LOGITacker v0.2.3-beta (with SharpLocker, see CHANGELOG)

RoganDawes · Jan 17, 2020 · d405348 · d405348
1 parent fcdd9b5
commit d405348
Show file tree

Hide file tree

Showing 13 changed files with 30,328 additions and 27,408 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,66 @@
+# LOGITacker v0.2.3-beta
+
+- added R400 presentation clicker support for covert channel
+- integrated customized version of SharpLocker
+
+[SharpLocker by Matt Pickford](https://github.com/Pickfordmatt/SharpLocker) is a fake Windows 10 LockScreen,
+which tries to steal logon user credentials.
+
+LOGITacker incorporates a heavily modified and size reduced PowerShell version of [SharpLocker (not much left
+of the original code](https://github.com/mame82/SharpLocker/tree/netassembly) according to github `488 additions and 354 
+deletions`). 
+
+What has been kept are the limitations:
+
+- Windows 10 only
+- targets 1080p resolution for main screen
+- **This version was only tested on two Win 10 boxes - so it is experimental**
+
+Improvements over legacy Version
+
+- 80 KB exe (PE-File) was converted to self-contained 15KB PowerShell payload, which could run entirely in memory
+- does not quit the UI thread of the embedding process
+- tries to display the user's real LockScreen background
+- tries to display the user's real profile picture
+- the exposed NET method (a NET class library is embedded), returns the user password input as `string` object,
+which allows further processing in PowerShell if the payload is modified accordingly
+
+## LOGITacker SharpLocker integration / HowTo
+
+SharpLocker could be invoked from a already deployed covert channel (requires knowledge of the address of an 
+injectable receiver - either because it accepts plain keystrokes or because the encryption key is known/was sniffed).
+
+From inside the covert channel shell, SharpLock could be invoked by entering `!sharplock`!
+
+Assuming the injectable receiver address is `E2:C7:94:F2:3C` a session looks like this:
+
+```
+LOGITacker (discover) $ covert_channel deploy E2:C7:94:F2:3C
+... snip ...
+
+LOGITacker (injection) $ covert_channel connnect E2:C7:94:F2:3C 
+Starting covert channel for device E2:C7:94:F2:3C
+enter '!exit' to return to normal CLI mode
+
+...snip...
+s [Version 10.0.18363.535]
+(c) 2019 Microsoft Corporation. Alle Rechte vorbehalten.
+
+C:\Users\X770>!sharplock
+
+... snip (typed out powershell code) ...
+
+SharpLocker input: notMyRealPassword
+
+C:\Users\X770>
+```
+
+**For updates from older LOGITacker versions the command `erase_flash` has to be ran once, to re-initialize
+the flash data storage for the changed data structures. Not doing so likely causes errors during LOGITacker 
+operation**
+
+
+
 # LOGITacker v0.2.2-beta
 
 **For updates from older LOGITacker versions the command `erase_flash` has to be ran once, to re-initialize

diff --git a/apr-dongle/blank/config/sdk_config.h b/apr-dongle/blank/config/sdk_config.h
@@ -1975,7 +1975,7 @@
 // <i> Note: This value is not editable in Configuration Wizard.
 // <i> Serial number that is defined the same way like in @ref APP_USBD_STRINGS_MANUFACTURER.
 #ifndef APP_USBD_STRING_SERIAL
-#define APP_USBD_STRING_SERIAL APP_USBD_STRING_DESC("v0.2.2-beta")
+#define APP_USBD_STRING_SERIAL APP_USBD_STRING_DESC("v0.2.3-beta")
 #endif
 
 // </e>