A small utility hooking some Windows possibilities:
1-Hook WndProc/WndProRet
2-Hook Keyboard
3-Hook Mouse
4-Hook Messages
5-Hook Dialog Input
It captures everything you type in a program such as Notepad++, or a password entered in Google.
There is a bug in the keyboard hook, all characters are in upper case.
Here is an important update of the program.
It allows you to clearly see a word (password) that was corrected during typing.
For example, suppose the password is Bernadotte (a French general under Napoleon who became King of Sweden).
The user types Bernadottt_e, where the '_' stands for the BACKSPACE key; the password will appear like this:
B
e
r
n
a
d
o
t
t
t
<Backspace>
e
Now the ListViews are sorted, except one, which makes the program crash; I'm looking into why.
In the Before and After hooks, I have left the following parameter at 0 rather than 1.
HookBeforeProc PROC USES RDI RSI __nCode:QWORD,__wParam:WPARAM,__lParam:LPARAM PARMAREA=8*QWORD
LOCAL _Stack:STACK
LOCAL Reg_Rcx:QWORD
LOCAL Reg_Rdx:QWORD
LOCAL Reg_R8:QWORD
mov Reg_Rcx,rcx
mov Reg_Rdx,rdx
mov Reg_R8,r8
test rdx,rdx ; Should be CMP RDX,1
jz @NextHook ; JE @NextHook (to ignore the current process)
Normally it should be 1, but then it is not possible to use the computer, and the generated files (Before.bin and After.bin) are too big!
I have tested the file "KeybordLowLevel.dll" with VirusTotal; here is the result: https://www.virustotal.com/fr/file/376e6e2a046c1c9d055da81f4a6faac5b1af5774d1d9bd35cc9a30a7f4b75c26/analysis/1508590220/
Only 2/66 antiviruses detect something. I always said that antivirus was useless; again I'm right. The day they become effective, let me know!
The program has changed its name and is now called Captain Hook.
Numerous changes to the code, especially the hook part of the keyboard.
Most of these changes concern the alignment of data and code.
Quote from: Jokaste on October 21, 2017, 02:55:22 PM
Only 2/66 antiviruses detect something. I always said that antivirus was useless; again I'm right. The day they become effective, let me know!
Unfortunately this is part of many company control tools and is considered not a virus and not even a privacy threat. >:(
For this reason many antiviruses ignore it to avoid false positives.
New version
Replaced WM_MOUSEFIRST with WM_MOUSEMOVE
Removed Input, SysInput and Keyboard hooks.
The database has 992 Windows messages.
New version.
If a call was followed by a ret, I replaced it with:
add rsp,232 ; release the local stack frame
jmp DefWindowProcA ; tail call: the callee's ret returns to our caller
Optimized the branch in Keyboard.dll (subtract rather than cmp).
Using a register for unconditional jumps.
sub rax,WM_KEYDOWN ; rax = message; zero if WM_KEYDOWN
jz @1
sub rax,1 ; WM_KEYUP = WM_KEYDOWN + 1
jz @2
jmp rbx ; rbx holds the address of the default handler
When creating a window, I replaced the code that sets the [rsp + xx] slots with movdqa:
mov rdx,[hInstance+rip]
mov rax,rcx ; rcx held the parent window handle
xor rcx,rcx ; dwExStyle = 0
xorpd xmm0,xmm0
shufpd xmm0,xmm0,0
movdqu [rsp + 32],xmm0 ; zero the stack arguments 5..12 (x, y, nWidth, nHeight,
movdqu [rsp + 48],xmm0 ; hWndParent, hMenu, hInstance, lpParam) in 16-byte stores
movdqu [rsp + 64],xmm0
movdqu [rsp + 80],xmm0
mov [rsp + 80],rdx ; hInstance
mov [rsp + 64],rax ; hWndParent
mov rdx,OFFSET WC_LISTVIEW ; lpClassName
mov r8,OFFSET szNullString ; lpWindowName
mov r9,WS_CHILD or LVS_NOSORTHEADER or LVS_SORTASCENDING or LVS_REPORT or LVS_SHOWSELALWAYS or LVS_SINGLESEL or WS_VISIBLE ; dwStyle
call CreateWindowExA
Two or three XORs are replaced by one XOR followed by two MOVs.
mov rax,r9 ; r9 = packed size, height in the high word, width in the low word
shr rax,16
and rax,0000ffffh
mov [rsp + 32],rax ; nHeight
and r9,0000ffffh ; nWidth
mov rcx,[hKeyboardLowLevelListview+rip] ; hWnd
xor rdx,rdx ; X = 0
mov r8,rdx ; Y = 0
mov QWORD PTR [rsp + 40],TRUE ; bRepaint
call MoveWindow
Tried to get a better alignment in the data segment.