by ACrazzi & Shade
Written in Visual C++
Released in July 1999
Made in Russia
Hooker, the intelligent trojan keylogger
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(version 2.4)
Disclaimer
~~~~~~~~~~
This program was created for educational purposes only.
The authors will not be liable for data loss, damages, loss
of profits or any other kind of loss while using or
misusing this program. No person or company may charge a
fee for the distribution of Hooker. The authors will not be
liable for any kind of illegal use of this program. Hooker
may be distributed freely without any charge for it. The
authors do not mind the disassembling of any part of the code.
If you do not agree with these terms, stop using this program.
What is Hooker?
~~~~~~~~~~~~~~~
Hooker is a simple mailing trojan. Here is the list of its
features:
- keylog function (fairly simple, not as extended as in
  HookDump)
- You can define any option you can imagine - there are
  tons of them
- Hooker can look for RAS connections
- Hooker can download files from any location on the internet
  and start them completely invisibly to the user - you can
  use Hooker as an intruding module for starting bigger
  trojans like NetBus or BO
- Works under any Win32 platform (Win95/98/NT)
- Well-commented sources are available for free - you can
  build your very own version of Hooker ;)

The trojan part is written in MS Visual C++ 5.0. Neither MFC nor
any other nonstandard libraries were used. Therefore, Hooker can
be executed on any Win32 platform with a minimum set of DLLs.
Maybe Hooker can be compiled under Borland C or even Watcom, but
we have not tested it. I think that Hooker can be viewed as a
classical sample of a trojan. And maybe someone can build
something really good based on Hooker. And maybe he (or she)
will even credit us... :)
Installation in system
~~~~~~~~~~~~~~~~~~~~~~
During the first run Hooker moves its body into the directory
which is predefined in the configuration. You should keep the
following things in mind when you choose the place in the
registry from which Hooker will run:

  HKEY_LOCAL_MACHINE - Hooker will start with any user
  HKEY_CURRENT_USER  - Hooker will start only with the current user

\Software\Microsoft\Windows\CurrentVersion\, and variants:

  Run              if there is only the name of the file w/o path,
                   Hooker must be in a directory which is
                   defined in the %PATH% environment variable.
                   Remember that the system directory is not
                   defined in %PATH% by default.
  RunServices      the file must be placed in the system directory
                   (if there is only a name without path). Works
                   only under Win95/98.
  RunOnce          used to run a file only once. During boot, the
                   OS will start the file, then wait for its
                   termination and then remove it from RunOnce.
  RunServicesOnce  like RunOnce, but for the system directory.
                   Does not work under WinNT.

Hooker can be called from RunOnce and RunServicesOnce, and
it will not pause the boot process, because it will restart
immediately with the Restart_ID key, where ID is the ident number
(DWORD, computed from the date and time of configuration). Hooker
will not be started only once, because it will rewrite its string
in RunOnce (RunServicesOnce) within a short period of time.
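
The RunOnce rewriting described above leaves a trace a defender can check for: a RunOnce or RunServicesOnce value that is still present after a reboot. The following audit is an added example, not part of the original readme or of Hooker's sources; the snapshot format and every value name and file name in the sample data are constructed for illustration.

```python
import ntpath

ONCE_KEYS = {"runonce", "runservicesonce"}
AUTORUN_KEYS = ONCE_KEYS | {"run", "runservices"}

def executable(command):
    """Return the program part of an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ""

def audit(before_boot, after_boot):
    """Snapshots map (hive, key, value_name) -> command line.
    Returns sorted (finding, hive, key, value_name) tuples."""
    findings = set()
    for (hive, key, name), command in after_boot.items():
        if key.lower() not in AUTORUN_KEYS:
            continue
        exe = executable(command)
        # No directory part: the file is resolved via %PATH% or the
        # system directory, so that is where to look for it.
        if exe and not ntpath.dirname(exe):
            findings.add(("bare-filename", hive, key, name))
        # The OS removes *Once values when it runs them; one that is
        # still present after the reboot was written back by something.
        if key.lower() in ONCE_KEYS and (hive, key, name) in before_boot:
            findings.add(("once-value-rewritten", hive, key, name))
    return sorted(findings)

# Constructed sample snapshots (all names are made up).
BEFORE = {
    ("HKLM", "Run", "AvGuard"): r'"C:\Program Files\AV\guard.exe" /min',
    ("HKLM", "RunOnce", "Setup"): r"C:\WINDOWS\setup.exe /finish",
    ("HKLM", "RunServicesOnce", "svc32"): "svc32.exe",
}
AFTER = {
    ("HKLM", "Run", "AvGuard"): r'"C:\Program Files\AV\guard.exe" /min',
    ("HKLM", "RunServicesOnce", "svc32"): "svc32.exe",
}

if __name__ == "__main__":
    for finding in audit(BEFORE, AFTER):
        print(*finding)
```

A bare file name on its own is only a triage hint, since legitimate autorun entries also use one; the rewritten *Once value is the stronger signal.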
Keylogging
~~~~~~~~~~
Keylogging is very simple under Win32. It can be done using
a system hook. All you need is to replace the callback function
used for keypresses with your own, which must be located in a
DLL. In Hooker the callback function writes pressed keys into a
small buffer in the dynamic data segment of this DLL. By calling
the appropriate DLL functions you can free this buffer or read
information from it. We recommend giving a different name to the
keylogging DLL for every configuration you create. There are some
options for the keylog which you can choose depending on your
aims and the preferred size of the log:
- Hooker can log keypresses in every window or only in
  windows which have a predefined substring in their titles (for
  example, "login", "passw", "term" etc).
- Hooker can log all keys including SHIFT, ALT, TAB, CTRL,
  Caps Lock etc or log only text keys (chars etc).
- Sometimes you want to spy on a PC - then set the "Log windows
  where nothing was pressed" feature on. Believe us, you can
  get a lot of information just by looking at the titles and
  links your "victim" surfs.

If you do not want the keylog feature, just delete all the
substrings to search for and set the "Full keylog" option off.
Detecting modem connections
~~~~~~~~~~~~~~~~~~~~~~~~~~~
How can a program tell whether you are connected to the internet
or not? There is no solution which covers all situations. If the
user connects to the internet using Dial-Up Networking, then he
or she is using RAS functions - it's the most common case, and in
this case RASAPI32.DLL is used. But sometimes people connect to
the internet via LAN, and RAS is not used. Therefore, you must
set the "RAS" option wisely - set it to on if RAS is used, and to
off if not.

If a connection is successfully established, Hooker logs the
time, phone number, IP of the user and IP of the server.
Web-files downloading and executing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The number of programs for remote administration is countless.
BackOrifice, NetBus, DeepThroat, WinCrash... Tons... And their
weight (in kbs) is usually tons. :) Hooker's size is only 20 kb,
but it is not as complex as BO. And here goes one of the
innovative options: Hooker can download and execute files from
the web using the HTTP protocol. Hooker downloads a file from the
web into the Windows system directory and then executes it. If
the connection breaks during the download, Hooker will redownload
the file as far as possible. A check for an update is performed
every 30 minutes. If you want to download a file from a
nonstandard HTTP port, write the address like this:
www.myhost.com/file.exe:8000
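
The 30-minute update check and the retry after a broken transfer give this download feature a recognisable pattern in web proxy logs. The following detection sketch is an added example, not part of the original readme or of Hooker's sources; the log format, client addresses, tolerance and hit threshold are assumptions, and reading the trailing `:8000` as the TCP port of the host is an interpretation of the readme's address form.

```python
from collections import defaultdict
from datetime import datetime

def normalize(addr):
    """Rewrite the readme's 'host/path:port' form as an ordinary URL."""
    head, sep, tail = addr.rpartition(":")
    port = ""
    if sep and tail.isdigit():
        addr, port = head, ":" + tail
    host, _, path = addr.partition("/")
    return "http://%s%s/%s" % (host, port, path)

def periodic_fetches(lines, interval=1800, tolerance=120, min_hits=3):
    """lines: 'ISO-timestamp client-ip url'. Returns sorted (client, url)
    pairs with at least min_hits requests spaced about `interval` apart."""
    seen = defaultdict(list)
    for line in lines:
        stamp, client, url = line.split()
        seen[(client, url)].append(datetime.fromisoformat(stamp))
    hits = []
    for pair, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Retries after a broken transfer add short gaps, so count the
        # gaps that match instead of requiring all of them to.
        near = sum(abs(g - interval) <= tolerance for g in gaps)
        if near >= min_hits - 1:
            hits.append(pair)
    return sorted(hits)

# Constructed proxy log; the host is the readme's own example address.
URL = normalize("www.myhost.com/file.exe:8000")
LOG = ["1999-08-01T%s 10.0.0.23 %s" % (t, URL) for t in
       ("09:00:05", "09:30:07", "09:31:10", "10:00:06", "10:30:09")]
LOG += ["1999-08-01T09:02:00 10.0.0.40 http://updates.example.org/tool.exe",
        "1999-08-01T13:45:00 10.0.0.40 http://updates.example.org/tool.exe"]

if __name__ == "__main__":
    print(periodic_fetches(LOG))
```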
Thanks
~~~~~~
Thanks to all who tested Hooker, gave ideas and simply wrote
all that they think about us. :)
Eprst, Harmer, Alex, Plan, Dima, Androyd, Dark Monk
and to all I forgot...
Hooker, the intelligent trojan keylogger
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(history)
1.0
~~~
Just an experimental program with very limited capabilities (just
a simple keylog). It was completely rewritten in the next versions.
2.0
~~~
Now it sends a keylog. Added ripping of cached passwords (*.pwl).
Installs in registry to the user-defined path. It is possible to
define max size of a log-file, after which Hooker recreates it.
Added keylog of windows with pre-defined words in title. Added
self-destructing feature.
2.1
~~~
Added sending of log after overflow.
2.2 beta 1
~~~~~~~~~~
Fixed a huge bug in keylogging - the hook function must be in a DLL!
The trojan became much more stable. Added the HTTP file download
feature.
2.2 beta 2
~~~~~~~~~~
Fixed bug in function which adds system dates.
2.3 beta 1..4
~~~~~~~~~~~~~
Added detection of RAS connections. Fixed a bug in the use of
critical sections - sometimes there were thread conflicts. Now
the keylogging DLL is packed by LZW. Some minor bugs fixed.
2.3 beta 5
~~~~~~~~~~
Fixed a bug with sending of the keylog. If only "." was pressed in
a window, the trojan wasn't able to send mail properly (Hooker
simply flooded the mailbox with a big amount of messages).
2.3 beta 6
~~~~~~~~~~
Small changes in the sendmail procedure. Fixed an unpleasant
feature: Hooker didn't start on a machine without rasapi32.dll -
for example, on WinNT, which is not using Dial-Up Networking. Now,
if this DLL is not present, Hooker simply does not detect RAS
connections.
2.4
~~~
No more betas! It's a release.
Fixed a little bug in username and hostname detection. Added a
couple of features:
  full keylog: if not checked, Hooker will log only windows where
  there were keystrokes.
  advanced log: if not checked, Hooker will not log extended keys
  (such as "Shift", "Alt" etc).
Also fixed a bug in connection by IP.
ACrazzi & Shade, 24.7.1999
Server:
size: 21 KB
MegaSecurity