Skeleton-Key 'PC Unlocking' Utility by the National Authoritarians Society. DISCLAIMER: The author of this program takes ABSOLUTELY NO RESPONSIBILITY for any harm caused directly or indirectly by this program. The user assumes FULL RESPONSIBILITY for anything s/he may do with it. Please do not abuse this program - it is designed for hobbiests and security consultants who have an interest in this type of program and wish to see how easily security can be bypassed by even anyone with a good working knowledge of the system it is implemented on. Skeleton-Key is designed both to exploit and to demonstrate one of the built in weaknesses in PC-based networks. It simply goes resident in memory, and reads keystrokes as they are typed in. If the word "login" is typed (case insensitive) then it clears a 256-byte buffer and begins recording keystrokes. Once the buffer is full, it stops recording and stores the buffer until 'login' is typed again, at which point it starts over. If you haven't caught it already - the point is that if a net uses login for users to log into their accounts with, any accounts logged into will have their account name and password recorded. If a user mis-spells login, Skeleton-Key will ignore it - remember to do this when logging in to check the buffer. Checking the buffer is trivial - just run readkey.com, it will ask you whether to dump the information to a file or to the screen. If dumped to a file, the filename will be login.txt. Either way - you now have the last person's account name, password, and whatever they did first. There are some situations in which this program will not work, such as when another program takes over Int 16h or Int 09h completely.... but for the most part it is very solid. Key.COM - this is the installation file. When run, you are given a choice of methods with which to install the program in memory. These are: Int 27h MCB Manipulation Bios/Dos Manipulation The advantages/disadvantages are as follows: Int 27h: This method is a fairly standard one with which user programs can become resident. The program will go resident at the location in memory at which it is executed, and will keep the necessary size + 100h bytes for the PSP. When Mem /p or something similair is executed, the name of the file that made the program go resident will be displayed. The good thing about this is that Anti-Viral scanners and other security software will generally ignore this. The bad thing is that others may not, especially if they are looking for whatever is giving away their passwords. MCB Manipiulation: This method directly changes DOS's memory control blocks to make room for the program at the top of use memory, usually somewhere around 9fb0:0100. It ends Dos's memory chain at the block it starts out in, so once it is memory resident it will NOT show up on things like Mem /p and System Information (SI), although the decrease in memory will. This keeps most users from detecting it, but some anti-viral products may mistake this for a virus. BIOS/Dos Manipulation: This method uses BIOS to reserve 1K at the top of memory for the program. Basically it is the same as above, except that the available memory to DOS (total - including used) will decrease by one K, usually from 640k to 639k. This is noticed by some anti-viral products, and may be noted by adept users using mem or chkdsk. I'm including a demo file to test it with - check it out. If you decide to program a similar program (for some reason this one doesn't do it for ya - like if 'login' isn't the word you use) or if you need tech info, the following should help. Also check out the source code if it is included inside the file - it will be in some release versions. Regardless of the method used to go memory-resident, the memory resident portion of the program is always the same code. It hooks the regular keyboard interrupt (Int 09h) and, after each activation, it checks to see if there is a key waiting in the buffer using Int 16h, function 01, and - if so - checks it to see if login has been spelled. IF so, then it initiates the buffer and begins storing keystrokes unconditionally until it has logged 256 keystrokes. It then stops logging until login is typed again, at which point it starts over. It does not check for typing errors, so you can bypass it at this point - it is, however, case insensitive. Oh - with NDos (from reports I've heard - not verified) and at least some versions of Novell (verified) one can do this more simply just by hooking Int 21h, function 08h - Read Keyboard W/O echo. This does not work on all systems, however, so I chose a different way to implement it. Also - one stealthy technique that can be used that I declined to do in this one is to use one of the 'holes' in memory that is never, or rarely, used. Such places can be found at the top of the interrupt table, at times in video memory (dangerous - work on this technique for a while and test it before deciding to run it on the net), and in DOS buffers and the like. The advantage of this technique is that the memory available to the user does not decrease, and so obviously MEM and CHKDSK won't have a clue. The disadvantages are that there is usually a size limitation on the holes, and under some circumstances crashes may occur. Note that the beauty of this program is that one can run it in the morning, come back at any time during the day, and collect one user's worth of information without worrying about the program being present on the computer's disk. Also - no matter how tight the security is on the disks, how encrypted their passwords are, how well chosen and random the users make their passwords - it works. Always attack something at its weakest point - in this case, it is the simplistic structure of the IBM workstation. ________________________________________________________________________ This file was downloaded from the .... �������������������������������������������������Ŀ �������������������������������������������������۳ �� A D J A C E N T R E A L I T Y B B S ۳ �� ����������������������������������������� ۳ �� Forum for non-censored discussion and file ۳ �� exchange for the expierenced computer user. ۳ �� ۳ ����������������������������������������������������������Ŀ � � Cracks & Unprotects � Animations � � � Encryption � Home of SFDNC,SU, � � � Virus/Anti-Virus SFNEW and much more. � � � Virtual Reality � ACTIVE message bases � ������������������������������������������������������������ �� Call now at (615) 586-9515 ۳ �� ۳ �������������������������������������������������۳ ���������������������������������������������������