Kelloggs: A .NET keylogger

Kelloggs is a keylogger written in C# for Windows. It supports writing keystrokes to file and sending the keystrokes over the network. This program has just been sitting around on my hard drive for months, as I made it during one Saturday afternoon during the summer and never really did anything with it. The code's a little sloppy, and the method it uses to transmit keystokes uses WaterPipe (see the projects page for more information), which I haven't had time to adequately document for distribution. I'm releasing it now in the hopes that someone would find it useful in understanding how global message hooks work in Windows and how to use marshalling and p/invoke in .NET (specifically C#). Like I said above, the code is rather sloppy and there's barely any comments, but I'll give a short description of what each class does below.

How it works

  • Program.cs: The main method opens/creates a file to write the keystrokes. The path of the file is %userprofile%\installLog.txt. The commented out lines set up a connection to our test WaterPipe server to send keystrokes. Then, the keyboard message hook is created and an invisible form is made.
    The KeyLogPressed method actually does the writing of the keystroke to the file and sends the keystroke to the WaterPipe server.
  • WaterPipeSocket.cs: Implements the functionality to communicate with the WaterPipe server. Since I haven't described WaterPipe and all code that calls these functions, I won't describe in detail what this code does.
  • Logger.cs: Where most of the actual logic resides. First, it imports three functions from user32.dll to register our application to receive global messages and a function from kernel32.dll to get a handle of the module for our application. A delegate for the callback function is also declared.
    The CreateHook method calls SetWindowsHookEx, which registers our application to receive keyboard events. The DestroyHook method unregisters our application. Note that the variable "cb" points to our callback function (creatively named CallBack).
    The CallBack method is called whenever a key event occurs. Note that we only handle events for key down events. The lParam variable holds a pointer to an integer holding the key code for the key pressed. The Marshal.ReadInt32 method reads the memory location pointed to by lParam, retrieving the key code. We then asynchronously write the key press to the file and send it to the WaterPipe server by adding a call to Program.KeyLogPressed, adding it to the thread pool. If the thread pool were not utilized, the synchronous writing and sending of the keystroke would be far too slow, and highly noticeable and annoying for users. Then a call to CallNextHookEx passes the keystroke data to the next application that receives global keyboard messages. This call is very important, because if this call is not made, the user cannot type, as no other applications will receive the notification of a key being pressed.

Click here to download Kelloggs source code

A few notes

  • The reason why this program is called "Kelloggs" is because I was eating Kelloggs cereal when I was writing this program. Also, "Kelloggs" kind of sounds and looks like the words "key logs".
  • The source is distributed in a Visual Studio 2005 solution. To run the program, open the solution in Visual Studio 2005 and build the solution.
  • I take no responsibility for any damage this program might cause. So don't run it and forget to kill the process before logging in to your bank's website, or else your password will be stored plaintext in a file on your computer.

If you have any questions or comments on Kelloggs, just send me an e-mail here.



Kelloggs, by Corey J. Bonnell