Monitoring Keystrokes

by Dr. Delam

It seems as though many people have been working on the same concept for some time now... capturing keystrokes to obtain passwords.  Veghead presented a description in the Spring 1994 issue of 2600 of his IBM "Keyspy" program that is a TSR which latches BIOS interrupt 15h.  I was both happy to see this and at the same time a bit surprised.

In 1990, I was living in a two bedroom apartment with four people... all BBS freaks.  Wild BBS parties were an ongoing event, seemingly every day.  It wasn't long before it hit me that with all the logins that took place from the apartment, if I had a way to capture keystrokes I could rule the local BBS scene... as was the case after the development of TRIP.EXE.

I mentioned this to Dream Pilot, an old hacker who had been programming for years (the best programmer I know) and is acquainted with one of the three men who wrote COSMOS.  He wrote TRIP.EXE in assembly and decided he wanted the captures as well, so he implemented encryption on the save files so that I'd have to "turn in" the captures to him.  This was fine for a while, but the greed got to me and I had to either crack the encryption or develop something on my own....  I chose the latter.

The first two weeks of May 1991 I spent working on the DEPL project.

DEPL is an acronym for "Delam's Elite Password Leecher" (O.K., so I'm a little arrogant).  On May 18th, I had my final version ready for distribution.  DEPL is a system of four executable files written in C and an information file, all designed for stealth implementation and recovery of passwords.

DEPL.COM is the core program and is not a TSR, but a shell program which, when run, latches the keyboard hardware interrupt 9h and then executes the target program.

The three other executables are supporting programs: INSTALL.EXE, SCRAPER.EXE, and DEKODER.EXE.  As the names imply, INSTALL.EXE will install the system, SCRAPER.EXE will take the captures from the system, and DEKODER.EXE will decode the captures.

When INSTALL or SCRAPER are run, they will do their work with no screen I/O, and proceed to run whatever program you point them to.  This effectively makes the installation and recovery processes "stealth" in that you can have someone standing there watching as you run your "game" or whatever, and they will be none the wiser.

Unbeknownst to me, Chris BoVee, just miles away in the same state and at approximately the same time, was writing a program called KEYCOPY which also performs keystroke capturing.  It wasn't until this year that I discovered KEYCOPY version 1.01, written May 23, 1991 (c) ~ 1990.

KEYCOPY is not the complicated shell system that DEPL is, but it is a TSR like Veghead's.

The following is an excerpt from the KEYCOPY.DOC file:

Purpose:
   You use KEYCOPY to keep a record of any keyboard activity on your computer.
This includes usage in Wordperfect 5.0, Multimate, Norton Editor.  Keycopy copies
each keystroke to a buffer within the KEYCOPY program area.  When the keycopy
buffer has 200 keystrokes in memory, keycopy will copy the buffer to a file
with a date and time stamp.  The file default is c:\keycopy.  You can specify
drive, subdirectory and file name by having the parameter file called KC.PRM
in the subdirectory where KEYCOPY is executed from.  If you change the KC.PRM
file and want the change to take effect with keycopy, the computer will have
to be rebooted, and Keycopy executed again.  Keycopy has been tested and used
with DOS 3.3 and 4.0 and uses less than 3k of memory.

There exists one problem with each of these programs, and that is that when the buffer fills and the TSR or shell writes the keystrokes to disk, the drive light will come on for seemingly no reason.  This can be remedied by latching the open, read/write, and close interrupts for file manipulations.

Every time one of these file events occurs, check the keyboard buffer to see if there is data to be written, and write it.  This way, the activity is masked by other "normal" or expected drive activity.

The only problem this poses is if the keyboard buffer fills and there are no drive activities.  This is not a hard problem to solve, as drive activity is frequent for most programs and unless the person is writing a novel without an auto-save feature, very little memory needs to be allotted.

One must also remember that simply writing to a file does not ensure that the information is saved.  It would be a good implementation to open, write, and close every time a drive access occurs... there have been aggravating times when someone turned off the computer without exiting the program and the entire capture was lost (such as a time I remember when a sysop had logged into his BBS remotely).

Chris BoVee's KEYCOPY can be acquired for $20 on 3.5" or 5.25" disk by writing to:

Chris BoVee
P.O. Box 7821 
Hollywood, FL 33081

DEPL and its C source code are available free for distribution and modification.  It can be found on some H/P boards (I have no idea where it has propagated to), and I was informed that it is available on The Hacker Chronicles CD-ROM.  I do not know if that contains the executable only or if the source is also available.

I am presently too busy to make any further versions of DEPL, but if anyone wishes to make new versions and distribute them, they are welcome to... the intent is to give power to the hackers of the world.

About a year and a half ago, a friend of mine asked me if I'd like to help law enforcement by using my DEPL program.  When I inquired about why they were interested in it, I was informed that they wanted to watch an individual who was suspected of involvement in the BCCI scandal.  After realizing the implications of helping to shaft someone involved in something that big, I kindly declined to help.  So as one can see, the uses are far-reaching and it is not just an issue of some type of hacker weapon in a plot to destroy the world....  Its significance depends on the intent of the user.  As the programmer, I am nothing more than a toolmaker.  I have no control over the bad people who want to use it for harm, and neither does the person who makes a hammer.

The mere concept of DEPL has frightened many.  I was effectively kicked out of a four year school for simply discussing the program I had written in Internet mail.  As a computer science major using Harris HCX-9 and DEC VAX computers to do my school work, the administrator, who was reading my e-mail, took it upon himself to shut down my accounts.  I was unable to do school work and therefore received Fs in my classes.  Even with letters to the president of the school, I still got shafted.  I was informed that it was illegal for the administrator to read my mail, but I found there was really nothing I could do.  Three years have passed and I just now received an associate's degree from a junior college.  My Internet access is therefore limited to the systems I hack... an endeavor I find justifiable having been financially damaged by an ignorant society.

It is my advice to those seeking a college education to avoid attending four year schools in the Melbourne, Florida area.  I would also advise you to obtain as much access to the public asset known as the Internet with as many tools as possible (such as Keyspy, KEYCOPY, and DEPL).  With administrators such as the one I crossed paths with in power, the Internet will never see its rightful place with every person on the planet.  No one owns the Internet, nor should they.  People as taxpayers have a right to use college libraries, yet Internet access has been restricted.  Fight for your rights or fear the growing power of the governing bodies... it's your choice.

Files Discussed

  • DP.EXE  - Dream Pilot's Shell
  • DEPL.COM  - Dr. Delam's Shell
  • INSTALL.EXE  - Program to install the shell.
  • SCRAPE.EXE  - Program to scrape up capture file.
  • DEKODER.EXE  - Program to decode capture file.
  • GAME1.EXE  - Program 1 to cover up what you're doing.
  • GAME2.EXE  - Program 2 to cover up what you're doing.
  • INFO.BIN  - Text configuration file.

What is DEPL?

DEPL is the most sophisticated, yet simple to use method of grabbing passwords, reading private messages, and finding out how others do things that you shouldn't know how to do!

So how does it work?

To begin discussing how it works, we need to look at what each of the files is for.

DEPL.COM

DEPL.COM is the main program which all others revolve around.

DEPL.COM is a shell, a shell being a program which runs another program from within itself.  To start simple, we'll give an example with DEPL's predecessor, DP.EXE.

How DP.EXE Has Been Used

I want to scrape up passwords that my friend (or foe) types in while he's online with his Telix term program... so what I do is, when he's not around, rename his TELIX.EXE program to some other name, and rename DP.EXE to TELIX.EXE, so when he/she runs what they think is Telix, they are actually running the shell.

Now how does Telix get run?  Whatever you named it has to be known to the shell.  In the case of Dream Pilot's program, DP.EXE will always look to run a program called TRIP.EXE.  This means you must rename TELIX.EXE to TRIP.EXE.

The chain of events so far: Friend runs TELIX.EXE (actually DP.EXE).  In turn TELIX.EXE runs TRIP.EXE (actually TELIX.EXE).

So what's going on now that we're running TRIP.EXE through TELIX.EXE?  Every keystroke is being recorded!  DP.EXE will create files named by date, containing all the keystrokes, encrypted.  The capture files are hidden in a directory called OVERLAYS.DOS within the DOS directory.  The files are hidden, remember!  So what you need next is a decryptor and a way to sneak into your friend's computer to scrape up all the files so you can go back to your hovel and decrypt them to see what your friend has been typing.

With DEPL, I have eased the whole process in a couple of ways.  For one, instead of having to sneak onto your friend's computer and risk being caught, I provided INSTALL.EXE and SCRAPER.EXE.

INSTALL.EXE

On the surface, INSTALL.EXE appears to be a game, but in actuality it will set up the shell doing all the necessary actions that you would have had to do to install it yourself!  And the best part about it is you can run it right in front of your friend!  He'll just think it's a game.

SCRAPER.EXE

Again, on the surface SCRAPER.EXE appears to be a game (or actually anything you want it to be).

SCRAPER.EXE takes care of gathering the encrypted capture file by moving it to your disk, and off of his.  It also has a feature where, by changing a setting, you can restore your friend's program and remove the shell all in one go!  Great if he's started to get suspicious.

Note:  Make sure that the capture file you are scraping off your friend's drive is not on your disk.  This causes a conflict when copying.  So after scraping, and before decoding, it's a good idea to rename the capture file.

DEKODER.EXE

This one practically describes itself... it will decode the captured file for reading (to be done in the sanctity of your own cyber space).

GAME1.EXE and GAME2.EXE

GAME1.EXE is run by INSTALL.EXE when it has finished, and GAME2.EXE is run by DEKODER.EXE when it has finished.

Neither of these has to be used, and they may be a game or any other executable program.

INFO.BIN

Ahhh, finally, the info bin!

Within the info bin is contained all the information needed to make DEPL a working system.

Example:  INFO.BIN contents could be:

NEWFILE C:\DOS\VSIZE.EXE
OLDFILE C:\TELIX\TELIX.EXE
CAPFILE C:\TELIX\SWITCH.OVL
GAMEONE GAME1.EXE
GAMETWO GAME2.EXE
CODEKEY 0
TAKEALL

Here's a brief description of what DEPL would do with these settings:

  • Copies TELIX.EXE into the C:\DOS directory calling it VSIZE.EXE.
  • Copies DEPL.COM into C:\TELIX directory calling it TELIX.EXE.
  • Makes the capture file's name SWITCH.OVL, so all captures are saved into C:\TELIX\SWITCH.OVL.  (Encrypted)
  • Sets the INSTALL.EXE child process to be GAME1.EXE.
  • Sets the SCRAPER.EXE child process to be GAME2.EXE.
  • Encrypts under code 0 (feature not installed yet... it'll be in the next version).
  • Causes SCRAPER.EXE, when run, to remove the shell and set things to the way they were.
  • GAMEONE, GAMETWO, and TAKEALL are optional keywords.  The rest are not!

When creating your custom INFO.BIN, remember to use a space after the keywords listed above.
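The INFO.BIN keywords above are the whole record of what an installation changed, which makes the file the first thing to read when one turns up on a machine.  The following Python is an added example (not part of the article or of the DEPL distribution) that parses an INFO.BIN using the keyword rules described here (single space after the keyword; NEWFILE, OLDFILE and CAPFILE required; GAMEONE, GAMETWO, CODEKEY and TAKEALL optional) and turns it into a triage report: where the shell now sits, where the original program was moved, where the capture file lives, and the order in which to restore things.  The function names, the report field names and the sample configuration are this example's own; the sample reproduces the article's INFO.BIN.

```python
"""Read a DEPL INFO.BIN and describe the installation it encodes.

Added example for incident triage; not code from the original article
or the DEPL distribution.  Keyword semantics follow the article's
description of INFO.BIN; report field names are this example's own.
"""
from dataclasses import dataclass, field

REQUIRED = ("NEWFILE", "OLDFILE", "CAPFILE")      # the article: "The rest are not [optional]!"
OPTIONAL_WITH_VALUE = ("GAMEONE", "GAMETWO", "CODEKEY")
OPTIONAL_FLAGS = ("TAKEALL",)                     # keyword with no value

# Constructed sample: the article's example INFO.BIN, verbatim.
SAMPLE_INFO_BIN = r"""NEWFILE C:\DOS\VSIZE.EXE
OLDFILE C:\TELIX\TELIX.EXE
CAPFILE C:\TELIX\SWITCH.OVL
GAMEONE GAME1.EXE
GAMETWO GAME2.EXE
CODEKEY 0
TAKEALL
"""


@dataclass
class DeplConfig:
    values: dict = field(default_factory=dict)    # keyword -> value
    flags: set = field(default_factory=set)       # valueless keywords seen
    problems: list = field(default_factory=list)  # anything a responder should double-check


def parse_info_bin(text):
    """Parse INFO.BIN text; never raises, records oddities in .problems."""
    cfg = DeplConfig()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip():
            continue
        # The article: one space separates the keyword from its value.
        keyword, _, value = line.partition(" ")
        keyword = keyword.upper()
        value = value.strip()
        if keyword in REQUIRED or keyword in OPTIONAL_WITH_VALUE:
            if not value:
                cfg.problems.append(f"line {lineno}: {keyword} has no value")
                continue
            if keyword in cfg.values:
                cfg.problems.append(f"line {lineno}: duplicate {keyword}")
            cfg.values[keyword] = value
        elif keyword in OPTIONAL_FLAGS:
            cfg.flags.add(keyword)
        else:
            cfg.problems.append(f"line {lineno}: unknown keyword {keyword!r}")
    for key in REQUIRED:
        if key not in cfg.values:
            cfg.problems.append(f"missing required keyword {key}")
    return cfg


def triage_report(cfg):
    """Map the config onto the on-disk artifacts it implies, plus restore order."""
    v = cfg.values
    report = {
        "shell_now_at": v.get("OLDFILE"),                # DEPL.COM was copied over this name
        "original_program_moved_to": v.get("NEWFILE"),   # the real program lives here now
        "capture_file": v.get("CAPFILE"),                # encrypted keystroke log
        "install_decoy": v.get("GAMEONE"),               # child process of INSTALL.EXE
        "scrape_decoy": v.get("GAMETWO"),                # child process of SCRAPER.EXE
        "code_key": v.get("CODEKEY"),                    # article: encryption key, unimplemented
        "scraper_also_uninstalls": "TAKEALL" in cfg.flags,
    }
    steps = []
    if report["capture_file"]:
        steps.append(f"preserve {report['capture_file']} as evidence before touching anything else")
    if report["shell_now_at"] and report["original_program_moved_to"]:
        steps.append(f"replace {report['shell_now_at']} with the original from "
                     f"{report['original_program_moved_to']}")
        steps.append(f"remove the relocated copy at {report['original_program_moved_to']}")
    report["restore_steps"] = steps
    return report


if __name__ == "__main__":
    cfg = parse_info_bin(SAMPLE_INFO_BIN)
    for k, val in triage_report(cfg).items():
        print(f"{k}: {val}")
    for p in cfg.problems:
        print("problem:", p)
```

Run against the article's own INFO.BIN, the report says the shell is at C:\TELIX\TELIX.EXE, the real Telix is at C:\DOS\VSIZE.EXE and the capture file is C:\TELIX\SWITCH.OVL, with no problems; a config missing one of the three required keywords, or with CODEKEY given no value, is still parsed but the gaps are listed so the responder knows which artifacts to look for by other means.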

And finally, the one file not mentioned previously:

ERROR.LOG

This is where all problems and things that may have gone wrong are stored.  Bummer, eh?

Well, you wouldn't want an error to pop up on your screen while you were running your, ahem, "GAME" in front of your friend, so I provided this so you could tell what the hell went wrong.

Final Comments

Don't forget to rename INSTALL.EXE and SCRAPER.EXE to suitable names that have something to do with the programs they spawn.

The program has many possibilities for use.  With some simple modifications, it could be made to not only record keystrokes, but play them back as well.  For those out to swipe and infect all at once, DEPL.COM could easily be a carrier.  If you have multiple users at home, you can have their passwords as well.

The possibilities are endless.
