Proof-of-concept FTP keylogger (updated in 2020) that I wrote during my free time. Written in x86-64 assembly language. Use for educational purposes only, and at your own risk!
- Runs on 64-bit Windows
- Written in pure assembly
- Only 4 KB in size
- Deploys itself to a super-hidden directory
- Records keystrokes using global hooks
- Remains persistent on user login via Windows registry
- Uploads logfiles to the specified FTP server
- Uploads logfiles to a unique directory created by the client
- Cycles through logfiles using time-based naming conventions
You may first need to temporarily disable Windows Defender. However, this can be bypassed by using dynamic encryption tools, renaming the file to a less suspicious name, etc. Running a newer version of the keylogger will automatically overwrite an older version, and vice versa.
- Open miniftp.asm and edit the username, password, and server name fields
- Assemble using ml64.exe and link.exe (see build.bat) to create miniftp.exe
- Use miniftp.exe at your own risk!
- Open up Task Manager > Find ccsvchst.exe and end the task
- Open up Registry Editor > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run > Find the Startup value and delete it
- Open up Registry Editor > HKEY_CURRENT_USER\Software > Find the Startup key and delete it
- Open up Explorer > View > Options > View > Hidden files and folders > Make sure "Show hidden files, folders, and drives" is selected
- Open up Explorer > View > Options > View > Make sure "Hide protected operating system files" is unchecked
- Open up Explorer > View > Make sure "Hidden items" is checked
- Go to %APPDATA% and delete the Startup folder and its contents
- Delete all files that were uploaded to the FTP server
- Open up Windows Security > Virus & threat protection > Virus & threat protection settings > Manage settings > Make sure "Real-time protection" is turned off
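
The removal steps above name four host artifacts: the ccsvchst.exe process, the Startup value under the HKCU Run key, the HKEY_CURRENT_USER\Software\Startup key, and the %APPDATA%\Startup folder. The PowerShell below is an added example, not part of the original project, that checks for all four in one pass without deleting anything; the function name `Test-MiniFtpArtifacts` is hypothetical.

```powershell
# Added example (not from the project). Read-only: nothing is deleted or changed.
# Every artifact name below is taken from this README's removal steps.
function Test-MiniFtpArtifacts {   # hypothetical function name
    # 1. Running process. Get-Process takes the name without ".exe".
    $proc = @(Get-Process -Name 'ccsvchst' -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Artifact = 'Process ccsvchst.exe'
        Present  = $proc.Count -gt 0
        Detail   = ($proc | ForEach-Object { "PID $($_.Id): $($_.Path)" }) -join '; '
    }

    # 2. Logon persistence: a value named "Startup" under the per-user Run key.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'Startup' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Artifact = "Run value 'Startup'"
        Present  = $null -ne $run
        Detail   = if ($run) { $run.Startup } else { '' }   # command run at logon
    }

    # 3. The Startup key directly under HKCU\Software.
    $swKey = 'HKCU:\Software\Startup'
    $swPresent = Test-Path -LiteralPath $swKey
    [pscustomobject]@{
        Artifact = $swKey
        Present  = $swPresent
        Detail   = if ($swPresent) { (Get-Item -LiteralPath $swKey).Property -join ', ' } else { '' }
    }

    # 4. %APPDATA%\Startup. This is not the legitimate Start Menu startup folder
    #    (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup). -Force is
    #    required because the folder is marked hidden and system.
    $dir  = Join-Path $env:APPDATA 'Startup'
    $item = Get-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Artifact = $dir
        Present  = $null -ne $item
        Detail   = if ($item) {
            $n = @(Get-ChildItem -LiteralPath $dir -Force).Count
            "Attributes: $($item.Attributes); $n item(s)"
        } else { '' }
    }
}

Test-MiniFtpArtifacts | Format-Table -AutoSize -Wrap
```

Run it as the affected user, since every location is per-user (HKCU and %APPDATA%). The Detail column shows the Run value's command line and the folder's attributes, which helps tell this program's entries apart from an unrelated value that happens to be named Startup.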