Variants: Nano 1.0, Nano 1.2
From the publisher:
‘Nano is a keylogger dessigned for Windows platforms. It is, unlike other keylogger products, not dessigned for monitoring your own system but to monitor remote computers. However, as this behaviour is quite similar to the behaviour of a trojan horse, there are no nano binaries available – you will only get the source code. This is because nano has been coded for educational purpose only and should not be abused for any illegal activities. I presume upon the fact that nano has the solemn purpose to serve as a subject to studies for experienced coders.
Nano Development History
The nano development began just after the release of Typ0 V2.4, the first keylogger published by RS Incorporated. Whereas Typ0 was dessigned to provide as many options as possible to monitor the behaviour of an infected user, nano should be small and stealthy, more advanced and effective. While Typ0 was now able to log Internet Explorer Passwords, all visited URL’s and mouse clicks, nano should have completely different advantages. The Typ0 executable was around 350k in size, because it had not been a primary aim to reduce the size. Nano was originally ment to be around 10k in size, but during development, I realized that this was just too small. Nevertheless, nano does not become larger than 20k, compiled with all possible options. However, nano is lacking the extended functionality of Typ0 – nano was coded with the sole intention to log keystrokes and clipboard activity and send these logfiles to an email address and / or and FTP account. There is no URL monitoring, no IE passwords, no mouse clicks, nothing like that.
So, I had to start somewhere – and as a big fan of ‘Under the Hood’, I searched MSDN to find some article on reducing the size of an executable. Fortunately, I found this great article by Matt Pietrek, whome I want to give the due credit here: http://msdn.microsoft.com/msdnmag/issues/01/01/hood/default.aspx
I used LIBCTINY.LIB to replace the standard library and added my own implementation of several standard library functions here and there to reduce the size as good as possible. Second step was getting rid of most or all C++ elements in the code, I wanted to do the nano code itself in sheer C. Not just because this would make the application faster and smaller, but also to force myself not to add too complex mechanisms to the functionality. It should perform the keylogger task and send the logfiles, nothing else – but it should be perfect at doing so.
Die Hard OOP fans might not agree with me, but pure C code is not that bad if you keep separate modules for each part of the program and, most important, keep the whole thing small. And that’s what I did, I created separate mpdules for each part of the keylogger and you can see the result if you check the source files yourself.
Nano also exports some of its important functions, and you might ask yourself why – these exports have been left for later development, it might help me add a firewall bypassing mechanism some day.
After Nano was coded the way I wanted it, I dessigned the Nano editor NED which modifies the nano executable’s resources to allow an easy configuration. NED is also able to change the nano executable’s icon. Other than that, NED is based on the concept of TED which is the Typ0 editor, so I don’t think I have to lose many words about it.
Future plans for nano development include a logfile viewer for your local system and a removal tool, both of them do not exist currently.
Ok, listen up: I am assuming that only experienced coders read this file and deal with the nano code. I will not go into every obvious detail but only explain the basic usage here. Anyone who doesn’t get it should leave it.
The Nano executable can be compiled with various options to control the size even better. The configuration file can be found in the nano directory and it is named ‘nanocfg.h’. This file also includes detailed instructions about how to configure nano. To modify the compiled code, macros can be enabled or disabled to add or leave out support for certain nano features. For instance, you can only define the NANO_NT macro to leave out support for Windows ME and earlier Windows versions. Of course, you have to enable support for at least one OS. Further options include: – Include support for uploading logfiles to an FTP Server – Include support for sending logfiles by email
Pretty self-explanatory I think. You can indeed remove both the support for FTP uploads and Email from nano, thus the logfiles would merely be stored on the computer.
These macros are only the lowest layer of configuration, though. The core nano configuration is stored inside a string table resource stored inside the nano executable. You can, of course, change the resource script that is used when nano is compiled and linked to set up your standard configuration, but it is easier to use the nano editor (NED: ned.exe) to alter the configuration of the executable directly. NED provides a more or less user-friendly GUI, which, along with this readme, should allow you to set up your nano executable as you want it. Once you execute NED, you should be able to open your nano executable from the File menu and NED will load it’s configuration data. Let’s see what kind of configuration you can do.
This is the name that nano will use for the service name and for almost everything else that requires a name. So, if you do not want nano to look like it is nano, name it however you like. If nano runs on a non-NT system, the autostart registry key will have this name as well.
This string is only relevant on Windows NT machines. Nano will install itself as a service on NT and this string will be used as a description for the service.
Registry Key Name
Nano uses the Registry key HKEY_LOCAL_MACHINE to store logfiles. The registry key name is actually the subkey that should be used to store the logfiles. You can also configure nano to store the logfiles within a subkey that is more than one level deep by separating the subkeys by backslashes: SECURITY\Keylogger\Nano If nano is running as a service, it will not be able to create new keys directly in HKEY_LOCAL_MACHINE. If nano is unable to create the subkey you specified, it will at first try to create that subkey in HKEY_LOCAL_MACHINE\Software and if this is not possible either (ie. when you did not specify a correct format for the subkey), the logfiles will be stored in HKEY_LOCAL_MACHINE directly.
Logfile Title Format
Each Logfile will have a title – this title will be the filename for FTP-uploaded HTML files and it will be the subject in any emails that contain a nano logfile. You should choose the logfile title wisely as every title should be unique for each logfile and since it should be a possible filename as well. You can ensure that each logfile has a unique title by inserting several variables to the logfile format:
%u – Inserts the currently logged user. Attention: If Nano installs itself as a service, this will always show up as ‘SYSTEM’ (without the quotes) in the logfile format.
%t – The current time in format HH:MM:SS
%d – The current date, for instance ‘August 12, 2003’
(if there are sincere requests to add more variables, I will do so. send any requests for more logfile title variables to firstname.lastname@example.org)
Logfile Size (KB)
This simply specifies the logfile size in kilobytes. If a logfile would exceed this size, a new one is created and the old one is, depending on your configuration, sent to your email, uploaded to your FTP or simply kept on HD (if both send mechanisms are disabled.)
Log injected Keys
Under Windows NT, nano uses a low level keyboard hook to log keystrokes. By using this hook, nano can determine whether a keystroke actually came from the user (he pressed a key) or if the keytap was injected by another application. Injecting keys is also used by Anti-Keylogger software to probe for keyloggers, so I would usually not check this checkbox. I decided to leav it as an option, though.
If nano cannot access the internet, it will usually try to autodial internet accounts on the machine it is installed on. By enabling the stealth option, you can prevent nano from doing so.
This is the pathname that nano will install itself to. You can use environment variables within this string. Open the console and type ‘env’ to get a list of environment variables on your system. On all Windows platforms, you can use %WINDIR% as a placeholder for the windows directory.
You can both upload the logfiles to an FTP server and / or let nano send them to you by email. I actually don’t think I have to say much about this part of the configuration as you should know what you have to enter to the FTP fields if you have an FTP account and since the email mechansim has been heaviely improved – you do not need to specify a mail server or anything of that sort, nano will do an MX lookup to find the destination mail server and directly send mail to you.
Further NED Goodies
? These options are not all you can do with NED. In the File menu, you will find an entry that says ‘Save Backup File’, for instance. The backup file that is created this way stores all the cruicial information relevant to removal – It is HIGHLY RECOMMENDED that you ALWAYS create a backup file before you install Nano on any system. Unless you know exactly what nano does, it is hardly possible to remove it without a backup file later.
Finally, there is the Editor menu with the possibility to select a different icon for the nano executable and the logfile dessign setup. Both these options are not important for the functionality of nano, but they are nice goodies.
Change Keylogger Icon
You can open ICO, EXE and DLL files and chose one of their icons to be used as the new icon for your nano executable. This icon will be stored as a resource inside the nano executable and the explorer will display it when the executable is shown in an explorer window. You can also chose not to use any icon for nano – this keeps the size small, but it might not have the effect you wanted since the explorer will display the executable file as the typicall, odd, empty-window-icon.
Change Logfile Dessing
Nano logfiles use HTML and you can easiely set up the colors for the HTML elements. I thought it would be a nice goodie, it is basically just for fun. And not everyone likes the lime green I apreciate so much …
There is no nano removal tool yet, and therefore I expect everyone who compiles and uses the file to be 100% aware of what is going on.
It was, as always, a pleasure to code this little program and I hope that you can find it any useful. I had some difficulties during the development that finally made me discard some of the ideas I had had for nano initially – but some people always help me out and I thought they deserve some greetings here:
Thanks so very much to OpioN , he helped me constantly with source code, ideas, and an immense enthusiasm – that’s really awesome and it means a lot to me. Thanks man.
Mad props to IqLord, almost the only person on the WWW except me who posts stuff on my site frequently (and it is damn good stuff) – thanks for your support and your influence on me … I bought a book about Assembly the other day and a reference, I will start to read it in one or two weeks when I am on vacation again =).
Thanks also to Joã¯ Henrique for getting into touch with me as soon as the first word about nano was officially spoken, offering his help and suggestions. I apreciate that a lot.
There are much more people out there who would deserve credit for their endless wisdom and coolness, and you guys know who you are – so excuse me when I don’t name every single one. I could forget to mention important persons … like ph33r, for instance.
As always, feel free to ask me any questions regarding source code, use, etc: email@example.com
Stay clean, don’t forget and always remember: You can’t beat the feeling – always coca cola. ~ rattlesnake’
Nano manual removal:
aboutdlg.cpp, aboutdlg.h, alloc.cpp, alloc2.cpp, allocsup.cpp, atol.cpp, changelog.txt, connectdlg.cpp, connectdlg.h, crt0twin.cpp, dib.cpp, dib.h, dllwrap.cpp, dllwrap.h, dns.cpp, dns.h, eml.cpp, eml.h, global.h, gpl.txt, icondlg.cpp, icondlg.h, icons.cpp, icons.h, initterm.cpp, initterm.h, isctype.cpp, klg.cpp, klg.h, libctiny.lib, log.cpp, log.h, logdesigndlg.cpp, logdesigndlg.h, logviewdlg.cpp, logviewdlg.h, memset.cpp, nano.aps, nano.cpp, nano.dsp, nano.dsw, nano.exe, nano.ncb, nano.opt, nano.plg, nano.rc, nanoadminpanel.cpp, nanoadminpanel.h, nanoagent.clw, nanoagent.cpp, nanoagent.dsp, nanoagent.exe, nanoagent.h, nanoagent.rc, nanoagent.rc2, nanoagentdlg.cpp, nanoagentdlg.h, nanocfg.h, nanoeditorpanel.cpp, nanoeditorpanel.h, ned.aps, ned.clw, ned.dsp, ned.ncb, ned.opt, ned.rc, neddlg.cpp, newdel.cpp, processdll.cpp, processdll.h, psapi.h, ptrarray.h, rand.cpp, resource.h, rmtmp.bat, servicedll.cpp, servicedll.h,
snapshotdll.cpp, snapshotdll.h, sprintf.cpp, std.cpp, std.h, stdafx.cpp, stdafx.h, struplwr.cpp, svc.cpp, svc.h, webbrowser2.cpp, webbrowser2.h, winres9x.cpp, winres9x.def, winres9x.dsp, winres9x.h, winres9x.rc, winresdll.cpp, winresdll.h