Keystroke logging (often called keylogging) is the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. There are numerous keylogging methods, ranging from hardware and software-based approaches to electromagnetic and acoustic analysis.
Software-based keyloggers
These are software programs designed to run on the target computer's operating system. From a technical perspective there are five categories:
Hypervisor-based: The keylogger can theoretically reside in a malicious hypervisor running underneath the operating system, which remains untouched and effectively becomes a virtual machine. Blue Pill is a conceptual example.
Kernel-based: This method is difficult both to write and to combat. Such keyloggers reside at the kernel level and are therefore hard to detect, especially from user-mode applications. They are frequently implemented as rootkits that subvert the operating system kernel and gain unauthorized access to the hardware, which makes them very powerful. A keylogger using this method can, for example, act as a keyboard driver and so see every keystroke as it passes to the operating system.
API-based: These keyloggers hook or poll keyboard APIs from user mode. With a hook (SetWindowsHookEx() with WH_KEYBOARD_LL on Windows) the operating system notifies the keylogger on each key press and the keylogger simply records it; with polling, GetAsyncKeyState() is called in a loop to read the key state, often combined with GetForegroundWindow() to record which application received the keystroke. These are the easiest keyloggers to write, but constant polling of every key can cause a noticeable increase in CPU usage and can miss a key that is pressed and released between two polls. A more recent example simply polls the BIOS for preboot authentication PINs that have not been cleared from memory.
Form grabber based: Form grabbers log web form submissions by hooking the browser's form-submission handling (for example the onSubmit event or the browser's own HTTP functions). The form data is recorded inside the browser before it reaches the TLS layer, so HTTPS encryption on the wire does not protect it.
Packet analyzers: These capture network traffic associated with HTTP POST requests to retrieve passwords sent in the clear. They only work against plain HTTP; on an HTTPS connection the POST body is already encrypted by the time it reaches the network.
Remote access software keyloggers
These are local software keyloggers with an added feature: they transmit the recorded data from the target computer to a monitor at a remote location. Remote communication is facilitated by one of four methods:
- Data is uploaded to a website, database or an FTP account.
- Data is periodically emailed to a pre-defined email address.
- Data is wirelessly transmitted by means of an attached hardware system.
- The software enables a remote login to the local machine over the internet or the local network, so that data logs stored on the target machine can be accessed.
Writing a simple keylogging application can be trivial, and like any other malicious program it can be distributed as a trojan horse or as part of a virus. What is not trivial for an attacker is installing a covert keystroke logger without getting caught and retrieving the logged data without being traced. An attacker who manually connects to the host machine to download logged keystrokes risks being traced, and a trojan that sends keylogged data to a fixed e-mail address or IP address risks exposing the attacker.
Polymorphic keyloggers and crypters are difficult for anti-virus software to detect. Download Polymorphic Keylogger here
FUD Crypter
A crypter is free software used to hide keyloggers or trojans from anti-virus software (AVs) so that they are not detected and deleted. Signature-based AVs scan a file for byte patterns (strings and code fragments) known from previously seen malware. A crypter does not work on the source code: it encrypts the compiled executable and wraps it in a small loader, the stub, so that the file on disk contains only the stub and an opaque encrypted blob that matches no signature. When the file is run, the stub decrypts the blob in memory and executes it. (Screenshot of the crypter's interface not reproduced.)
These are the steps a Crypter takes:
- Open a given binary file
- Encrypt the data with an AES or RC4 key (change this key as you like)
- Write the encrypted data to an output file
NOTE: If possible, learn C++; you will need it to modify the stub.
Crypter Example
Select AES or RC4 as you need, then select a stub and browse to the Stub Package folder. The practical difference between AES and RC4 here is speed, not security: RC4 is faster, and since the key ships inside the stub anyway, the cipher only changes which bytes the AV sees; it does not protect the payload from anyone who has the file.
Next, select the server file (the keylogger or trojan) you want to make undetectable, then crypt it; a crypted.exe file is created in the current directory. Scan the crypted keylogger with several AVs to test whether it is FUD (Fully Undetectable).
NOTE: No publicly available crypter or binder is FUD! Crypters and binders are FUD only while they are rarely used and not available publicly. Al3ks_Crypter in combination with StringsEncoder is offered here as a combination that is still undetected; treat that as a snapshot, since a detection rate changes as soon as vendors obtain a sample of the stub. Download Al3ks_Crypter here
To make your .exe FUD you will also need StringsEncoder to obfuscate the strings in the source code. Download StringsEncoder here
The stub is a Win32 application. It decrypts the binary data found in a resource of the exe. The decrypted executable exists only in memory, so a scanner that inspects the file on disk never sees it. AVs that only perform static analysis of the file (historically most of them) therefore have no pattern to match; only engines that emulate or execute the stub, or that scan process memory at run time, can still see the decrypted payload. Dynamic analysis is more resource intensive, which is why this approach worked well against older end-user AVs; modern endpoint products commonly add behavioural monitoring and in-memory scanning, so a clean static scan no longer guarantees that the payload runs undetected.
These are the steps the Stub takes:
- Search for the resource with the type "BIN" and the name "132"
- Copy the encrypted resource data to the heap
- Decrypt data
- Run decrypted code (your exe) inside memory
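The crypter and stub steps above, as an added example in C that is not code from this page or from any of the tools it names. It models both halves of the pipeline on a byte buffer: the crypter side encrypts a constructed stand-in payload with RC4 and wraps it in a small container (a hypothetical header standing in for the "BIN"/"132" resource), and the stub side locates the container, copies the ciphertext to a fresh buffer and decrypts it there. Nothing here executes the decrypted bytes. A signature check on both sides shows what the technique actually buys: the payload's strings disappear from the packed file, but the container marker, the key and the decryption routine remain in the clear, which is exactly what a signature written against the stub matches.

```c
/* Added example (not code from the page or from any tool it names): the
 * crypter/stub pipeline modelled on a byte buffer. The container layout
 * (MAGIC marker, embedded key, 32-bit little-endian length) is a hypothetical
 * stand-in for the "BIN"/"132" PE resource; nothing here executes the
 * decrypted bytes. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAGIC  "STUB"            /* hypothetical container marker */
#define KEYLEN 16                /* RC4 key length used by this demo */
#define HDRLEN (4 + KEYLEN + 4)  /* marker + key + payload length */

/* Constructed stand-in for a keylogger binary: arbitrary bytes that contain
 * the kind of string a file signature would key on. */
static const uint8_t SAMPLE_PAYLOAD[] =
    "MZ constructed payload: GetAsyncKeyState keylog.txt";
#define SAMPLE_LEN (sizeof(SAMPLE_PAYLOAD) - 1)

/* RC4 (key schedule + keystream) applied in place; encrypt == decrypt. */
static void rc4_crypt(const uint8_t *key, size_t keylen, uint8_t *data, size_t len)
{
    uint8_t S[256], t;
    int i, j;
    size_t n;
    for (i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (i = 0, j = 0; i < 256; i++) {
        j = (j + S[i] + key[i % keylen]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    for (i = 0, j = 0, n = 0; n < len; n++) {
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
        data[n] ^= S[(S[i] + S[j]) & 0xff];
    }
}

/* Stand-in for a static signature: 1 if `sig` occurs anywhere in `buf`. */
static int sig_present(const uint8_t *buf, size_t len, const char *sig)
{
    size_t siglen = strlen(sig), i;
    if (siglen == 0 || siglen > len) return 0;
    for (i = 0; i + siglen <= len; i++)
        if (memcmp(buf + i, sig, siglen) == 0) return 1;
    return 0;
}

/* Crypter side: marker, key and length in the clear, then the RC4-encrypted
 * payload. Returns the packed size, or 0 if `out` is too small. */
static size_t crypter_pack(const uint8_t *key, const uint8_t *payload, size_t plen,
                           uint8_t *out, size_t outcap)
{
    if (plen > 0xffffffffu || outcap < HDRLEN + plen) return 0;
    memcpy(out, MAGIC, 4);
    memcpy(out + 4, key, KEYLEN);
    out[20] = (uint8_t)(plen & 0xff);         out[21] = (uint8_t)((plen >> 8) & 0xff);
    out[22] = (uint8_t)((plen >> 16) & 0xff); out[23] = (uint8_t)((plen >> 24) & 0xff);
    memcpy(out + HDRLEN, payload, plen);
    rc4_crypt(key, KEYLEN, out + HDRLEN, plen);
    return HDRLEN + plen;
}

/* Stub side: find the container, copy the ciphertext to a fresh buffer (the
 * heap copy in the steps above) and decrypt it there. Returns the payload
 * length, or 0 if the marker is missing or the length field is inconsistent. */
static size_t stub_unpack(const uint8_t *blob, size_t bloblen, uint8_t *out, size_t outcap)
{
    size_t plen;
    if (bloblen < HDRLEN || memcmp(blob, MAGIC, 4) != 0) return 0;
    plen = (size_t)blob[20] | ((size_t)blob[21] << 8) |
           ((size_t)blob[22] << 16) | ((size_t)blob[23] << 24);
    if (plen > bloblen - HDRLEN || plen > outcap) return 0;
    memcpy(out, blob + HDRLEN, plen);
    rc4_crypt(blob + 4, KEYLEN, out, plen);
    return plen;
}

/* Results of one run, kept in globals so they can be inspected afterwards. */
static uint8_t packed[256], recovered[256];
static size_t packed_len, recovered_len;

/* Run crypter then stub over the sample payload with a fixed demo key.
 * Returns the packed length (HDRLEN + SAMPLE_LEN on success). */
static size_t run_pipeline(void)
{
    const uint8_t *key = (const uint8_t *)"sixteen byte key";  /* demo key, 16 bytes */
    packed_len = crypter_pack(key, SAMPLE_PAYLOAD, SAMPLE_LEN, packed, sizeof packed);
    recovered_len = stub_unpack(packed, packed_len, recovered, sizeof recovered);
    return packed_len;
}

int main(void)
{
    run_pipeline();
    printf("string in payload:          %d\n", sig_present(SAMPLE_PAYLOAD, SAMPLE_LEN, "GetAsyncKeyState"));
    printf("string in packed file:      %d\n", sig_present(packed, packed_len, "GetAsyncKeyState"));
    printf("stub marker in packed file: %d\n", sig_present(packed, packed_len, MAGIC));
    printf("round trip intact:          %d\n",
           recovered_len == SAMPLE_LEN && memcmp(recovered, SAMPLE_PAYLOAD, SAMPLE_LEN) == 0);
    return 0;
}
```

Swapping rc4_crypt for another cipher, as the page later suggests, changes only the bytes of that one routine; the marker, the embedded key and the unpack flow stay identical, so a detection written against the stub's structure or its run-time behaviour is unaffected by the change.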
File Binder
A binder is free software used to combine two or more files into a single file with one name and extension. The files to be bound can have any extension or icon, and the user chooses the name, icon and other attributes of the bound file. If a bound file contains an application (a RAT or keylogger), that application also runs when the bound file is run. (Screenshot of the binder's interface not reproduced.)
Binders that are useful for hiding keyloggers or trojans are often detected by anti-virus software and deleted as viruses. To prevent this deletion and bypass AV detection you need a FUD binder, which can be obtained from various hacking forums.
NOTE: Crypters are the better tool for avoiding AV detection. The usual practice is to first crypt the keylogger or trojan with a crypter and then bind the crypted file to a harmless-looking file to make it deceptive.
NOTE: The same caveat applies: no publicly available crypter or binder stays FUD. YkZ Binder in combination with Al3ks_Crypter and StringsEncoder is offered here as a combination that is still undetected. Download YkZ Binder here
Once crypters and binders are publicly available, AV vendors soon develop a recognition pattern for the crypter or binder. If you understand C++ you can modify the source code. Many AVs only support static code analysis, so if you reorganise your stub enough that the vendors' pattern no longer matches, it is FUD again. For example, change the encryption algorithm: Blowfish, RC6 or Triple DES are alternatives, and C++ implementations are easy to find, for example in the Crypto++ distribution at http://www.cs.sunysb.edu/~algorith/implement/cryptopp/distrib/. Keep in mind that swapping the cipher only changes the bytes of the decryption routine; the stub's structure (resource lookup, copy to the heap, in-memory execution) stays the same, and that behaviour is what a heuristic or dynamic engine keys on.