From the course: Cybersecurity Foundations

Hiding using processes

- [Speaker] Let's now look at how we build a program which uses a more sophisticated means of hiding, by looking at a simple malware function written as a Windows process to intercept all keystrokes. In Microsoft Windows, when a key on the keyboard is pressed, an event is signaled to the operating system. Windows uses its keyboard driver to read the character that's been pressed and sends it as a message to the application that's waiting for it. However, Windows also allows other processes to look at the message as it passes through the system. That's how hotkeys work. Windows does this by something known as a keyboard hook callback routine. It hooks the key that's been pressed and then calls back after processing it to pass it on to its original destination. This technique can be used to write what's known as a simple keystroke logger. This only takes a few lines of code, but it's quite powerful.

I've prepared a keyboard hook program called wmisvc64.cpp, which we can see here. This is a very simple program. The first five lines provide the standard setup code for a C++ program. These are followed at line seven by code which is executed when the program first starts, to open an output file called intercept.txt that we'll use later to store intercepted characters. The next six lines specify a callback procedure. This is the code that's executed when a key is pressed. Events in Windows are quite granular. For instance, a key press involves two events, a key down and a key up. We only need to check one of these, so the callback routine at line 11 just checks for the WM_KEYUP event. When it sees this, it writes out to the output file the data associated with this event, which is the internal Windows code for the character pressed on the keyboard. The final action in this routine is to pass on the event by calling the next hook in the chain, using the aptly named CallNextHookEx function, which will allow the message to resume its path to the target application.

The remainder of the program is the main controlling logic for the Windows process that supports the callback routine. We don't need to go into this in detail, but do note at line 20 that we're registering a hotkey with MOD_ALT and 0x39, which is program speak for Alt+9. When this is pressed, the program will terminate.

Okay, let's see this program in action. We can compile this at the command line by entering cl wmisvc64.cpp. Okay, that's compiled, and we can now run it by typing wmisvc64, and we'll now close the command window. Let's do a bit of simple forensics and look at what's running on our computer. We'll type Ctrl+Alt+Del, open the Task Manager and look at the processes. There's nothing in the application list to show the interceptor's running. If we scroll down to the background processes, at the very bottom, we can see wmisvc64.exe. There's little about it to distinguish it from the normal Windows system processes which are running. It's in plain sight, but it's fairly well hidden, nevertheless.

Let's type some data into a Notepad document. "This is my secret note on writing callback routines to capture keystrokes." Okay, I'll close this. We won't save it, and I'll press Alt+9 to terminate the intercept. Let's use Explorer to check the log file the intercept program has been using. And here we see what the program has intercepted. The intercept contains our exit and also the note that we wrote. And it also contains other keyboard activity, such as the Alt and Shift keys, which display as various special characters. Of course, what an attacker would like to see in the intercept they capture is our system access and banking account login. The lesson here is that if an adversary can get access to implant malware on a computer, even a simple program of a few lines running as a normal user, it can be difficult to detect and has the ability to read everything that's typed, including access codes and passwords.
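The forensics step above relies on eyeballing Task Manager, where a process named like a Windows service blends in. The PowerShell script below is an added example, not code from the course or its wmisvc64.cpp program: it lists running processes whose image name follows a service-style naming pattern (an assumed heuristic, `-svc`, `-host`, `-srv`, `-service`) and flags any that are unsigned or that do not live under %SystemRoot%, which is where the real Windows service hosts reside. It assumes Windows PowerShell 5.1 or PowerShell 7 and that the session can read the image path of the processes of interest (the path of protected system processes is unreadable without elevation and is skipped).

```powershell
# Added example (not part of the course): flag processes that look like Windows
# service executables but are unsigned or run from outside %SystemRoot%.
# Assumptions: Windows PowerShell 5.1 / PowerShell 7; enough privilege to read
# the image path of the processes you care about. The name pattern is a heuristic.

$systemRoot     = $env:SystemRoot
$suspectPattern = '(svc|host|srv|service)\d*\.exe$'   # assumed naming heuristic

function Get-SuspiciousServiceLookalikes {
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        $path = $p.Path
        if (-not $path) { continue }   # protected/system process: path not readable, skip

        $name = [System.IO.Path]::GetFileName($path)
        if ($name -notmatch $suspectPattern) { continue }

        $inSystemRoot = $path.StartsWith($systemRoot, [System.StringComparison]::OrdinalIgnoreCase)
        $sig          = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $sigStatus    = if ($sig) { [string]$sig.Status } else { 'Unknown' }

        # A genuine service host is both signed and under %SystemRoot%; anything
        # that fails either test deserves a closer look (hash it, check its hooks).
        if (-not $inSystemRoot -or $sigStatus -ne 'Valid') {
            [pscustomobject]@{
                PID        = $p.Id
                Name       = $name
                Path       = $path
                InSysRoot  = $inSystemRoot
                Signature  = $sigStatus
                Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                StartTime  = $p.StartTime
            }
        }
    }
}

# Usage: run interactively; a user-dropped wmisvc64.exe in a profile folder
# shows up as InSysRoot=False, Signature=NotSigned.
Get-SuspiciousServiceLookalikes | Sort-Object InSysRoot, Signature | Format-Table -AutoSize
```

The check is deliberately cheap: it catches the "in plain sight" case the video demonstrates (a lookalike name outside System32, with no Authenticode signature), but it says nothing about what the process does. A keylogger can be named anything and can even be signed, so a proper investigation follows up on the flagged binaries with their hashes, their open file handles (an unexpected intercept.txt is a giveaway) and telemetry on SetWindowsHookEx and RegisterHotKey calls from an EDR or Sysmon-style sensor.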
