This weeks blog post will be kept relatively short: I’ll still try to share all the details of what we’ve done, why, and also share some of the testing I’ve done.
First and foremost, where we currently are in the project:
- We have successfully made a secondary download method, which works through a file that will be hidden on the computer.
What we will be doing now:
- Functionality to download that said file to the server
- Ability to properly choose between file/email delivery methods
- Testing & finding bugs?
First task is to download the keylog file to the server from the computer. Quite straightforward, we’ll add a download command to the code. This needs to be implemented on server and client side.
The server side code is quite simple. When the command is given, we just simply write the data into a file and print that the download is complete. On the client side we need a little bit more:
The if-statements. Important bits highlighted with red. Notice that the file download method is the default here, we’ve not yet implemented the ability to manually choose which one to use (soon TM). The lower part of the code is for the new functionality we’re now making, and it’s basically trying to guarantee that we’re not going to download the file by accident when it doesn’t even exist yet. Further testing for this later.
Code we use for the keylogger file. Notice that the file is made hidden on the user system so that by default it won’t be visible. Also, we should probably delete this file after each download so that it doesn’t stay on the system (actually, probably just make another command for this). Notice the global home and log_started functions. Since these are also used with the if-statements, we need to make sure the entire code can reach them.
Time for some testing with what we have. We should be able to download a text file containing the keylog data to our computers now. Let’s see:
No errors on execution 
Missed some of the test data on the initial download since I was typing past the update, sorry for a messy screenshot
Above are the test results, everything working perfectly. My test sentences were sadly cut short since I was typing past the first update, but that’s expected behavior. It still came out right on the next download, and since this is not a bug it’s not something we can or should fix.
Still need to test what happens when we download an empty file. Note that the program should not allow you to download anything when keylogging is not started, but you could still download a non-existing file after starting the keylogger.
Situation was a little unexpected. First of all, we were able to download despite not starting the keylogger: this needs to be fixed. Secondly, what we actually downloaded is some incoherent garbage: this is actually fine. I don’t particularly care too much, as long as it doesn’t crash the program or anything. Anyways, implementing a way to choose the delivery method now:
This simple code should work, though I can imagine plenty of scenarios where we might run into potential issues, but we’ll see. Testings:
Server 
Client
Somehow the command_result wasn’t defined according to the client crash message. Not sure what caused this, but it seems to be fixed on the second round of testing when I just had the whole text on one line instead of two like before:
Further testing.
Stuff working relatively well until we change the delivery method to email and then try to go back, which causes errors (Incorrect delivery method). I checked for typos in both the console and the code, but it doesn’t seem like I made a mistake on that front. However, this doesn’t work even if it’s the first and only thing we do during execution:
As we now know, something must be wrong with the if-statements, since we’re getting the result from the else: . I made two changes:
First, I changed the email statement to elif, and second, I commented out the keylogger_method = False, since I thought the problem would be one of those, though I’d hope it’s the former. During testing my suspicions were confirmed:
Everything working just well. Let’s uncomment the keylogger_method = False and see if the problem was the fact we were using two if-statements (which hopefully will be the case).
Mystery solved. Now that this is working, we can get back to testing:
Seems to be working just fine. Now I’m testing that the email function is still working:
Console 
Email outcome
Seems to be working just fine. I can’t imagine any real bugs that the program would have at this point, so we’ll just fix them as they pop up (if they do). I’m sure there are ways to break the program, but it works just fine with the intended usage (and to be honest, the user should be smart enough to use it properly!). That’s another feature added to the program.
Now let’s try to implement a timer command. This seems simple on the surface, but is a little bit more difficult than first imagined:
The first iteration. We don’t want the user to be giving anything other than int or float values, but this approach has a problem:
As we can see, all the input is going to be in string, so we can’t actually change anything. Better than crashing the program, I suppose, but still. The new and improved versions looks like this:
Now we’re trying to convert the string into an int, and if we’re unsuccessful, it’ll just say that the variable wasn’t a number. Testing:
Seems to be working. Now the keylogger feature is honestly in my mind pretty well implemented, since we have a lot of different options and ways to use the feature. Still need to test if this actually changed anything:
The emails arrived 1 minute apart:
You could say that one of them arrived at 2:25:45 and the other at 2:26:00, but trust me when I say that through testing, I’m positive that the update timer was changed to 1 minute. You can try this yourself if you’re too skeptical.
Last feature I thought of adding was the ability to remove the keylogger file. This should be relatively easy to produce:
That should be all. Going to test this now:
Didn’t work, but it’s because I put the previous piece of code in the wrong place (>2 arguments, should’ve been in the = 2 arguments part). Trying again after fixing:
Still doesn’t work, but that’s because I was trying to delete the file before the home variable was properly established. So we need to check if keylogger has been started or not before doing this. The code looks like this:
Now we’ll just test this:
Worked well until it wasn’t able to tell we started logging. I believe this is also a cause of an earlier bug, so we’ll get to fix this now. And what is the bug, you might ask? I believe that since we’re changing the log_started flag to True inside the keylogger function, it doesn’t work properly. For this reason, it’s now here:
It should now be able to tell if the keylogger was started or not properly. Testing:
Didn’t work (again) but I think I know why: the file is hidden by default. Let’s try removing the hidden aspect and also putting this whole thing inside a try: so the program gives actual feedback on what went wrong.
Now the delete function is quite sophisticated, and should work (or at least it won’t crash). Let’s test:
Still won’t work, but let’s actually give the keylogger file some data…
It removes it now successfully. It probably doesn’t matter if we remove the -H tag or not, didn’t seem to work either way. Changes I made:
Now the file will always be defined properly so it can also be deleted whenever. This also renders the requirement that keylogger needs to be on null, so I also changed this piece of code:
Now let’s test a couple of things:
Works perfectly. We were able to delete the keylogger file from a previous session on the target computer, but it didn’t allow us to delete it twice and instead told us that it doesn’t exist anymore. Next, an earlier bug I neglected to fix immediately/test:
Still doesn’t work properly. After doing this, I realized it’s because we haven’t changed the server side code at all, which is what causes this problem. The solution should be relatively simple:
Through my quick analysis I don’t find a reason why this wouldn’t work. Testing:
Almost, but I for some reason had the code check for if the keylogger started in email mode.
What it should actually look like. Well, testing again!
Almost correct again, but we get the wrong error message since the client side still has log_started checked as False. We can fix this quite easily:
Now we should be getting the proper error message as well. Testing:
Finally. Now, we just need to make sure that the download works under the correct circumstances:
Error caused by the fact that since we in a previous test removed the keylog file, we actually don’t have a new one yet. We can fix this with a try: .
We’ll try to get the same error again now.
Program doesn’t crash because of the try: (which is the important part) but we also don’t get the error message by the courtesy of our server side code.
Client error message change 
Server side changes
Now it’s checking for an error message as well on the server side. Testing again:
Perfection. We were denied the first download (when the file didn’t yet exist) but after I typed some stuff on the victim computer and tried again, we were able to download it. Just like we planned. With that, I think we’re done with the keylogger feature: in my opinion, it works great.
Wrapping up, I know I said this was going to be a short one, but I actually got a lot of testing to report so I was kind of wrong on that front. We also made more features than what I initially was thinking about, but it’s natural to keep getting good ideas while coding, so it just kind of happens.
Next week I’m not 100% sure what we’re going to be doing. It’s either one more feature, some fixing, or potentially more AV evasion. Also possible we’ll have a “week-off” where I’ll be doing less work for the project next week since it’ll be quite a busy one! But we’ll have to see. A blog post will be up regardless unless I decide to take a complete week off, so see you then!
Caius Juvonen
Caiuksen blogi 