Friday, 4 September 2020

Hook based Key-loggers [SetWindowsHookExA]

Hey guyz!

Today we have a new category of malware to work on: the KEYLOGGERS! They fall under the category of spyware, which, as the name suggests, is meant to carry out reconnaissance on the victim. A keylogger captures and stores the keys pressed by the victim on his/her computer. As most of us do an extensive amount of our work on our computers, this type of malware is indeed nasty as far as the privacy and confidentiality of our information is concerned.

Based on the keylogger samples I have analysed so far, they use one of the following two methods to capture keystrokes:

  • Polling method
  • Hooking method

In the polling method, the malware uses functions such as GetAsyncKeyState to query the current state of a key on the keyboard, i.e. whether it is in the pressed or released state, and logs the key if it is pressed. The malware carries out this task in a loop, for all the keys on the keyboard.

In the hooking method, the malware registers (hooks) its own function to be executed whenever a key is pressed by the user. This is done with the SetWindowsHookExA Windows API call, which registers the callback with the OS. This method uses the OS event and messaging mechanism to record every key-press event in the system.

The sample we have today uses the hooking method for its malicious functionality. So with this primer, let's dive right into our sample.

Static Info:

Strings:

  • [SHIFT]
  • [ENTER]
  • [BACKSPACE]
  • [TAB]
  • [CTRL]
  • [DEL]
  • [CAPS LOCK]
  • [Window:
  • practicalmalwareanalysis.log

APIs:

  • FindWindowA
  • CallNextHookEx
  • SetWindowsHookExA
  • UnhookWindowsHookEx
  • WriteFile
  • CreateFileA
  • LoadLibraryA
  • GetForegroundWindow
  • GetWindowTextA
  • FindWindowA

The presence of descriptive strings for non-printable ASCII characters such as the above gives a hint about the purpose of this malware. This is why static analysis is so important for us: it saves crucial time during triage and guides us on what to look for during dynamic analysis. The quick thing we can do here if we are in a hurry [which, as malware analysts, we always are] is to look for the log file in which the keys are stored and for any remote URL this file is shipped to. Both of these artifacts make great host-based and network-based signatures.
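The triage described above can be scripted: look at the strings of a binary for the hooking APIs (SetWindowsHookExA, CallNextHookEx, GetMessageA) versus the polling APIs (GetAsyncKeyState), count the bracketed key-name strings, and pull out candidate log filenames and URLs as host and network signatures. This is an added example, not code from the post or from the sample; the byte blob is a constructed stand-in for the sample's strings, and the thresholds are my own choice.

```python
import re

# API names the post associates with the hooking technique and with the polling alternative
HOOK_APIS = {b"SetWindowsHookExA", b"SetWindowsHookExW", b"CallNextHookEx",
             b"UnhookWindowsHookEx", b"GetMessageA", b"GetMessageW"}
POLL_APIS = {b"GetAsyncKeyState", b"GetKeyState"}
LOG_APIS = {b"CreateFileA", b"WriteFile", b"GetForegroundWindow", b"GetWindowTextA"}

# Descriptive strings for non-printable keys, e.g. "[SHIFT]", "[ENTER]", "[Window:"
KEYNAME_RE = re.compile(rb"\[(?:SHIFT|ENTER|BACKSPACE|TAB|CTRL|DEL|CAPS LOCK|Window:)")
LOGFILE_RE = re.compile(rb"[A-Za-z0-9_\-]{3,}\.(?:log|txt|dat)")
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-/_:]+")


def triage(blob: bytes) -> dict:
    """Classify the capture technique suggested by the strings and collect signature candidates."""
    names = set(re.findall(rb"[A-Za-z]{5,}", blob))
    hook_hits = sorted(n.decode() for n in names & HOOK_APIS)
    poll_hits = sorted(n.decode() for n in names & POLL_APIS)
    log_hits = sorted(n.decode() for n in names & LOG_APIS)
    key_tags = len(KEYNAME_RE.findall(blob))
    if hook_hits and poll_hits:
        technique = "mixed"
    elif hook_hits:
        technique = "hooking"
    elif poll_hits:
        technique = "polling"
    else:
        technique = "none"
    # Key-name strings plus file writing plus a capture technique: flag for dynamic analysis
    likely = technique != "none" and key_tags >= 3 and "WriteFile" in log_hits
    return {
        "technique": technique,
        "hook_apis": hook_hits,
        "poll_apis": poll_hits,
        "key_name_strings": key_tags,
        "host_signatures": sorted({m.decode() for m in LOGFILE_RE.findall(blob)}),
        "network_signatures": sorted({m.decode() for m in URL_RE.findall(blob)}),
        "likely_keylogger": likely,
    }


# Constructed stand-in for the strings of the sample above (not the real file's bytes)
SAMPLE = (b"MZ\x90\x00user32.dll\x00SetWindowsHookExA\x00CallNextHookEx\x00"
          b"UnhookWindowsHookEx\x00GetMessageA\x00GetForegroundWindow\x00GetWindowTextA\x00"
          b"kernel32.dll\x00CreateFileA\x00WriteFile\x00[SHIFT]\x00[ENTER]\x00[BACKSPACE]\x00"
          b"[CAPS LOCK]\x00\r\n[Window:\x00practicalmalwareanalysis.log\x00")

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On a real file, feed it the raw bytes of the PE (or the output of strings) and treat a "hooking" or "polling" verdict as a pointer for what to set breakpoints on in dynamic analysis, not as a final classification.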

Now let's open up IDA to analyze the code of this malware.

The main function is located at 401803, which can easily be identified by the three pushes before a call instruction, as shown below:

(Screenshot: code snippet of the call to main at 401803)

Once we open the main function we notice the following code construct:

(Screenshot: a loop with the WinAPI calls for window hooking)


This loop essentially acts as a background process in which GetMessageA is called, which is essential to receive the keystroke events generated by the OS. To cover its tracks, the malware removes the hooked function from the call chain using UnhookWindowsHookEx and exits the loop. Note that the program must call GetMessageA; otherwise Windows would not deliver the messages to the process's hook function.

Please note the SetWindowsHookExA function call before the loop begins:


It has 3 parameters: the type of hook [0Dh in this case, which identifies it as a WH_KEYBOARD_LL hook], the hook function to be executed once a key is pressed, and a handle to the module in which the hook function is stored. In this sample the malware uses the function fn as its hook procedure, which is stored in the same exe file, so a handle to the same exe is passed as the last parameter. Function fn will therefore be executed for every key pressed by the user.


Let's look into function fn:

The important code to look for in this function is where the malware recognizes the key pressed by the user and writes the appropriate notation to the log file. This function call can be found as sub_40:


Let's open this function as well. Well, this is a big function indeed, and it needs to be big if it is to recognize the key and write it to the file as we expect.


The large size of the function is due to the big jump table it has to use to identify the key pressed. Usually, a keylogger has to record the following keys:

  • printable characters: abc...xyz, ABC...XYZ, 0...9
  • non-printable control characters: CAPS, SHIFT, SPACE etc.

This count normally runs to over 70-80 keys, which is why we see such a large jump table in keyloggers:



Now let's proceed with the analysis of the code snippets:

(Screenshot: open the log file)

(Screenshot: set the file pointer to the end of the file so that new content is appended)

(Screenshot: if the window the user is currently interacting with differs from the one recorded in the log file, the window name is added to the file, as can be seen from the \r\n[Window:<buffer>]\r\n string)

(Screenshot: this switch case uses the key value as an index into the jump table)

As can be seen, the appropriate notation is written to the file based on the key.
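When such a log file is recovered from an infected host, the responder needs to know which windows were active and what was typed into them, to scope the exposure. The parser below is an added example, not code from the post or from the sample; it assumes the format described above (a \r\n[Window:<title>]\r\n marker on every window change, printable keys written as-is, and the bracketed notations from the string table), and the log contents are constructed.

```python
import re

# Window-change marker the sample writes into the log: "\r\n[Window:<title>]\r\n"
WINDOW_RE = re.compile(r"\r\n\[Window:(.*?)\]\r\n")
# Either one of the sample's bracketed notations or a single literal character
TOKEN_RE = re.compile(r"\[(SHIFT|ENTER|BACKSPACE|TAB|CTRL|DEL|CAPS LOCK)\]|.", re.DOTALL)


def parse_keylog(text: str) -> list:
    """Split the log per window and rebuild what each window's typed text looked like."""
    parts = WINDOW_RE.split(text)  # [keys-before-first-marker, title1, keys1, title2, keys2, ...]
    segments = []
    if parts[0]:
        segments.append(("<unknown window>", parts[0]))
    for i in range(1, len(parts) - 1, 2):
        segments.append((parts[i], parts[i + 1]))
    result = []
    for title, keys in segments:
        buf, modifiers = [], 0
        for m in TOKEN_RE.finditer(keys):
            tag = m.group(1)
            if tag is None:
                buf.append(m.group(0))           # printable key logged as-is (assumption)
            elif tag == "ENTER":
                buf.append("\n")
            elif tag == "TAB":
                buf.append("\t")
            elif tag == "BACKSPACE":
                if buf:
                    buf.pop()                    # the victim erased the previous key
            else:
                modifiers += 1                   # SHIFT/CTRL/DEL/CAPS LOCK: counted, not rendered
        result.append({"window": title, "text": "".join(buf), "modifiers": modifiers})
    return result


# Constructed log in the format described above; not a real capture
SAMPLE_LOG = ("\r\n[Window:Untitled - Notepad]\r\n"
              "hellp[BACKSPACE]o world[ENTER]"
              "\r\n[Window:Log in - Internet Explorer]\r\n"
              "[SHIFT]bob@example.test[TAB]pass1234[SHIFT]!x[BACKSPACE][ENTER]")

if __name__ == "__main__":
    for seg in parse_keylog(SAMPLE_LOG):
        print(f"[{seg['window']}] modifiers={seg['modifiers']} text={seg['text']!r}")
```

The window titles tell you which applications and sites were exposed; the reconstructed text tells you which credentials need to be rotated.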


Our hook function fn must call the CallNextHookEx WinAPI function so that the next hook function that has registered for the given event [in this case the key-press event] is also executed.


This is essential for the normal functioning of the system. For example, if the user is typing into Notepad and the malware's hook function in the middle of the chain does not call CallNextHookEx, then Notepad will not receive the user's keystrokes.

Now let us run this malware to see if our analysis is correct. Note that the malware creates the log file in its current working directory, so you will find practicalmalwareanalysis.log in the folder where you placed the malware.

Immediately after executing the malware, we do not see any log file in the current directory:

But as soon as we type anything on the keyboard, our fn function is executed and the .log file appears:

Let's say I open my facebook account through Internet Explorer. If the malware is functioning correctly, it must record all my keystrokes. And it indeed has:

Since my VM is not connected to the internet, we see the message in the window title recorded by the malware. It has recorded all my activity in the log.

So ends our quick analysis of a keylogger. In the next post we will see how to check whether your system is infested with such a keylogger.
Until then cheers!
