can't without his permission.
I can say that it is NOT true that the HOOK procedure needs to be in a dll in c++, the working example I posted proved that and that's why I used it, and it only showed each key entered in a console window, I used the example because it was not harmfu, had no logging ability, and had no stealth, I also included the Dumppe output, the Microsoft Disasm from compile time as well as dumpbin output.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/abouthooks.asp
Quote from: MSDN
A global hook procedure can be called in the context of any application in the same desktop as the calling thread, so the procedure must be in a separate dynamic-link library (DLL) module.
WHat kind of hook are you using?
Quote from: AeroASM on December 12, 2005, 01:22:12 PM
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/abouthooks.asp
Quote from: MSDN
A global hook procedure can be called in the context of any application in the same desktop as the calling thread, so the procedure must be in a separate dynamic-link library (DLL) module.
WHat kind of hook are you using?
As a Test, because I wanted to make sure it really worked and the best way to do so, I felt, was to test it with a keyboard hook, so I could prove easily ("Testing the concept from mutliple sources using sockets would have been more complicated to create many mutiple sources of input to make sure it really worked")
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/hookreference/hookfunctions/lowlevelkeyboardproc.asp
ZOverlord,
please stop sulking about what has happened. We have an iron clad policy on this for a reason - we get wannabe hackers and crackers through here on a weekly basis using all sorts of excuses to get this information, and they can be VERY inventive. You have shown up, we don't know you from a bar of soap, and you have instantly launched into asking questions about keyloggers. Put yourself in our shoes: would you not be suspicious, even though there is a lot of information out there already?
Like you say, this sort of information is not top secret. We are not protecting any egos by referring to "power users". "Power users" was probably the wrong phrase to use - "experienced Windows coders" would have been better. But the fact that this knowledge is "out there" doesn't prevent people from being prosecuted in US courts under the various stupid and onerous US laws such as the DMCA or the Homeland Security Act. This is why we are not particularly friendly when people ask about keyloggers. Also think about the thousands (or millions) of people who have lost thousands of dollars because of illegal use of keyloggers. So that is the reason for that policy of this forum, like it or leave it, it is not negotiable. As for the post you originally linked to, White Scorpion is known to dabble in hacking/cracking under the guise of "security research". Don't try to second guess the decisions of the moderation team. In any case, that was one of the few times White Scorpion *did* get an answer.
In the example you posted, the exe is faking being a dll by starting a thread that just sits there and processes. Because it is not injected, it has no access to the memory space of the hooked thread - it just gets the keyboard input. You can read the official doco on it here (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/hookreference/hookfunctions/setwindowshookex.asp) and here (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/hookreference/hookfunctions/lowlevelkeyboardproc.asp). Note that this is a *keyboard* hook, and has nothing to do with the socket hooking that you were also talking about - that is a different subject and i would suggest you start a different post about it.
If you want assistance translating your original C++ post into asm, then make a start and ask questions when you get stuck, we are not going to write it for you. You will not be able to write a port filter/logger without using a dll, and using an example of a low level keyboard hook to illustrate your question is like comparing apples with oranges. C/C++ can abstract things so that keyboard input and port 25 input both look the same at function level, but it is a different kettle of fish at the asm level, you can't always rely on libraries and stdin, you have to code some of this yourself. What you could do though is use an existing C library for monitoring the port, and just call it from asm, but once again you cannot do a port filter as just a stand-alone exe.
The last thing that may help you: try visiting the network section at sysinternals.com (http://www.sysinternals.com/NetworkingUtilities.html), they have an application called TDIMon that does what you want. These guys used to have the source code available for their apps, you may still be able to track it down.
Quote from: ZOverLord on December 12, 2005, 01:33:06 PMAs a Test, because I wanted to make sure it really worked and the best way to do so, I felt, was to test it with a keyboard hook, so I could prove easily ("Testing the concept from mutliple sources using sockets would have been more complicated to create many mutiple sources of input to make sure it really worked")
For the reason i mentioned above, this is an invalid test. Keyboard hooks and port hooks are two totally different beasts.
Quote from: sluggy on December 12, 2005, 01:48:08 PM
ZOverlord,
please stop sulking about what has happened. We have an iron clad policy on this for a reason - we get wannabe hackers and crackers through here on a weekly basis using all sorts of excuses to get this information, and they can be VERY inventive. You have shown up, we don't know you from a bar of soap, and you have instantly launched into asking questions about keyloggers. Put yourself in our shoes: would you not be suspicious, even though there is a lot of information out there already?
Like you say, this sort of information is not top secret. We are not protecting any egos by referring to "power users". "Power users" was probably the wrong phrase to use - "experienced Windows coders" would have been better. But the fact that this knowledge is "out there" doesn't prevent people from being prosecuted in US courts under the various stupid and onerous US laws such as the DMCA or the Homeland Security Act. This is why we are not particularly friendly when people ask about keyloggers. Also think about the thousands (or millions) of people who have lost thousands of dollars because of illegal use of keyloggers. So that is the reason for that policy of this forum, like it or leave it, it is not negotiable. As for the post you originally linked to, White Scorpion is known to dabble in hacking/cracking under the guise of "security research". Don't try to second guess the decisions of the moderation team. In any case, that was one of the few times White Scorpion *did* get an answer.
In the example you posted, the exe is faking being a dll by starting a thread that just sits there and processes. Because it is not injected, it has no access to the memory space of the hooked thread - it just gets the keyboard input. You can read the official doco on it here (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/hookreference/hookfunctions/setwindowshookex.asp) and here (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/hookreference/hookfunctions/lowlevelkeyboardproc.asp). Note that this is a *keyboard* hook, and has nothing to do with the socket hooking that you were also talking about - that is a different subject and i would suggest you start a different post about it.
If you want assistance translating your original C++ post into asm, then make a start and ask questions when you get stuck, we are not going to write it for you. You will not be able to write a port filter/logger without using a dll, and using an example of a low level keyboard hook to illustrate your question is like comparing apples with oranges. C/C++ can abstract things so that keyboard input and port 25 input both look the same at function level, but it is a different kettle of fish at the asm level, you can't always rely on libraries and stdin, you have to code some of this yourself. What you could do though is use an existing C library for monitoring the port, and just call it from asm, but once again you cannot do a port filter as just a stand-alone exe.
The last thing that may help you: try visiting the network section at sysinternals.com (http://www.sysinternals.com/NetworkingUtilities.html), they have an application called TDIMon that does what you want. These guys used to have the source code available for their apps, you may still be able to track it down.
I am not sulking, you are the mod, so as I stated I am sorry I even asked. I can assure you this works in C++, there was no apples and oranges, The concept IS/WAS setting hooks in an EXE without the use of a DLL, the example was a METHOD to show that, nothing more, nothing less. It was used to ATTEMPT to get an answer if it could be done in MASM32, nothing more nothing less.
I can assure you that your statement of "the exe is faking being a dll by starting a thread that just sits there and processes. Because it is not injected, it has no access to the memory space of the hooked thread - it just gets the keyboard input" is not correct.
Anyway, sorry to bother everyone here, I will just continue the project and in C++
Thanks for all your help and time.
PS. Please delete my ID, I have no desire to be a member of a community where the senior people seem to be not capable of understanding simple questions and being insulted at the same time.
The Keyboard example thread was deleted, and the question still stands, someday try the method in c++, it works, way to frustated to remain a member and be treated as a child because some people can't get away from KeyBoard Tangents and focus on the original question.
Quote from: Delete on December 12, 2005, 02:08:34 PMI can assure you this works in C++, there was no apples and oranges, The concept IS/WAS setting hooks in an EXE without the use of a DLL, the example was a METHOD to show that, nothing more, nothing less. It was used to ATTEMPT to get an answer if it could be done in MASM32, nothing more nothing less.
Of course it works in C++, nobody said it doesn't. And of course it can be done in MASM, C compiles to assembly language.
QuoteI can assure you that your statement of "the exe is faking being a dll by starting a thread that just sits there and processes. Because it is not injected, it has no access to the memory space of the hooked thread - it just gets the keyboard input" is not correct.
Dude, it IS correct. It starts a new thread. It receives keyboard input as part of the hook chain. It has no access to the context or memory space of the causative thread. Go and read the MSDN documentation again.
QuoteAnyway, sorry to bother everyone here, I will just continue the project and in C++
Thanks for all your help and time.
You didn't bother us, you just got off on the wrong foot. And sulked. And argued. And asked mixed questions - talking about a keyboard hook when you were actually wanting to know about a port filter. We have no problems helping you, but you are arguing against *everything* we said. A student will learn but only when he is ready. You can lead a horse to water but you can't make it drink. You couldn't see the wood because of the trees. Etc etc. We are still happy to answer questions as long as you are prepared to listen and not get temperamental. We were not insulting your considerable experience in other (unnamed) systems, but you came seeking our help and weren't prepared to listen.
In any case, if you are more comfortable with C/C++ then that is a good choice. You never did say why it had to be done in asm....
Quote from: sluggy on December 12, 2005, 02:31:31 PM
Quote from: Delete on December 12, 2005, 02:08:34 PMI can assure you this works in C++, there was no apples and oranges, The concept IS/WAS setting hooks in an EXE without the use of a DLL, the example was a METHOD to show that, nothing more, nothing less. It was used to ATTEMPT to get an answer if it could be done in MASM32, nothing more nothing less.
Of course it works in C++, nobody said it doesn't. And of course it can be done in MASM, C compiles to assembly language.
QuoteI can assure you that your statement of "the exe is faking being a dll by starting a thread that just sits there and processes. Because it is not injected, it has no access to the memory space of the hooked thread - it just gets the keyboard input" is not correct.
Dude, it IS correct. It starts a new thread. It receives keyboard input as part of the hook chain. It has no access to the context or memory space of the causative thread. Go and read the MSDN documentation again.
QuoteAnyway, sorry to bother everyone here, I will just continue the project and in C++
Thanks for all your help and time.
You didn't bother us, you just got off on the wrong foot. And sulked. And argued. And asked mixed questions - talking about a keyboard hook when you were actually wanting to know about a port filter. We have no problems helping you, but you are arguing against *everything* we said. A student will learn but only when he is ready. You can lead a horse to water but you can't make it drink. You couldn't see the wood because of the trees. Etc etc. We are still happy to answer questions as long as you are prepared to listen and not get temperamental. We were not insulting your considerable experience in other (unnamed) systems, but you came seeking our help and weren't prepared to listen.
In any case, if you are more comfortable with C/C++ then that is a good choice. You never did say why it had to be done in asm....
Here is the WATER now DRINK:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/hookreference/hookfunctions/lowlevelkeyboardproc.asp
Quote:
"The LowLevelKeyboardProc hook procedure is an
(application-defined or library-defined callback function) used with the SetWindowsHookEx function. The system calls this function every time a new keyboard input event is about to be posted into a thread input queue. The keyboard input can come from the local keyboard driver or from calls to the keybd_event function."
If this is the way NORMAL people are treated here, please delete my ID, there is NO delete option I can find.
Glad I could teach you something, at least someone learned something, my suggestion, read more on how these low level functions work, as I kind of figured, based on incomplete answers to two other threads on this subject, NOBODY here knows if this can be done in MASM32, because NOBODY has tried it yet.
Read Up and learn how these LOW level HOOKS work now and specifically about "SetWindowsHookEx" because the SAME can be done with sockets, it just would have been very hard to use an example of that, so I used a Console Program that was short.
Way too many tangents, the inability to focus on the question asked and Insults here for me, as well as over-inflated EGO's!
Drink up!
FYI, please tell Hutch he should REMOVE his link from his Link section HERE:
http://www.website.masmforum.com/links.htm
To Iczelion's classic site with source code, examples, tutorials and reference material.
http://win32asm.cjb.net/
Because on this PAGE there
http://spiff.tripnet.se/~iczelion/source.html
Item Number 5 is
KeyLog 1.1 ("With Source written in MASM32")
Would not want to see him ARRESTED and closed down ;-)
Double Standards? Here all I am trying to get is a questions answered, I use a Console Window that Prints Keys Typed as an example to help clarify my question. My Thread gets DELETED! Go Figure
But.......a direct link to a MASM32 Zipped Key Logger with source is OK.
OH and ITEM 4 is an INVISABILITY ROOTKIT! source included works on 9X/Win2k also in MASM32
Please delete my ID before I shoot myself for expecting any REAL help here, thanks
You guys Kill me, you must just mess with new members minds, or your EGO's are just so BIG you can't admit you don't know something, so instead you question motive or insult or tell people things that are not true, LOL
When I opened this topic, I made this statement,
Quote
Its not the politics of parents that is the problem, its the politics of keyloggers. Now without making any criticism of the task that the new member "ZOverLord" is undertaking, I would ask on behalf of the forum admin that this area be well left alone as it will not be accepted as postings in the forum.
I have responded to a number of assertions that were made in the original posting that was removed.
Quote
There was another thread here ("Started in April") on this subject but...the tone was not very FRIENDLY.
1. You already know the policy here and you can be sure that repeats do not get friendlier.
Quote
Please let's NOT get into poltics of if parents SHOULD use Key Loggers to monitor childrens internet habbits, can we please see if anyone here can show HOW to make this work in MASM32, thank you.
2. With or without your argument the policy does not change.
Quote
I hope it is OK to post all this information in one post, trying to do this because it is the Campus thread for learning and wanted as many EYES as possible to try and help solve this.
3. The factor in common in your original post is that you know the forum policy but you consider that you are in a position to change this policy on the basis of your need.
Now the only advice I can pass you here is to go for a crawl through the other end of the market, virus writers, trojan authors, network hackers and the sum total of the crap that will never see the light of day here and you may just get the idea why this forum is run this way to ensure that its members are not exposed to the trash that runs riot elsewhere.
I am not sure where you regularly frequent but you can be sure that we have membership including those in admin that have heard every argument under the sun and a lot more that never made daylight and they keep coming from people who want policy change in this forum so it would support virus technology, trojan authorship, a collection of network and other security hacks and the like and the response will remain the same, this garbage will never see the light of day here.
We have made no secret that this forum is for mainstream assembler programming and that is where it will stay.
I have disabled the account that you have posted with so if you want to join the forum as a member, you will do so by taking notice of the original conditions that the forum requires.
Port 25 is out bound e-mail traffic for an e-mail client. So it's clear you are snooping. On who and for what are in question. BTW, have we mention the care and concern we have for spammers skimming e-mail addresses?
E-Mail is a protected communication right. As an E-Mail Administrator at my place of employment, There are things I can and can not do legally.
As for an Experienced Windows Programmer, there have been freeware port monitoring tools available for years ( written in C, your language of choice ). So what is your excuse to help us believe that your actually doing something that noble, ethical, moral and not against the intend of the rules of this forum? ( Having clearance, is a government's way of breaking it's own rules at times, when justified, so that no one else can find out and sue the daylights out of the government. ) You can PM the answer to any Moderator.
Google is your friend for research. So Please don't insult us with your lack of knowledge of our understanding and experience !!!
Regards, P1 :8)
[attachment deleted by admin]
Quote from: DeleteMePlease on December 12, 2005, 02:49:23 PMHere is the WATER now DRINK:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/hookreference/hookfunctions/lowlevelkeyboardproc.asp
Quote:
"The LowLevelKeyboardProc hook procedure is an (application-defined or library-defined callback function) used with the SetWindowsHookEx function. The system calls this function every time a new keyboard input event is about to be posted into a thread input queue. The keyboard input can come from the local keyboard driver or from calls to the keybd_event function."
Yep, that is the same link i referred you to in my post. If you had bothered to read the whole page, you would have seen this:
This hook is called in the context of the thread that installed it.
As a programmer, one of the requisite skills you need is to be able to read doco properly, not just the bits that suit you.
QuoteGlad I could teach you something, at least someone learned something, my suggestion, read more on how these low level functions work, as I kind of figured, based on incomplete answers to two other threads on this subject, NOBODY here knows if this can be done in MASM32, because NOBODY has tried it yet.
There are hundreds of examples of low level keyboard hooks using MASM on the web - so your assertion that nobody has done it yet shows your lack of search skills. Here is an example of what i am talking about. (http://www.google.com/search?num=100&hs=wmZ&hl=en&lr=&client=opera&rls=en&q=%22WH_KEYBOARD_LL%22+%22asm%22&btnG=Search)
QuoteWay too many tangents, the inability to focus on the question asked and Insults here for me, as well as over-inflated EGO's!
Your own original question was somewhat confused. And obviously your ego has been bruised because we didn't accept you at face value.
QuoteBecause on this PAGE there
http://spiff.tripnet.se/~iczelion/source.html
Item Number 5 is
KeyLog 1.1 ("With Source written in MASM32")
Would not want to see him ARRESTED and closed down ;-)
Yawn. This is getting old. As pointed out to you, keyloggers are not illegal, but frequently
the use of them is. And Iczelion's site is a separate entity to this one, what he chooses to host has nothing to do with this site, and does not affect the policies of this forum.