More Key Capturing
by Code-Cafe
In response to 2600's kind offer of free advertising for subscribers, I thought I'd break with (my) tradition and share some goodies I've hacked out over the last few years.
Firstly, yesterday's hack was too easy to pass up. We were given three IBM RTs (UNIX boxes), but no root passwords. You need to scrounge up a boot disk for an RT; then this is what you do:
Hacking AIX Root: Boot, with the disk in, and eventually you'll get a menu. Pick item 3 (something about executing commands, or whatever). Mount the hard disks. This is done by trial and error. The command ls /dev will show you the possible devices. This will usually work: mount /dev/hd0 /mnt, which mounts the hard disk as /mnt.
Your goal is to rip out the root password, for which you'll need the editor (vi) which won't work without a /tmp directory, so simply do another mount. mount /dev/hd3 /tmp then run vi (cd /mnt/usr/bin and vi ../../etc/security/passwd) on the password file, and use the "D" (delete to end-of-line) command to trash the encrypted root password. If it's /mnt/etc/passwd (not ../../etc/security/passwd), you'll probably use the "x" command, or change the ":" to a "!" instead. Press "ZZ" to save the file, and Ctrl+Alt+Pause (reboot), or turn it off and on.
It will ask you to log in. Type root, and you won't even be asked for a password. Might be an idea to make a new one up and put it in, or someone else is bound to notice and rm -rf or something. What am I doing with the RTs you ask? Well, look for the ultimate WWW server message on alt.2600 coming to a net near you soon...
Anyhow, back to the point. I read with annoyance that someone's already selling a key-recorder - annoyance, because I am too. Here are some of the tricks I've used, which should keep you TSR hackers happy for a while...
Stealth TSRs: One of the annoying things about DOS is the MEM command showing all the nasty things you're doing. Overcome this by not using the DOS TSR function (INT 27h or INT 21f31) (all numbers here are in hex - 21f31 means DOS interrupt 21h, function 31h). Instead, allocate a block of memory to call your own (INT 21f48). (I also alter the allocation strategy first (INT 21f5801#2), so I get a chunk of highish memory, not low DOS stuff.) Copy your TSR code into it, and then trash the PSP of the memory you allocated:
MOV ES, {segment-you-got-from-21f58-less-1}
MOV ES:WORD PTR[1],1
then exit.
This leaves your allocated memory there forever - it won't show up in almost any memory-printing utility, and the DOS MEM command calls your program -------, which always gets ignored by snooping people because they don't know what that means. For ultra-stealth, you could vector the memory-chain command (INT 21f52[-2]), and take control whenever you want.
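A defender's counterpart to this trick, added here as an example rather than anything from the article: a MEM-style walk of the DOS memory control block chain that flags any allocated block whose owner word is neither free, DOS, nor a real PSP (one beginning with INT 20h). The 64 KB arena, the segment values and the function names are constructed for the demonstration and never touch real DOS.

```c
#include <stdint.h>

/* Constructed stand-in for the first 64 KB of conventional memory; nothing here touches real DOS. */
static uint8_t mem[0x10000];
#define PARA(seg) (&mem[(uint32_t)(seg) * 16])   /* byte address of paragraph seg */

/* Write one DOS memory control block header: byte 0 = 'M' (more follow) or
   'Z' (last), word at 1 = owner PSP segment, word at 3 = size in paragraphs. */
static void put_mcb(uint16_t seg, char sig, uint16_t owner, uint16_t paras)
{
    uint8_t *m = PARA(seg);
    m[0] = (uint8_t)sig; m[1] = owner & 0xFF; m[2] = owner >> 8;
    m[3] = paras & 0xFF; m[4] = paras >> 8;
}

/* An owner is plausible if the block is free (0), DOS-owned (8), or the owner
   segment begins with INT 20h (CD 20) as every real PSP does. An owner word
   overwritten with 1 points at segment 0001, which is no PSP, so it fails. */
static int owner_is_plausible(uint16_t owner)
{
    const uint8_t *psp = PARA(owner);
    if (owner == 0 || owner == 8) return 1;
    return psp[0] == 0xCD && psp[1] == 0x20;
}

/* Walk the MCB chain from first_seg, as MEM does, and count blocks whose owner
   is not plausible; return -1 if the chain itself is corrupt. */
static int count_orphaned_blocks(uint16_t first_seg)
{
    uint32_t seg = first_seg; int orphans = 0;
    for (;;) {
        if (seg * 16 + 16 > sizeof mem) return -1;      /* ran off the arena */
        const uint8_t *m = PARA(seg);
        if (m[0] != 'M' && m[0] != 'Z') return -1;      /* bad signature */
        if (!owner_is_plausible(m[1] | (m[2] << 8))) orphans++;
        if (m[0] == 'Z') return orphans;
        seg += 1 + (m[3] | (m[4] << 8));                /* next header */
    }
}

/* Constructed arena: a DOS block, an ordinary program whose owner is its own
   PSP, then a block whose owner word was overwritten with 1. */
static int demo(void)
{
    put_mcb(0x100, 'M', 8, 0x20);
    put_mcb(0x121, 'M', 0x122, 0x40);
    PARA(0x122)[0] = 0xCD; PARA(0x122)[1] = 0x20;      /* INT 20h at PSP:0 */
    put_mcb(0x162, 'Z', 1, 0x10);
    return count_orphaned_blocks(0x100);
}
```

On a real machine the first MCB segment comes from the undocumented INT 21h function 52h list the article mentions; here demo() supplies it.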
Recording to Disk: Probably every hacker knows this by now, but lots of freshers keep asking me, so this is how you do it. Vector INT 21h. Whenever you want to do a save, don't do it immediately; wait until the next call to INT 21h. Then, before you execute whatever the call is, do your disk save, and when you're done, let the original INT 21h call continue. This works for any non-re-entrant interrupts. If you're really paranoid about being unnoticed, use a bigger buffer, and only write to disk when disk operations are called for in INT 21h (e.g., functions 39..43 incl.). Then the disk light comes on anyway, so users won't notice your activity.
Capturing Passwords: Recording keys is the best way, but everyone has left out the most obvious step. Usually, you don't care what else they type, just what their password and user ID are. My stealth password capturer obtains just this for you by simply reading everything on the screen, and only doing the key-recording when it sees the word "password" (case insensitive) on the screen. This solves the what-to-do-when-the-buffer-is-full problems of recording everything very nicely. (And hey - if the buffer is full, you've got so many passwords there, who cares if the disk light flashes for no reason. They're saved safely away for you to retrieve later.) By the way - never just "save" a naughty file. Set the date back as well, or else the clever bastards will use XTree or something to do a "Showall", and sort by date, and there's your file, for them to look at and delete!
Golden rule. Never get busted. Silver rule. Don't brag about it. Bronze rule. Never use your own account for anything but real school/work/uni work. (Is it obvious that I've learned these the hard way, or what?)
People always use the same password. Our whole university year were given sign-ons to a shitty computer-based-education thing called "Author" which was a PC/Ethernet-based thing. It took about 15 minutes messing with menu options, and rebooting etc, while madly pressing Ctrl+Break to get dropped into DOS. Another 15 minutes of snooping, and I found the access file, which I duly copied. Turns out that it contained, unencrypted, all the details of all the students in my year, including all their passwords. For the next two years, I noticed that about 50 percent of my year (all doing computing) always used the same ones, regardless of the computer they were on (usually with a single "1" as a suffix on UNIX). In case you're wondering, yes, I did get 100 percent for the CBE-based portion of that subject - serves them right for not encrypting their answers files either...
Legal Implications: I sell my hacking program PW, and I've made about $1000 so far (initially I charged $250, but I've dropped it heaps as sales have fallen off). Before I took out some major advertising for it, I consulted a lawyer to ensure that I didn't end up in the slammer, and this is what I found out: (it's 100 percent relevant to Australia, and almost certainly the same in the majority of other states and countries). Illegal computer access is almost always a crime one way or another. Suggesting to someone that they go out and commit a crime is usually also a crime (aiding and abetting). So, in order to sell a password capturing program, I must not directly suggest that you use my program to get passwords to break into a computer.
I studied the Australian legislation very carefully, and I added two more features to my capture program so that I avoided every possible thing they could throw at me. After I capture the passwords, I encrypt them (so that no one can accidentally discover the passwords that I've captured). Not doing this compromises the security of their system, and might be breaking laws in your state. Also, you don't want just anybody TYPE-ing your file, and discovering what you're up to! And lastly, in order to unencrypt them, you need to run a utility, which itself asks for a password before it will run, just to make sure that the law can't get you on a technicality. From the user's point of view, it's best not to get caught collecting passwords, but if you are, feign ignorance, and never tell anyone how to unencrypt them. That way, they can't prove you even possess them.
.COM and .SYS, and .: A tricky problem is how to hide the installation of a recording program from a "typical" or even advanced user. My recorder is a dual-format .SYS or .COM program. The .SYS header was hacked carefully, so that it was actually executable.
(How you ask? Whack this into DEBUG, and compare with what a .SYS header is supposed to look like, then do a "U" on it. This is my Mona-Lisa of hacks:
0100: 24 00 00 00 00 80 0E 00-10 00 90 EB 41 D0 EB 08
0110: E9 C3 00 28 63 29 20 EA-2E 8C 06 16 00 2E 89 1E
0120: 14 00 CB 81 FF FF FF FF-00 00 18 00 2F 00 00 06
... etc: your code here)
This way, you can run it as a .COM program from AUTOEXEC.BAT, or you can use DEVICE = in CONFIG.SYS. Note that the DEVICE = kind of files don't have to be .SYS - they can be anything.
A beautiful idea is to rename your .SYS program to Alt+255 (an invisible hidden character - type it by pressing and holding the Alt key, then typing a 2, a 5, and another 5 on the numeric keypad, then releasing the Alt key) and add the line DEVICE =<ALT-255><SPACE>HIMEM.SYS (or whatever). It looks to anyone like this DEVICE = HIMEM.SYS but is actually running the hidden-character program (which, incidentally, you can hide with the DOS ATTRIB command) and passing it the dummy parameter HIMEM.SYS which does nothing, but fools the inquisitive.
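A check for the hidden-character trick, added as an example and not part of the article: scan CONFIG.SYS for DEVICE= or DEVICEHIGH= lines whose driver name contains a byte that would never display as an ordinary filename character. The sample CONFIG.SYS text and the function names are constructed for this demonstration.

```c
#include <string.h>

/* Constructed CONFIG.SYS text, not from the article: the second line loads a
   driver named by the single byte 0xFF (Alt+255) and passes HIMEM.SYS only as
   a dummy argument, so on screen it reads like an ordinary HIMEM line. */
static const char sample_config[] =
    "FILES=30\r\n"
    "DEVICE =\xFF HIMEM.SYS\r\n"
    "DEVICEHIGH=C:\\DOS\\ANSI.SYS\r\n";

/* Return 1 if the driver name on a DEVICE= or DEVICEHIGH= line contains a byte
   that TYPE or EDIT would show as blank or as an unexpected glyph: a control
   byte, DEL, or anything in the high half. Blanks around '=' are tolerated. */
static int device_line_is_suspicious(const char *line, size_t len)
{
    size_t i = 0;
    if (len < 6 || strncmp(line, "DEVICE", 6) != 0) return 0;
    while (i < len && line[i] != '=') i++;               /* find the '=' */
    for (i++; i < len && (line[i] == ' ' || line[i] == '\t'); i++) ;
    for (; i < len && line[i] != ' ' && line[i] != '\t'; i++) {
        unsigned char c = (unsigned char)line[i];
        if (c < 0x20 || c >= 0x7F) return 1;
    }
    return 0;
}

/* Scan a whole CONFIG.SYS buffer line by line (CR/LF or LF endings) and
   return the number of suspicious DEVICE lines. */
static int count_suspicious_devices(const char *cfg, size_t len)
{
    int hits = 0;
    size_t start = 0, i;
    for (i = 0; i <= len; i++) {
        if (i == len || cfg[i] == '\n') {
            size_t l = i - start;
            if (l && cfg[start + l - 1] == '\r') l--;      /* strip CR */
            hits += device_line_is_suspicious(cfg + start, l);
            start = i + 1;
        }
    }
    return hits;
}

static int demo_config(void)
{
    return count_suspicious_devices(sample_config, sizeof sample_config - 1);
}
```

The same byte-range test applied to a directory listing catches the renamed file itself, whether or not ATTRIB has hidden it from DIR.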
Adding your own code to the beginning or end of an existing .COM or .SYS is a better idea, and one which I usually employ. My password capturer can manage any of these four possibilities, although you need to hack it yourself usually. Make sure you make the date the same as it was, and I try to make the size similar too - if it was 34,672 bytes, and I add 900 bytes to it, I add 100 dummy ones, so it's 35,672 now, instead of a whole different number altogether.
Anti-Virus Scum: Make sure you run whatever anti-virus things are installed on a PC whenever you mess with executables - in case it is going to warn that something has changed. That way, you can tell it that the change is O.K., and it won't alert the user. Also, make sure you test your hacks with as many different anti-virus programs as you can. I've had a few stupid AV programs mistake my new code for some virus or another, and screw things up for me.
Windows: As many of you key-recording gurus will have noticed by now, Windows cuts off the keyboard from DOS when it loads. I also sell a full-featured keyboard usage recorder which records all keypresses (DOS and Windows) silently in the background. It also records the typist's "style" (how long they held the key down for, and the delay between this and the previous key), which makes it simple to work out who typed it, as well as what was typed. The secret of the Windows crack is to monitor all "open file" commands (INT 21f8D), and when you get one for KEYBOARD.DRV, and Windows is being loaded (MOV AX,160A, INT 2F, CMP AX,0h) - another elegant bit of detective work in those three lines. (Don't expect to ever read this outside the pages of 2600; even the undocumented books don't know it!)
Then hack the subsequent read, so that the new keyboard Interrupt Service Routine (ISR) calls you before it services windows (insert an INT 99 or anything unused, which you've re-vectored to point to your code). Took me two nights to work this one out, and I thoroughly recommend it for those with the means. A damn satisfying hack! Remember to cater for WIN and WIN /S.
Recording keys is also good on your own home PC, because you can record anything that anyone other than yourself gets up to in your absence. I've got mine set up to write a new file every time it loads, in a hidden directory. I did a file sort the other day, based on the likelihood that the typist was me (based on my typing "style"), and sure enough, the last few files were things that someone else had been up to, which I didn't even notice. I've also hacked my COMMAND.COM so that it runs AUTOEXEC.BAK, not AUTOEXEC.BAT, so that if some smarty comments my key-recorder out of AUTOEXEC.BAT, they still won't disable it. If enough people ask for it, I'll write a boot-sector loader version, so even a floppy-boot won't shut it off.
Test test test. Never leave a hacked PC untested. You've always forgotten something.
Files Discussed: PW.COM, PW.SYS - My password capturing program I sell for $29, see the 2600 Marketplace ad. RECKEY.EXE - My keyboard recorder.