This post is part of the series of Practical Malware Analysis Exercises.
The MD5 hash a7f21e412022554d187d6a876a3c08ac identifies this executable as the payload from Lab12-02. There are many signs indicative of keylogging functionality. Strings include [TAB] and [CAPS LOCK]. Imported functions include the ability to:
- Set and remove Windows event hooks.
- Get the foreground window text.
- Create and terminate processes.
- Create and write files.
- Load arbitrary library functions.
IDA verified that this is a usermode hooking keylogger. The hook procedure calls the keystroke log routine at 4010A7 whenever a key press (WM_SYSKEYDOWN or WM_KEYDOWN) event is detected. Non-printable keystrokes are converted using a large jump table, meaning that a switch statement was used. The picture below shows code for converting the [BACKSPACE] and [TAB] keystrokes.
The main function hooks low-level keyboard events by calling SetWindowsHookEx at 40105B, with the idHook parameter set to WH_KEYBOARD_LL (0Dh). The hook procedure is called whenever a WH_KEYBOARD_LL event is processed.
The program logs window titles and keystrokes to the cleartext file practicalmalwareanalysis.log in the working directory. The keystroke logging function does this at 4010C7, calling CreateFileA each time.
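A quick static triage check for the indicators listed above (hook, window-text and file-write imports, bracketed key labels, and the log filename), added here as example code that is not part of the original post or the lab. It searches raw file bytes rather than parsing the PE import table, and the A/W suffixes on APIs other than CreateFileA are assumptions.

```python
import re
import sys

# Imported-function names that together suggest a usermode hooking keylogger,
# grouped by the capabilities called out in the analysis above. The A/W
# suffixes are assumptions; the post only names CreateFileA explicitly.
CAPABILITY_APIS = {
    "hooking": ("SetWindowsHookExA", "SetWindowsHookExW", "UnhookWindowsHookEx"),
    "window_text": ("GetForegroundWindow", "GetWindowTextA", "GetWindowTextW"),
    "file_write": ("CreateFileA", "CreateFileW", "WriteFile"),
}
# Bracketed upper-case labels such as [TAB], [CAPS LOCK] or [BACKSPACE].
KEY_LABEL_RE = re.compile(rb"\[[A-Z][A-Z ]{1,15}\]")
LOG_NAME = b"practicalmalwareanalysis.log"


def triage_keylogger(data: bytes) -> dict:
    """Return the keylogger indicators found in raw file bytes plus a verdict."""
    found = {
        cap: [api for api in apis if api.encode() in data]
        for cap, apis in CAPABILITY_APIS.items()
    }
    labels = sorted({m.decode() for m in KEY_LABEL_RE.findall(data)})
    if all(found.values()) and len(labels) >= 2:
        verdict = "likely keylogger"  # hooks + window text + file output + key labels
    elif found["hooking"] or labels:
        verdict = "inconclusive"
    else:
        verdict = "no keylogger indicators"
    return {
        "apis": found,
        "key_labels": labels,
        "log_filename": LOG_NAME in data,
        "verdict": verdict,
    }


# Constructed sample bytes standing in for the import name table and string
# data of the binary described above (not the real file).
SAMPLE_KEYLOGGER = (
    b"MZ" + b"\x00" * 6
    + b"SetWindowsHookExA\x00UnhookWindowsHookEx\x00GetForegroundWindow\x00"
    + b"GetWindowTextA\x00CreateFileA\x00WriteFile\x00"
    + b"[TAB]\x00[CAPS LOCK]\x00[BACKSPACE]\x00practicalmalwareanalysis.log\x00"
)
# Constructed benign sample: writes files but installs no hooks.
SAMPLE_BENIGN = b"MZ" + b"\x00" * 6 + b"CreateFileA\x00WriteFile\x00[Hello]\x00"

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYLOGGER
    for key, value in triage_keylogger(data).items():
        print(f"{key}: {value}")
```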