• Trying to decrypt VB .Net keyloggers
    408 replies, posted
[QUOTE=Teddybeer;44164875]Got redirecting to 127.0.0.1 for all IP addresses working. Moving on to faking a mail server :v:. [editline]8th March 2014[/editline] Does not really help that I have no sample for testing.[/QUOTE] I have a folder full of them, but the ones that aren't using a generator are just simple .NET programs which present a winform to enter your username and password and then use SmtpClient to mail it off.
He didn't even try [IMG]http://i.imgur.com/KO4KxH3.png[/IMG] Password was changed 26 days ago though. Also had some weird DLL it was supposed to launch.
I don't know much about keylogging but can't they use a dummy email address to send to a secured email address?
[QUOTE=Jookia;44184424]I don't know much about keylogging but can't they use a dummy email address to send to a secured email address?[/QUOTE] Most of the time they do. Like that one obfuscated one. Also, most of these aren't keyloggers at all but just send the data you input into the text boxes.
[QUOTE=aurum481;44181690]Also had some weird DLL it was supposed to launch.[/QUOTE] Many of those are text files containing random garbage or technobabble. Apparently that makes them look more legit.
[QUOTE=Jookia;44184424]I don't know much about keylogging but can't they use a dummy email address to send to a secured email address?[/QUOTE] Could? Yes. Do? Not often.
I've found a bunch of gmail logins but I don't dare log in because afaik gmail notifies the owner of unknown IP addresses, which the guy may use to attack me. I've tried proxies but gmail doesn't work with them. Any clues?
[QUOTE=Donkie;44190691]I've found a bunch of gmail logins but I don't dare log in because afaik gmail notifies the owner of unknown IP addresses, which the guy may use to attack me. I've tried proxies but gmail doesn't work with them. Any clues?[/QUOTE] There's not a whole lot they can do with just an IP address, especially with limited computer skills. However, if you're still worried about it then try using a VPN.
[QUOTE=Jookia;44184424]I don't know much about keylogging but can't they use a dummy email address to send to a secured email address?[/QUOTE] If they'd do it properly, e.g. by using HTTP to send the data to some PHP script on a free webhost, they wouldn't need to put any credentials on the clientside. I think I've actually seen some script kiddie malware that works that way, but it's probably more of an exception than the common rule.
[QUOTE=aurum481;44164537] That's the password btw. Culprit has his GMail in number confirmation mode. Well it was my first credential capture. Edited: damnit let me edit my post FP Edited: Oh wow we did the same one simultaneously :v:[/QUOTE] This is the kind of shit LINQPad was invented for, it allows you to do that sort of shit without having to create a project that just runs a function. Example: [img]https://dl.dropboxusercontent.com/u/65721/linqpad.jpg[/img]
Does anyone here have experience with detouring .NET methods? I kinda want to create a program that runs a .NET assembly and intercepts any System.Net.Mail credentials it creates, but it seems really bothersome. Wouldn't want to post it either. As it would make whaling even obfuscated stealers require zero effort or skill, I'm pretty sure script kiddies would start using that to save themselves the time of uploading their own stealer and waiting for people to fall for it. [QUOTE=Teddybeer;44191293]That would require some thinking skills, not just copy and paste skills.[/QUOTE] You can make that copy-paste friendly just fine, but your tutorial would get a lot longer.
[QUOTE=DrTaxi;44192182]Does anyone here have experience with detouring .NET methods? I kinda want to create a program that runs a .NET assembly and intercepts any System.Net.Mail credentials it creates, but it seems really bothersome. Wouldn't want to post it either. As it would make whaling even obfuscated stealers require zero effort or skill, I'm pretty sure script kiddies would start using that to save themselves the time of uploading their own stealer and waiting for people to fall for it. You can make that copy-paste friendly just fine, but your tutorial would get a lot longer.[/QUOTE] No idea if this actually works, but you could hook the type resolver before loading and running the assembly in question. Then you should be able to insert fake versions of the classes that can create web connections. [editline]10th March 2014[/editline] Just make sure you don't accidentally activate them beforehand :v: Maybe it would be best to create a new AppDomain. [editline]10th March 2014[/editline] No, doesn't work. The event only fires if resolving the type fails. Your best bet is probably to use Mono.Reflection to rewrite all methods at runtime as necessary. (Offline rewriting with Mono.Cecil may not work since additional ones could be made using System.Reflection.) [editline]10th March 2014[/editline] The official way to do it is with the .NET profiling API, but that one is unmanaged.
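The runtime interception discussed here has a static counterpart that needs no hooking at all: walk the sample's IL once and list every call into System.Net.Mail together with the string literals the calling method loads, which for the plain SmtpClient stealers mentioned earlier in the thread is where the host, login and drop address live. The block below is an added example for this thread, not code posted by anyone in it, and assumes the Mono.Cecil NuGet package (the thread itself mentions Cecil only for offline rewriting).

```csharp
// Added example, not code from the thread: static triage of a .NET stealer sample with Mono.Cecil
// (assumed NuGet package). Reports every method that calls into System.Net.Mail / NetworkCredential
// together with the string literals that method loads, which is where an unobfuscated sample
// keeps its SMTP host, login and drop address. Nothing in the sample is executed.
using System;
using System.Collections.Generic;
using System.Linq;
using Mono.Cecil;
using Mono.Cecil.Cil;

public static class MailSiteScanner
{
    // Types a mail-based stealer has to touch to send off what it captured.
    static readonly string[] Watched =
    {
        "System.Net.Mail.SmtpClient", "System.Net.Mail.MailMessage", "System.Net.NetworkCredential",
    };

    // One report line per finding: "method | call ..." or "method | ldstr ...".
    public static List<string> Scan(string assemblyPath)
    {
        var report = new List<string>();
        var asm = AssemblyDefinition.ReadAssembly(assemblyPath);
        foreach (var type in asm.MainModule.GetTypes())          // includes nested types
        foreach (var method in type.Methods.Where(m => m.HasBody))
        {
            var il = method.Body.Instructions;
            // call, callvirt and newobj all have FlowControl.Call; newobj is what catches the
            // NetworkCredential(user, pass) and SmtpClient(host, port) constructors.
            var calls = il.Where(i => i.OpCode.FlowControl == FlowControl.Call)
                          .Select(i => i.Operand as MethodReference)
                          .Where(mr => mr != null && Watched.Contains(mr.DeclaringType.FullName))
                          .Select(mr => mr.FullName).Distinct().ToList();
            if (calls.Count == 0) continue;
            foreach (var c in calls) report.Add(method.FullName + " | call  " + c);
            // Literals in the same method; obfuscated samples decrypt these at runtime,
            // so an empty list here means a debugger (or the string decryptor) is needed.
            foreach (var s in il.Where(i => i.OpCode == OpCodes.Ldstr)
                                .Select(i => (string)i.Operand).Distinct())
                report.Add(method.FullName + " | ldstr \"" + s + "\"");
        }
        return report;
    }

    public static void Main(string[] args)
    {
        foreach (var line in Scan(args[0])) Console.WriteLine(line);
    }
}
```

A sample that reaches SmtpClient through reflection only shows up here via the literal naming the type, and one that decrypts its strings at runtime shows the call sites but no usable literals; both are the cases for the breakpoint-and-step approach described further down the thread.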
Mono.Reflection seems very out of date. I'll have to look into the Profiling API then. I did find [url=http://www.codeproject.com/Articles/463508/NET-CLR-Injection-Modify-IL-Code-during-Run-time]this[/url] though. It appears to work by patching the fucking JIT :v:
Couldn't you just drop a mscorlib.dll or something similar in the same folder so it takes priority and make the dll output text files?
That's quite a big library. Also, I believe this would break strong-naming, and thus couldn't be loaded.
That's kind of what I want to do, but this is .NET.
[QUOTE=DrTaxi;44194513]Mono.Reflection seems very out of date. I'll have to look into the Profiling API then. I did find [url=http://www.codeproject.com/Articles/463508/NET-CLR-Injection-Modify-IL-Code-during-Run-time]this[/url] though. It appears to work by patching the fucking JIT :v:[/QUOTE] They really need to put a JIT hook into the JITC, it's annoying to not have it available at all in a platform-independent way. (There are already a few of these things, like the method that lets you skip constructors and the one-way keep alive in ConditionalWeakTable.) I [B]really[/B] want something that lets me rewrite generic methods on instantiation, since then it would be possible to use sane duck typing without speed impact (and not the annoying stuff [I]dynamic[/I] does, which doesn't even behave as expected with generic types). [editline]11th March 2014[/editline] I think Mono.Reflection was just completed a good while ago, the features it covers are fairly small and stable.
Funny to see this thread is still going after 2 years.
I'd never even bothered to check it out until now since it was so old, but I'm kicking myself that I didn't sooner. Looks like something fun to do after 8 hours of university lectures :v:
I am surprised I didn't see this thread earlier! I used to decompile fake keygens and shit all the time. I once stumbled across a gmail account of a French "hacker" and it was filled with keylogger dumps and various account credentials. After struggling to navigate his French interface, I deleted the whole thing. Good times. Maybe I should get back into this. I didn't realize there was a whole community built around this stuff.
I find it far funnier to send them a creepy email to their super secret log inbox. Plus, not illegal.
[QUOTE=DrTaxi;44358262]I find it far funnier to send them a creepy email to their super secret log inbox. Plus, not illegal.[/QUOTE] As if they are gonna go to the cops to tell them that someone reverse engineered their malware to break into their mailbox that collects the data.
Just got own3d by this because I wasn't paying attention: [url]https://dl.dropboxusercontent.com/u/9845728/virus.7z[/url] 02080.exe phones home, so maybe somebody cares enough to dissect the thing and take it down.
[ REDACTED ]
I thought a moderator said earlier not to post those sorts of details?
[url]http://pixldrop.com/view/wTgCkIQr[/url] How exactly do I deobfuscate this?
[QUOTE=iSigma;45007088][url]http://pixldrop.com/view/wTgCkIQr[/url] How exactly do I deobfuscate this?[/QUOTE] Go through the code and read it. Look at what does what and start renaming the variables.
Look at what functions accept, aka what the methods/functions that are used are called with (arguments). [editline]5th June 2014[/editline] Also, you can debug it (virtual machine + Visual Studio, set a breakpoint and then go step-by-step; you will see what the actual values are).
So my friend got hacked by some .scr type hack. I almost fell for it before noticing the .scr extension. I fired up ILSpy and I was met with a wall of Chinese characters. [IMG]http://i.imgur.com/vbmuDW5.png[/IMG] There's supposedly an assembly inside that image and it uses some convoluted shit to load that bmp into memory and subsequently decodes it into executable code. I think I could just copy-paste the decrypting portion of code and look into it in a disassembler, but I don't think I'll be able to make any sense out of that.
[QUOTE=aurum481;46811395]So my friend got hacked by some .scr type hack. I almost fell for it before noticing the .scr extension. I fired up ILSpy and I was met with a wall of Chinese characters. [IMG]http://i.imgur.com/vbmuDW5.png[/IMG] There's supposedly an assembly inside that image and it uses some convoluted shit to load that bmp into memory and subsequently decodes it into executable code. I think I could just copy-paste the decrypting portion of code and look into it in a disassembler, but I don't think I'll be able to make any sense out of that.[/QUOTE] Let me guess, the domain masqueraded as a screenshot website? I think some bot spammed me with that a week or two or so ago, but I couldn't be bothered to deobfuscate it. (.scr files are "screen savers", but in the end those are just normal executables.)