Skip to content

Instantly share code, notes, and snippets.

@djnnvx

djnnvx/WORKSHOP.md

Last active March 8, 2023 11:35
Show Gist options
  • Save djnnvx/f8b31d3304f042fb131ca6d4d2725621 to your computer and use it in GitHub Desktop.
Save djnnvx/f8b31d3304f042fb131ca6d4d2725621 to your computer and use it in GitHub Desktop.
Download ZIP
Beginner workshoop: Create your own keylogger
Raw
requirements.txt
pynput==1.7.4
sockets==1.0.0
pycryptodome==3.14.1
pandas==1.0.5
pyinstaller==4.9.0
Raw
WORKSHOP.md

PyLogger

In this Workshop you 'll learn :

✔️ How to spy on all the keystrokes of a computer

✔️ How to send it to a remote server

✔️ How to transform a .py in a binary with Pyinstaller

✔️ How to obfuscate such a binary

Step 0 : Setup

In this workshop, we will be using Python, as it is much more convenient for a proof of concept. We recommend using a Python virtual environment if you plan on using dependencies:

# install the python package manager
sudo dnf install python3-pip    # or any package manager you are using

# install the virtualenv package on your machine
pip3 install virtualenv

# create a new virtualenv
virtualenv venv

# activate your virtualenv
. venv/bin/source/activate

# install the requirements
pip3 install -r requirements.txt

# leave at any time
deactivate

If you feel very confident in your abilities, you can also try to use C, but you might need to tweak some stuff to get it to work on Linux and Windows. However, it is much more fun if you want to get into binary obfusation in depth.

Step 1 : Get the keystrokes

First things first, make some researches about how can you retrieve the keystrokes in any process. Don't forget the Unix philosophy: Everything is a file !

💡 To test your program, you can either print the keystrokes on your terminal, or write it in a file.

You might notice that some characters may appear in a strange way due to keyboard configuration. Maybe you can fix this ?

  • Get the input on any active process
  • Transform the character to make it completely readable

Step 2 : TCP server

TCP / IP

You are now very sure that the program works? Great!

If it works on your machine, it can certainly work on your victim's. However, in order to retrieve it, you can code a quick TCP server with socketserver library.

  • Code a server that will send requests on the victim side
  • Code a client that will listen to requests on the hacker side that will prettify and print the received input

💡 for the sake of the Workshop, you can your server locally. You will just need to provide a local ip address.

Finishing touches

Your communication is pretty ok, but not secure at all. What happens if you receive several requests at the same time? Or you have infected several victim, your weak server wouldn't be able to handle it.

  • Use python threads to target the function where you handle the listening of your requests
  • Encrypt your communication with AES.
  • Decrypt it on the client side.

Step 3 : Pyinstaller

Pyinstaller is a python tool that will convert your python script into a binary. Why do I need to do that? - Because if the victim discovers your script, They will know exactly what you are trying to do, and how you are doing it, and worst: how to stop it.

Installation

in your terminal, run :

pip3 install pyinstaller

You can read this documentation to know how to do it.

  • Run pyinstaller on the victim script, and name it pylogger.

Step 4 : Basic Obfuscation

What is obfusation ?

Step 1

When you run the nm commmand on your binary, you must notice a huge number of lines describing all the functions that your program calls. It is bad : we don't want smart reverse engineer guys to understand exactly how our program works.

To do so, find a way to get this output :

nm: pylogger: no symbols

Step 2

Now that you removed the symbols of your binary, get this very minimal output:

pylogger:     file format elf64-x86-64
architecture: i386:x86-64, flags 0x00000102:
EXEC_P, D_PAGED
start address 0x0000000000469cd8

and nothing else, when using the following command:

$ objdump -fs pylogger

Difficult huh ? Do some research =)

Step 3

Wow ! You have made it so far ! I don't know what did you use for accomplish the previous step, but make sure no clue can appear when use a simple strings command on your keylogger...

Step 4

Ok, what we have made is cute but... We can always try to debug the program. If a researcher attemps to debug your program, he will be quick to understand what it does and find a mitigation !

Here are a few approaches you can try:

  • implement a sigaction that will make SIGTRAP useless
  • terminate the program each time we call a debugger on it.
  • lie on the section header table (Look it up!)
  • /proc/self/status

Going further

Congratulations, you're all done ! Here are a few things you can improve.

  • Look into CVEs against the target system, to have root privileges on your program. A good starting point on Linux is the pwnkit vulnerability. You can find plenty of Proof-Of-Concepts on Github !

  • A nicer interface would also be nice, maybe you don't want to sit by your SocketServer all day..

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment