                    [ NANO ascii-art banner ]

              Next Generation Windows Keylogger
                       Version 1.2.2.1


 /--------------------\
<--> The Nano Keylogger <----------------------------------------->
 \--------------------/

Nano is a keylogger designed for Windows platforms. Unlike other keylogger
products, it is not designed for monitoring your own system but to monitor
remote computers. Because this behaviour is very similar to that of a trojan
horse, there are no nano binaries available - you only get the source code.
Nano has been coded for educational purposes only and should not be abused
for any illegal activities. I take it as given that nano's sole purpose is
to serve as a subject of study for experienced coders. Moreover, nano is
subject to the disclaimer of .aware:

    http://www.awarenetwork.org

Nano is free software; you can redistribute it and/or modify it under the
terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version.

Nano is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.
You should have received a copy of the GNU General Public License along
with Nano; if not, write to The Free Software Foundation, Inc., 59 Temple
Place, Suite 330, Boston, MA 02111-1307 USA


 /--------------------------\
<--> Nano Development History <----------------------------------->
 \--------------------------/

Nano development began just after the release of Typ0 V2.4, the first
keylogger published by RS Incorporated. Whereas Typ0 was designed to
provide as many options as possible for monitoring the behaviour of an
infected user, nano was to be small and stealthy, more advanced and more
effective. While Typ0 was by then able to log Internet Explorer passwords,
all visited URLs and mouse clicks, nano was to have completely different
advantages.

The Typ0 executable was around 350k in size, because reducing the size had
never been a primary aim. Nano was originally meant to be around 10k in
size, but during development I realized that this was just too small.
Nevertheless, nano does not grow larger than 26k, compiled with all
possible options. Nano lacks the extended functionality of Typ0, however -
nano was coded with the sole intention of logging keystrokes and clipboard
activity and sending these logfiles to an email address and/or an FTP
account. There is no URL monitoring, no IE passwords, no mouse clicks,
nothing like that.

So, I had to start somewhere - and as a big fan of "Under the Hood", I
searched MSDN for an article on reducing the size of an executable.
Fortunately, I found this great article by Matt Pietrek, whom I want to
give due credit here:

    http://msdn.microsoft.com/msdnmag/issues/01/01/hood/default.aspx

I used LIBCTINY.LIB to replace the standard library and added my own
implementation of several standard library functions here and there to
reduce the size as much as possible. The second step was getting rid of
most or all C++ elements in the code; I wanted to write the nano code
itself in pure C.
Not only because this makes the application faster and smaller, but also
to force myself not to add overly complex mechanisms to the functionality.
It should perform the keylogger task and send the logfiles, nothing else -
but it should be perfect at doing so. Die-hard OOP fans might not agree
with me, but pure C code is not that bad if you keep separate modules for
each part of the program and, most importantly, keep the whole thing small.
And that is what I did: I created separate modules for each part of the
keylogger, and you can see the result if you check the source files
yourself.

Nano also exports some of its important functions, and you might ask
yourself why - these exports have been left in for later development; they
might help me add a firewall bypassing mechanism some day.

After nano was coded the way I wanted it, I designed the nano editor NED,
which modifies the nano executable's resources to allow easy
configuration. NED is also able to change the nano executable's icon.
Other than that, NED is based on the concept of TED, the Typ0 editor, so
I don't think I have to lose many words about it.

Update: Version 1.1.0.1 has been released and NED has been replaced by the
NanoAgent, a tool with many more options to control a copy of nano that
has been installed on the HD. It includes a logfile viewer, a nano removal
option, starting/stopping nano, and it also implements the original NED
functionality, as long as you execute the NanoAgent on a Windows
2k/XP/NT box.


 /-----------------\
<--> Usage and Setup <-------------------------------------------->
 \-----------------/

Ok, listen up: I am assuming that only experienced coders read this file
and deal with the nano code. I will not go into every obvious detail but
only explain the basic usage here. Anyone who doesn't get it should leave
it.

The nano executable can be compiled with various options to control the
size even more precisely.
The configuration file can be found in the nano directory and is named
"nanocfg.h". This file also includes detailed instructions on how to
configure nano. To modify the compiled code, macros can be enabled or
disabled to add or leave out support for certain nano features. For
instance, you can define only the NANO_NT macro to leave out support for
Windows ME and earlier Windows versions. Of course, you have to enable
support for at least one OS. Further options include:

    - Support for uploading logfiles to an FTP server
    - Support for sending logfiles by email
    - Clipboard monitoring

Pretty self-explanatory, I think. You can indeed remove both the FTP
upload and the email support from nano; the logfiles will then merely be
stored on the computer.

These macros are only the lowest layer of configuration, though. The core
nano configuration is stored in a string table resource inside the nano
executable. You can, of course, change the resource script that is used
when nano is compiled and linked to set up your standard configuration,
but it is easier to use the NanoAgent editor feature to alter the
configuration of the executable directly.

NOTE: The NanoAgent's editor feature is now available on ALL Windows
platforms, including Windows 95 and 98.

This editor provides a more or less user-friendly GUI which, along with
this readme, should allow you to set up your nano executable as you want
it. Once you have started the NanoAgent, select the Editor tab. Open your
nano executable from the Editor menu and the configuration will be loaded
into the form. Let's see what kind of configuration you can do.

Display Name
¯¯¯¯¯¯¯¯¯¯¯¯
This is the name that nano will use for the service name and for almost
everything else that requires a name. So, if you do not want nano to look
like it is nano, name it however you like. If nano runs on a non-NT system,
the autostart registry key will have this name as well.
Service Description
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
This string is only relevant on Windows NT machines. Nano installs itself
as a service on NT, and this string is used as the description of that
service.

Registry Key Name
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Nano stores its logfiles in the registry under HKEY_LOCAL_MACHINE. If that
key is unavailable, it reverts to HKEY_CURRENT_USER; this was added in
1.2.2.0 to support low-privileged users on Win2k3. The registry key name
is the subkey that the logfiles are stored in. You can also configure nano
to store the logfiles in a subkey that is more than one level deep by
separating the subkeys with backslashes:

    SECURITY\Keylogger\Nano

If nano is running as a service, it will not be able to create new keys
directly in HKEY_LOCAL_MACHINE. If nano is unable to create the subkey you
specified, it first tries to create that subkey under
HKEY_LOCAL_MACHINE\Software, and if this is not possible either (i.e. when
the subkey you specified is not in a valid format), the logfiles are stored
in HKEY_LOCAL_MACHINE directly.

Logfile Title Format
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Each logfile has a title - this title is the filename for FTP-uploaded HTML
files and the subject of any email that contains a nano logfile. Choose the
logfile title wisely: the title should be unique for each logfile, and it
must also be a valid filename. You can ensure that each logfile has a
unique title by inserting one or more variables into the title format:

    %u - Inserts the currently logged-on user. Attention: if nano installs
         itself as a service, this will always show up as SYSTEM.
    %c - Inserts the name of the computer that nano is running on.
    %t - The current time in the format HH:MM:SS
    %d - The current date, for instance "August 12, 2003"

Keep in mind that the colons %t produces are not legal in Windows
filenames.

(If there are sincere requests to add more variables, I will do so. Send me
any requests for more logfile title variables to my email address - see the
end of this readme.)

Logfile Size (KB)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
This simply specifies the logfile size in kilobytes. If a logfile would
exceed this size, a new one is created and the old one is, depending on
your configuration, sent to your email address, uploaded to your FTP
account, or simply kept on the HD (if both send mechanisms are disabled).

log injected
¯¯¯¯¯¯¯¯¯¯¯¯
Under Windows NT, nano uses a low-level keyboard hook to log keystrokes.
Through this hook, nano can determine whether a keystroke actually came
from the user (he pressed a key) or whether it was injected by another
application: Windows marks keystrokes synthesized with SendInput or
keybd_event with the LLKHF_INJECTED flag in the hook data. Injecting keys
is also what anti-keylogger software does to probe for keyloggers, so I
would usually not check this checkbox. I decided to leave it as an option,
though.

stealth mode
¯¯¯¯¯¯¯¯¯¯¯¯
If nano cannot access the internet, it usually tries to autodial the
internet accounts on the machine it is installed on. By enabling the
stealth option, you prevent nano from doing so. Nano also generally
behaves more stealthily if this option is turned on.

clipboard
¯¯¯¯¯¯¯¯¯
Enables clipboard monitoring. This means that if the user copies anything
to the clipboard in text format, this data will be logged.

online log
¯¯¯¯¯¯¯¯¯¯
If this option is turned on, nano only logs keystrokes while the user is
online. I added this option because a good friend of mine requested it.
Cheers dude!

PASV
¯¯¯¯
This option, added in version 1.2.0.4, forces nano to upload the logs to
the specified FTP server in PASV mode. It is enabled by default as it works
in most cases: in passive mode the client opens the data connection, so
the upload also works from behind NAT and client-side firewalls.

suicidal
¯¯¯¯¯¯¯¯
If this option is enabled, nano deletes the original executable after it
has copied itself to the specified directory and installed itself.

highlight passwords
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
With this option set, nano logs keystrokes entered into a password box in a
separate row and thereby highlights them.
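The title variables listed above and the %NAME% environment placeholders
that the Destination Path field (next section) accepts are both simple
placeholder expansions. The following C program is an added example, not
code from nano or the NanoAgent: it expands both kinds of placeholder,
replaces the characters a Windows filename cannot contain (the colons %t
produces, among others), and flags user-specific variables whose values
change once the program runs as a service under LOCAL SYSTEM. The time
stamp, the environment table and the list of user-specific variables are
constructed assumptions for this example, not values read from a real
machine.

```c
/* Added example (not nano's code): expand the placeholders the NanoAgent
 * editor accepts and apply two checks a practitioner would want.
 *   title format:     %u user, %c computer, %t HH:MM:SS, %d "Month DD, YYYY"
 *   destination path: %NAME% environment variables, ExpandEnvironmentStrings style
 * The time stamp and the environment table are constructed so it runs offline. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Bounded append of src onto the NUL-terminated buffer dst[cap]. */
static void append(char *dst, size_t cap, const char *src) {
    size_t len = strlen(dst);
    if (len + 1 < cap) strncat(dst, src, cap - len - 1);
}

/* Case-insensitive string equality, portable (no strcasecmp/_stricmp). */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (toupper((unsigned char)*a) != toupper((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Expand the logfile title variables into out[cap]; an unknown %x is kept verbatim. */
void expand_title(const char *fmt, const char *user, const char *computer,
                  const struct tm *when, char *out, size_t cap) {
    char buf[64];
    out[0] = '\0';
    for (const char *p = fmt; *p; p++) {
        if (*p != '%' || p[1] == '\0') { buf[0] = *p; buf[1] = '\0'; append(out, cap, buf); continue; }
        switch (*++p) {
        case 'u': append(out, cap, user); break;
        case 'c': append(out, cap, computer); break;
        case 't': strftime(buf, sizeof buf, "%H:%M:%S", when); append(out, cap, buf); break;
        case 'd': strftime(buf, sizeof buf, "%B %d, %Y", when); append(out, cap, buf); break;
        default:  buf[0] = '%'; buf[1] = *p; buf[2] = '\0'; append(out, cap, buf); break;
        }
    }
}

/* A title doubles as the FTP filename: replace the characters Windows file
 * names cannot contain (%t alone contributes two colons). Returns the count. */
int make_filename_safe(char *s) {
    int n = 0;
    for (; *s; s++)
        if (strchr("<>:\"/\\|?*", *s) || (unsigned char)*s < 0x20) { *s = '_'; n++; }
    return n;
}

/* Constructed environment standing in for a service running as LOCAL SYSTEM
 * (assumed values for this example; APPDATA is deliberately left unset). */
typedef struct { const char *name; const char *value; } env_var;
static const env_var system_env[] = {
    { "WINDIR",      "C:\\WINDOWS" },
    { "TEMP",        "C:\\WINDOWS\\TEMP" },
    { "USERPROFILE", "C:\\WINDOWS\\system32\\config\\systemprofile" },
};
#define SYSTEM_ENV_COUNT (sizeof system_env / sizeof system_env[0])

static const char *env_lookup(const env_var *env, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (ieq(env[i].name, name)) return env[i].value;
    return NULL;
}

/* Variables whose value depends on who is logged on (assumed list): a path
 * built from them points elsewhere once the program runs as a service. */
int is_user_specific_var(const char *name) {
    static const char *per_user[] = { "USERPROFILE", "APPDATA", "LOCALAPPDATA",
                                      "TEMP", "TMP", "HOMEDRIVE", "HOMEPATH", "USERNAME" };
    for (size_t i = 0; i < sizeof per_user / sizeof per_user[0]; i++)
        if (ieq(per_user[i], name)) return 1;
    return 0;
}

/* Expand %NAME% placeholders like ExpandEnvironmentStrings: unset variables stay
 * verbatim. Returns how many user-specific variables the path referenced. */
int expand_env_path(const char *path, const env_var *env, size_t n, char *out, size_t cap) {
    int user_specific = 0;
    char name[64], one[2] = { 0, 0 };
    out[0] = '\0';
    for (const char *p = path; *p; ) {
        const char *end = (*p == '%') ? strchr(p + 1, '%') : NULL;
        if (end && (size_t)(end - p - 1) < sizeof name) {
            size_t len = (size_t)(end - p - 1);
            memcpy(name, p + 1, len);
            name[len] = '\0';
            if (is_user_specific_var(name)) user_specific++;
            const char *val = env_lookup(env, n, name);
            if (val) { append(out, cap, val); p = end + 1; continue; }
        }
        one[0] = *p++;
        append(out, cap, one);
    }
    return user_specific;
}

/* Build a struct tm from a calendar date (constructed input for the demo). */
struct tm make_when(int year, int month, int day, int hour, int min, int sec) {
    struct tm t; memset(&t, 0, sizeof t);
    t.tm_year = year - 1900; t.tm_mon = month - 1; t.tm_mday = day;
    t.tm_hour = hour; t.tm_min = min; t.tm_sec = sec;
    return t;
}

int main(void) {
    char title[256], path[256];
    struct tm when = make_when(2003, 8, 12, 9, 5, 7);
    expand_title("%c_%u_%d_%t", "SYSTEM", "WKS01", &when, title, sizeof title);
    printf("title: %s\n", title);
    printf("file : %s (%d char(s) replaced)\n", title, make_filename_safe(title));
    int warn = expand_env_path("%APPDATA%\\svc\\nano.exe", system_env, SYSTEM_ENV_COUNT, path, sizeof path);
    printf("path : %s (%d user-specific variable(s))\n", path, warn);
    return 0;
}
```

Run as is, the program shows the two failure modes side by side: the title
"WKS01_SYSTEM_August 12, 2003_09:05:07" needs two characters replaced before
it can be an FTP filename, and the path "%APPDATA%\svc\nano.exe" stays
unexpanded in the constructed service environment while being flagged as
user-specific, which is exactly the case the ATTENTION note under
Destination Path warns about.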
Destination Path
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
This is the pathname that nano installs itself to. You can use environment
variables within this string; open a command prompt and type "set" to get
a list of the environment variables on your system. On all Windows
platforms, you can use %WINDIR% as a placeholder for the Windows directory.
The tiny button next to this text field allows you to insert some other
useful environment variables.

ATTENTION! Using user-specific environment variables will cause problems if
nano is run as administrator and attempts to install itself as a service.
This is because services run in the context of the LOCAL SYSTEM account,
whose home directory and similar locations differ from the administrator's
environment variables. It's on my todo list.

You can upload the logfiles to an FTP server and/or let nano send them to
you by email. I don't think I have to say much about this part of the
configuration: you should know what to enter into the FTP fields if you
have an FTP account, and the email mechanism has been heavily improved -
you do not need to specify a mail server or anything of that sort; nano
does an MX lookup to find the destination mail server and sends the mail
to you directly. Keep in mind that this direct-to-MX delivery needs
outbound TCP port 25, which many networks block, and that the receiving
mail server records the sending host's IP address in the Received headers.


 /------------------------\
<--> Further Editor Goodies <------------------------------------->
 \------------------------/

Install With These Settings
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
It is also possible to install nano from the editor screen directly. This
is the only feature that has a built-in "Are you sure?" popup message to
prevent people from unintentionally infecting themselves.

Backup File
¯¯¯¯¯¯¯¯¯¯¯
These options are not all you can do with the editor. In the menu, you
will find an entry that says "Save Backup File", for instance. The backup
file created this way stores all the crucial information relevant to
removal - it is HIGHLY RECOMMENDED that you ALWAYS create a backup file
before you install nano on any system. Unless you know exactly what nano
does, it is hardly possible to remove it without a backup file later.

Change Keylogger Icon
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
In the Editor menu, an entry exists that shows a dialog that allows you to
select a different icon for the nano executable. You can open ICO, EXE and
DLL files and choose one of their icons to be used as the new icon for
your nano executable. This icon is stored as a resource inside the nano
executable, and Explorer displays it when the executable is shown in an
Explorer window. You can also choose not to use any icon for nano - this
keeps the size small, but it might not have the effect you wanted, since
Explorer will display the executable file with the typical, odd,
empty-window icon.

Change Logfile Design
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Nano logfiles use HTML, and you can easily set up the colors for the HTML
elements. I thought it would be a nice goodie; it is basically just for
fun. And not everyone likes the lime green I appreciate so much ...

Edit Fake Error Message
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Nano can display a fake error message after it has installed itself on the
system. This little dialog allows you to specify the contents of this
message box. You can also disable the option, and nano will be quiet
during installation. I stole this idea from Sub7, to be honest.


 /--------------------------\
<--> NanoAgent Administration <----------------------------------->
 \--------------------------/

The first tab of the NanoAgent is available on all Windows platforms and
allows you to connect to an existing instance of nano. After clicking the
"connect" button, you have these options:

    1. Connect to nano by reading the important configuration from a
       backup file (effectively the best and most secure way).
    2. Connect to nano by reading the important configuration from the
       nano executable itself. You need to know where it hides, and the
       executable must not have been packed with UPX or similar programs.
    3. Connect to nano by selecting the running nano process from a list
       of currently running tasks. In this case, the NanoAgent tries to
       read the configuration from the executable that was used to create
       the process, so it is limited in the same way as option 2.
    4. Search the process list for a process that seems to be a running
       instance of nano.

Note: It is possible to connect to an instance of nano that is running on
a remote computer, yes. But PLEASE, do not get me wrong! This feature only
works on Windows NT 5.x (Windows 2000 and XP) networks when you are logged
on with a global administrator account!

Once you are successfully connected to an instance of nano, you can start
or stop nano keylogging, view and remove existing logfiles, or remove nano
from the system. This should be everything you could desire - for any
suggestions, drop me an email.


 /-------------\
<--> Final Words <------------------------------------------------>
 \-------------/

It was, as always, a pleasure to code this little program, and I hope
that you find it useful in some way. I had some difficulties during the
development that finally made me discard some of the ideas I had
initially had for nano - but some people always help me out, and I
thought they deserve some greetings here:

Thanks so very much to OpioN, who helped me constantly with source code,
ideas and immense enthusiasm - that's really awesome and it means a lot to
me. Thanks man.

Mad props to IqLord, almost the only person on the WWW except me who posts
stuff on my site frequently (and it is damn good stuff) - thanks for your
support and your influence on me ...
I bought a book about assembly the other day, and a reference; I will
start reading it in one or two weeks when I am on vacation again =).

Thanks to all the guys who helped with suggestions on the old nano board,
like cubababa and harry. Thanks also to João Henrique for getting in touch
with me as soon as the first word about nano was officially spoken,
offering his help and suggestions. I appreciate that a lot.

There are many more people out there who deserve credit for their endless
wisdom and coolness, and you guys know who you are - so excuse me if I
don't name every single one. I could forget to mention important
persons ... like ph33r, for instance.

As always, feel free to ask me any questions regarding source code, use,
etc.:

    rattle(at)awarenetwork(dot)org

Stay clean, don't forget and always remember: You can't beat the feeling -
always Coca-Cola.

~ rattle