Topic: Captain Hook

Jokaste

  • Guest
Captain Hook
« on: October 20, 2017, 09:35:52 PM »
A small utility hooking some Windows possibilities:
1-Hook WndProc/WndProRet
2-Hook Keyboard
3-Hook Mouse
4-Hook Messages
5-Hook Dialog Input


It captures everything you type in a program such as Notepad++, or a password entered in Google.
There is a bug in the keyboard hook, all characters are in upper case.
« Last Edit: October 21, 2017, 02:49:26 PM by Jokaste »

Jokaste

  • Guest
Re: Captain Hook
« Reply #1 on: October 21, 2017, 02:42:37 PM »

Here is an important update of the program.
It allows you to clearly see a word (password) with errors during typing.
If, for example, the password is Bernadotte (a French general under Napoleon who became King of Sweden),
and the user types Bernadottt_e, where the '_' stands for the BACKSPACE key, the password will appear like this:
B
e
r
n
a
d
o
t
t
t
<Backspace>
e

Now the ListViews are sorted, except one, which makes the program crash; I'm looking for why.
In the Before and After hooks, I have left the following parameter at 0 rather than 1.

Code:
HookBeforeProc            PROC   USES RDI RSI __nCode:QWORD,__wParam:WPARAM,__lParam:LPARAM PARMAREA=8*QWORD
                     LOCAL   _Stack:STACK
                     LOCAL   Reg_Rcx:QWORD
                     LOCAL   Reg_Rdx:QWORD
                     LOCAL   Reg_R8:QWORD

                     mov      Reg_Rcx,rcx
                     mov      Reg_Rdx,rdx
                     mov      Reg_R8,r8

                     test   rdx,rdx                                    ; Should be CMP RDX,1
                     jz      @NextHook                              ; JE @NextHook (to ignore the current process)
Normally it should be 1, but then it is not possible to use the computer, and the generated files (Before.bin and After.bin) are too big!
« Last Edit: October 22, 2017, 09:22:21 AM by Jokaste »

Jokaste

  • Guest
Re: Captain Hook
« Reply #2 on: October 21, 2017, 02:55:22 PM »
I have tested the file "KeybordLowLevel.dll" with VirusTotal; here is the result: https://www.virustotal.com/fr/file/376e6e2a046c1c9d055da81f4a6faac5b1af5774d1d9bd35cc9a30a7f4b75c26/analysis/1508590220/

Only 2/66 antiviruses detect something. I always said that antiviruses were useless; again I'm right. The day they become effective, let me know!
Jokaste

  • Guest
Re: Captain Hook
« Reply #3 on: October 22, 2017, 09:21:54 AM »
The program has changed its name and is now called Captain Hook.
Numerous changes to the code, especially the hook part of the keyboard.
Most of these changes concern the alignment of data and code.


frankie

  • Global Moderator
Re: Captain Hook
« Reply #4 on: October 22, 2017, 10:53:21 AM »
Only 2/66 antiviruses detect something. I always said that antivirus were useless, again I'm right. The day they will be effective, let me know!

Unfortunately this is part of many company control tools and is considered neither a virus nor even a privacy threat.  >:(
For this reason many antiviruses ignore it to avoid false positives.
« Last Edit: October 22, 2017, 12:51:49 PM by frankie »
It is better to be hated for what you are than to be loved for what you are not. - Andre Gide
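A defender-side check that follows from frankie's point, added here and not part of the thread or of the Captain Hook code: a global SetWindowsHookEx hook DLL is mapped by the system into every process that runs a message loop, so inventorying which processes have a given module loaded surfaces it even when antivirus stays quiet. The DLL name is the one posted above; the script itself is my own assumption of how to do the inventory.

```powershell
# Added example (not from the thread): list every process that has a given DLL mapped.
# A global hook DLL such as KeybordLowLevel.dll is injected by Windows into each GUI
# process, so one DLL name appearing across many unrelated processes is the signal.
# Run elevated to read most module lists; protected or cross-bitness processes
# throw on .Modules and are skipped.
param(
    [string]$DllName = 'KeybordLowLevel.dll'   # name from the thread; substitute the module you are hunting
)

$hits = foreach ($p in Get-Process) {
    try {
        $m = $p.Modules | Where-Object { $_.ModuleName -ieq $DllName }
        if ($m) {
            [pscustomobject]@{
                Pid     = $p.Id
                Process = $p.ProcessName
                Path    = ($m | Select-Object -First 1).FileName
            }
        }
    } catch {
        # module list not readable (access denied or 32/64-bit mismatch): skip
    }
}

if ($hits) {
    $hits | Sort-Object Process | Format-Table -AutoSize
    '{0} process(es) have {1} loaded' -f @($hits).Count, $DllName
} else {
    "$DllName is not mapped in any process whose module list could be read"
}
```

The hook DLL must be on disk for this to find it; compare the reported Path against your software inventory, since legitimate monitoring tools load the same way.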

Jokaste

  • Guest
Re: Captain Hook
« Reply #5 on: October 29, 2017, 05:16:44 PM »
New version
Replaced WM_MOUSEFIRST with WM_MOUSEMOVE
Removed Input, SysInput and Keyboard hooks.
The database has 992 Windows messages.
« Last Edit: October 30, 2017, 10:53:45 AM by Jokaste »

Jokaste

  • Guest
Re: Captain Hook
« Reply #6 on: October 30, 2017, 11:04:17 AM »
New version.

If a call was followed by a ret, I replaced it with:

Code:
                     add      rsp,232                  ; drop the local frame
                     jmp      DefWindowProcA           ; tail call: DefWindowProcA returns to our caller

Optimized branches in Keyboard.dll (subtract rather than cmp).
Using a register for unconditional jumps.

Code:
                     sub      rax,WM_KEYDOWN           ; rax = message - WM_KEYDOWN
                     jz      @1                       ; WM_KEYDOWN

                     sub      rax,1                    ; WM_KEYUP = WM_KEYDOWN + 1
                     jz      @2                       ; WM_KEYUP

                     jmp      rbx                      ; anything else: target address held in rbx

When creating a window, I replaced the code that set the [rsp + xx] slots with movdqa.

Code:
                     mov      rdx,[hInstance+rip]
                     mov      rax,rcx                  ; rcx = parent hWnd on entry
                     xor      rcx,rcx                  ; dwExStyle = 0
                     xorpd   xmm0,xmm0                 ; xmm0 = 0
                     shufpd   xmm0,xmm0,0
                     movdqu   [rsp + 32],xmm0          ; zero stack args 5..12 (X, Y, nWidth, nHeight,
                     movdqu   [rsp + 48],xmm0          ;  hWndParent, hMenu, hInstance, lpParam)
                     movdqu   [rsp + 64],xmm0
                     movdqu   [rsp + 80],xmm0
                     mov      [rsp + 80],rdx      ; hInstance (arg 11)
                     mov      [rsp + 64],rax      ; hWndParent (arg 9)
                     mov      rdx,OFFSET WC_LISTVIEW   ; lpClassName
                     mov      r8,OFFSET szNullString   ; lpWindowName
                     mov      r9,WS_CHILD or LVS_NOSORTHEADER or LVS_SORTASCENDING or LVS_REPORT or LVS_SHOWSELALWAYS or LVS_SINGLESEL or WS_VISIBLE   ; dwStyle
                     call   CreateWindowExA

Two or three XORs are replaced by one XOR followed by two MOVs.

Code:
                     mov      rax,r9
                     shr      rax,16
                     and      rax,0000ffffh            ; HIWORD(lParam) = new client height
                     mov      [rsp + 32],rax           ; nHeight (arg 5)
                     and      r9,0000ffffh             ; LOWORD(lParam) = new client width -> nWidth (arg 4)
                     mov      rcx,[hKeyboardLowLevelListview+rip]   ; hWnd
                     xor      rdx,rdx                  ; X = 0
                     mov      r8,rdx                   ; Y = 0
                     mov      QWORD PTR [rsp + 40],TRUE   ; bRepaint (arg 6)
                     call   MoveWindow

Tried to have a better alignment in the data segment.