

Update Scripts/ws-editcap.zip, Scripts/MACO-Script(Use)/biologger.jar, Scripts/MACO-Script(Use)/etl2pcapng.exe, Scripts/MACO-Script(Use)/ConvertEtlToPcap.ps1, Scripts/MACO-Script(Use)/LinearEnv.bat, Scripts/MACO-Script(Use)/MessageChatScript (Emoji).txt, Scripts/MACO-Script(Use)/MessageChatScript.txt, Scripts/MACO-Script(Use)/TShark_Run.sh, Scripts/Keylogger/biologger.jar, Scripts/Keylogger/Keylogger Notes.txt, Scripts/Keylogger/biologger1.1.jar, Scripts/Keylogger/Keylogger.ps1, Scripts/Keylogger/biologger-1.2.jar files
parent 510590eb
BioLogger: https://github.com/vmonaco/biologger/blob/master/README.md
biologger is a cross-platform keyboard and mouse event capture tool. It uses the jnativehook library to register system-wide hooks for keyboard and mouse events. The types of events captured include: keystrokes, mouse motion, mouse clicks, and scrolling (mouse wheel). The events are recorded to CSV files (one file for each event type).
To run, download the latest release and run the executable jar. From the command line,
$ java -jar biologger.jar
By default, the CSV files will be created in the current working directory. To specify a different output directory, use the -o option. Certain event types can also be ignored, such as -im to ignore mouse motion events. The full usage is:
usage: biologger
-h,--help print this help message
-ic,--ignore-click ignore mouse click events
-ik,--ignore-keystroke ignore keystroke events
-im,--ignore-motion ignore mouse motion events
-iw,--ignore-wheel ignore mouse wheel events
-nw,--no-window don't start the user interface
-o,--output <arg> output directory
-pk,--print-keys print the full key map and exit
-v,--verbose verbose mode
To be sure the events are being captured, run biologger in verbose mode:
$ java -jar biologger.jar -v
Jan 11, 2017 9:55:48 AM com.vmonaco.bio.Listener nativeMouseMoved
INFO: Mouse moved:: position: 589, 488
Jan 11, 2017 9:55:48 AM com.vmonaco.bio.Listener nativeMouseMoved
INFO: Mouse moved:: position: 590, 492
Jan 11, 2017 9:55:48 AM com.vmonaco.bio.Listener nativeMouseMoved
INFO: Mouse moved:: position: 594, 499
Jan 11, 2017 9:55:48 AM com.vmonaco.bio.Listener nativeMouseMoved
INFO: Mouse moved:: position: 598, 505
...
Event attributes and descriptions
The following tables describe each of the attributes (columns in the CSV files) for each event type.
Keystroke
  Name            Description
  press_time      key press timestamp (ms)
  release_time    key release timestamp (ms)
  key_code        numeric key code (see keycodes.csv for a table)
  key_name        human-readable key name
  modifier_code   modifier key codes pressed during the event
  modifier_name   modifier key names pressed during the event (e.g., ctrl+shift)
  location        2 for left, 3 for right, 1 for keys that have a single location
Mouse motion
  Name            Description
  time            timestamp (ms)
  x               absolute x location of the pointer (pixels)
  y               absolute y location of the pointer (pixels)
  modifier_code   modifier key codes pressed during the event
  modifier_name   modifier key names pressed during the event
  dragged         1 if a mouse button was held down during the event, 0 otherwise
Mouse click
  Name            Description
  press_time      press timestamp (ms)
  release_time    release timestamp (ms)
  button_code     mouse button numeric code (typically 1, 2, or 3)
  press_x         absolute x position at the press time
  press_y         absolute y position at the press time
  release_x       absolute x position at the release time
  release_y       absolute y position at the release time
  modifier_code   modifier key codes pressed during the event
  modifier_name   modifier key names pressed during the event
  image           base64 encoded 200x200 image centered on the press position
The image attribute is a base64 encoded image centered on the press location. It provides context for where the user clicked, for example how close to the edge of a button the click occurred.
The following Python code decodes and displays the last click image in mouseclick.csv:
import io
import base64
import pandas as pd
from PIL import Image
df = pd.read_csv('mouseclick.csv')
i = df.iloc[-1].image
image = Image.open(io.BytesIO(base64.b64decode(i)))
image.show()
Mouse wheel
  Name            Description
  time            timestamp (ms)
  amount          magnitude of the wheel event
  direction       direction of the wheel event (either +1 or -1)
  type            0 for unit, 1 for block
  x               absolute x location of the pointer device
  y               absolute y location of the pointer device
  modifier_code   modifier key codes pressed during the event
  modifier_name   modifier key names pressed during the event
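The keystroke table above is the input the capstone's timing analysis works from. As an added example (not code from biologger or from this project), this Python parses a constructed keystroke.csv in the documented column layout and derives per-key hold time, press-to-press and release-to-press latencies, flagging overlapping presses; the column names are the documented ones, the sample rows and key codes are made up.

```python
import csv
import io

# Constructed sample in the keystroke.csv layout documented above
# (timestamps in ms). Key codes and names are illustrative only, not
# real biologger output.
SAMPLE_KEYSTROKE_CSV = """press_time,release_time,key_code,key_name,modifier_code,modifier_name,location
1000,1080,35,h,0,,1
1150,1220,18,e,0,,1
1300,1390,38,l,0,,1
1420,1500,38,l,0,,1
1480,1580,24,o,0,,1
"""


def load_keystrokes(text):
    """Parse keystroke.csv text into dicts ordered by press time."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        press, release = int(r["press_time"]), int(r["release_time"])
        if release < press:
            raise ValueError(f"release before press for {r['key_name']}")
        rows.append({"press": press, "release": release,
                     "key": r["key_name"], "modifiers": r["modifier_name"]})
    rows.sort(key=lambda k: k["press"])
    return rows


def timing_features(rows):
    """Per-key hold time and latencies to the previous key (all in ms).

    hold       = release - press
    pp_latency = this press - previous press
    rp_latency = this press - previous release; negative means the two
                 keys overlapped (rollover), a typing-rhythm feature.
    """
    feats = []
    for i, k in enumerate(rows):
        f = {"key": k["key"], "hold": k["release"] - k["press"]}
        if i > 0:
            prev = rows[i - 1]
            f["pp_latency"] = k["press"] - prev["press"]
            f["rp_latency"] = k["press"] - prev["release"]
            f["overlap"] = f["rp_latency"] < 0
        feats.append(f)
    return feats


def digraph_latencies(feats):
    """Group press-to-press latencies by key pair, e.g. ('l', 'l') -> [120]."""
    out = {}
    for prev, cur in zip(feats, feats[1:]):
        out.setdefault((prev["key"], cur["key"]), []).append(cur["pp_latency"])
    return out
```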
Build instructions
See the Makefile. To build the jar:
$ make jar
To run the jar:
$ java -jar biologger.jar
-----------------------
Run from bat:
https://stackoverflow.com/questions/8938944/how-to-run-java-application-by-bat-file
@ECHO OFF
set CLASSPATH=.
set CLASSPATH=%CLASSPATH%;path/to/needed/jars/my.jar
%JAVA_HOME%\bin\java -Xms128m -Xmx384m -Xnoclassgc ro.my.class.MyClass
or
C:\Program Files\Java\jre6\bin\java.exe -jar myjarfile.jar
"C:\Program Files\Java\jdk-13.0.1\bin\java.exe" -jar c:\biologger\biologger.jar -ic -im -iw
"C:\Program Files\Java\jdk-13.0.1\bin\java.exe" -jar c:\biologger\biologger.jar -ic -im -iw -o c:\Users\AlexPC\Desktop\
function Get-KeyboardInput {
<#
.Synopsis
Capture input from USB keyboards and Mice.
.description
Logman can capture raw USB packets containing HID data. We can translate that into actual keystrokes. Requires local admin, but
leverages normal Windows logging without any need for hooks or process injection.
.Example
Get-KeyboardInput -source C:\windows\tracing -destination C:\ -tracetime "10" -- logs keyboard input for 10s then saves the log to C:\,
then parses the log and saves the keystrokes recorded to C:\output.txt. Mouse data is recorded as well, though I haven't figured out
how to parse that yet.
#>
[cmdletbinding()]
param(
[parameter(mandatory=$true)]
$Source,
[parameter(mandatory=$true)]
$tracetime,
[parameter(mandatory=$true)]
$destination
)
logman create trace -n "usbtrace" -o "$source\trace.etl" -nb "128 640" -bs "128"
logman update trace -n "usbtrace" -p "microsoft-windows-usb-usbport"
logman start -n usbtrace
Start-Sleep -Seconds $TraceTime
logman stop -n usbtrace
# $Input is a PowerShell automatic variable, so the events are kept in a regular variable instead.
$UsbEvents = Get-WinEvent -Path "$Source\trace_000001.etl" -Oldest | Where-Object { $_.Message -match "Data" }
# The script reads property index 5 of each event and formats it as hex for the switch below.
$HID = foreach ($I in $UsbEvents) { "{0:x}" -f ($I.Properties.Value[5]) }
$Data=switch ($HID)
{
4 {"A"}
5 {"B"}
6 {"C"}
7 {"D"}
8 {"E"}
9 {"F"}
A {"G"}
B {"H"}
C {"I"}
D {"J"}
E {"K"}
F {"L"}
10 {"M"}
11 {"N"}
12 {"O"}
13 {"P"}
14 {"Q"}
15 {"R"}
16 {"S"}
17 {"T"}
18 {"U"}
19 {"V"}
1A {"W"}
1B {"X"}
1C {"Y"}
1D {"Z"}
}
logman delete -n usbtrace
Remove-Item "$Source\trace_000001.etl"
$Data | Out-File "$Destination\Output.txt"
}
# Be sure to Set-ExecutionPolicy Unrestricted (or sign the script) before running.
# Usage: .\ConvertEtlToPcap.ps1 -Path c:\<path\file>.etl -Destination c:\<path\file>.pcap
# From cmd.exe: PowerShell.exe "& {.\ConvertEtlToPcap.ps1 -Path 'TestToEtl.etl' -Destination 'TestToEtl.pcap'}"
[CmdletBinding()]
param(
[Parameter(Position=0)]
[ValidateScript({
if( -Not ($_ | Test-Path) ){
throw "File or folder $_ does not exist"
}
if($_.Extension -ne ".etl"){
throw "Source file must be .etl file"
}
return $true
})]
[System.IO.FileInfo]$Path,
[Parameter(Position=1)]
[ValidateScript({
if( -Not ($_.DirectoryName | Test-Path) ){
throw "Destination folder $($_.DirectoryName) does not exist"
}
if($_.Extension -ne ".pcap") {
throw "Destination file must be .pcap file"
}
return $true
})]
[System.IO.FileInfo]$Destination,
[Parameter(Position=2)]
[Uint32]$MaxPacketSizeBytes = 65536)
$csharp_code = @'
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.IO;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace chentiangemalc
{
public static class NetworkRoutines
{
public static long ConvertEtlToPcap(string source, string destination, UInt32 maxPacketSize)
{
int result = 0;
using (BinaryWriter writer = new BinaryWriter(File.Open(destination, FileMode.Create)))
{
UInt32 magic_number = 0xa1b2c3d4;
UInt16 version_major = 2;
UInt16 version_minor = 4;
Int32 thiszone = 0;
UInt32 sigfigs = 0;
UInt32 snaplen = maxPacketSize;
UInt32 network = 1; // LINKTYPE_ETHERNET
writer.Write(magic_number);
writer.Write(version_major);
writer.Write(version_minor);
writer.Write(thiszone);
writer.Write(sigfigs);
writer.Write(snaplen);
writer.Write(network);
long c = 0;
long t = 0;
using (var reader = new EventLogReader(source, PathType.FilePath))
{
EventRecord record;
while ((record = reader.ReadEvent()) != null)
{
c++;
t++;
if (c == 10000)
{
Console.WriteLine(String.Format("Processed {0} events with {1} packets processed",t,result));
c = 0;
}
using (record)
{
if (record.ProviderName == "Microsoft-Windows-NDIS-PacketCapture")
{
// pcap timestamps are seconds/microseconds since the Unix epoch in UTC,
// so convert the (local) event time before splitting it.
DateTime timeCreated = ((DateTime)record.TimeCreated).ToUniversalTime();
TimeSpan sinceEpoch = timeCreated.Subtract(new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc));
UInt32 ts_sec = (UInt32)sinceEpoch.TotalSeconds;
UInt32 ts_usec = (UInt32)((sinceEpoch.Ticks % TimeSpan.TicksPerSecond) / 10); // 100 ns ticks -> microseconds
UInt32 incl_len = (UInt32)record.Properties[2].Value;
if (incl_len > maxPacketSize)
{
Console.WriteLine(String.Format("Packet size of {0} exceeded max packet size {1}, packet ignored",incl_len,maxPacketSize));
continue; // skip it: a record longer than snaplen makes the file unreadable
}
result++;
UInt32 orig_len = incl_len;
writer.Write(ts_sec);
writer.Write(ts_usec);
writer.Write(incl_len);
writer.Write(orig_len);
writer.Write((byte[])record.Properties[3].Value);
}
}
}
}
}
return result;
}
}
}
'@
Add-Type -TypeDefinition $csharp_code
$result = [chentiangemalc.NetworkRoutines]::ConvertEtlToPcap($Path.FullName,$Destination.FullName,$MaxPacketSizeBytes)
Write-Host "$result packets converted."
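The C# above writes a classic libpcap file: a 24-byte global header followed by a 16-byte header per record. As an added example (not part of the project's scripts), this Python builds such a file the same way and parses it back, rejecting the malformed cases a reader trips over: wrong magic, a record longer than snaplen (the oversized-packet case the converter warns about), or truncated data. The sample records are constructed.

```python
import struct

# Constants matching the converter's global header: classic pcap magic,
# version 2.4 and LINKTYPE_ETHERNET. BinaryWriter emits little-endian.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = "<IHHiIII"  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, network
RECORD_HDR = "<IIII"     # ts_sec, ts_usec, incl_len, orig_len


def build_pcap(records, snaplen=65536):
    """Write records = [(ts_sec, ts_usec, bytes), ...] the way the converter does.
    Constructed writer for this example; it deliberately does not enforce
    snaplen so that parse_pcap can be shown rejecting an oversized record."""
    out = bytearray(struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, data in records:
        out += struct.pack(RECORD_HDR, ts_sec, ts_usec, len(data), len(data)) + data
    return bytes(out)


def parse_pcap(blob):
    """Parse a classic pcap blob; return a list of record dicts or raise ValueError."""
    if len(blob) < 24:
        raise ValueError("truncated global header")
    magic, vmaj, vmin, _tz, _sig, snaplen, network = struct.unpack(GLOBAL_HDR, blob[:24])
    if magic != PCAP_MAGIC:
        raise ValueError(f"unexpected magic {magic:#x}")
    if (vmaj, vmin) != (2, 4):
        raise ValueError(f"unsupported pcap version {vmaj}.{vmin}")
    if network != LINKTYPE_ETHERNET:
        raise ValueError(f"unexpected link type {network}")
    records, off = [], 24
    while off < len(blob):
        if len(blob) - off < 16:
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(RECORD_HDR, blob[off:off + 16])
        off += 16
        if ts_usec >= 1_000_000:
            raise ValueError(f"ts_usec {ts_usec} out of range")
        if incl_len > snaplen:
            # The case the converter's warning is about: readers reject such files.
            raise ValueError(f"record of {incl_len} bytes exceeds snaplen {snaplen}")
        if incl_len > orig_len:
            raise ValueError("incl_len larger than orig_len")
        if len(blob) - off < incl_len:
            raise ValueError(f"truncated packet data at offset {off}")
        records.append({"ts": ts_sec + ts_usec / 1e6, "incl_len": incl_len,
                        "orig_len": orig_len, "data": blob[off:off + incl_len]})
        off += incl_len
    return records


def check_file(path):
    """Validate an on-disk capture (e.g. one produced by ConvertEtlToPcap); returns record count."""
    with open(path, "rb") as fh:
        return len(parse_pcap(fh.read()))
```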
@ECHO OFF
pushd "%~dp0"
:: ======== Simple Auto Capture Setup Script =======================
SET Ver=1.0
:: by Jeana M. Verkempinck
:: MACO 2020 - Metadata Analysis Capstone
:: Designed to prep and tear down a Windows user environment for packet
:: capture using netsh and to capture the SSL key log for Firefox
:: Requires: etl2pcapng.exe or .ps1 converter script in same folder.
:: ===================================================================
SET URL=NA
SET MiURL=N
SET FiOwn=N
SET Tfp=NA
TITLE AutoCapture %Ver%
:: Auto check to see if batch ran with admin rights.
openfiles>nul 2>&1
if %errorlevel% EQU 0 GOTO BEGIN
CALL :BYE Certain commands will only work with elevated privileges.
:: Module to allow for a fancy menu
:DspTitle
CLS
ECHO ************************************************************
ECHO Simple Auto Capture Setup Script v.%Ver%
ECHO ************************************************************
IF NOT [%1]==[] (
ECHO %*
ECHO ************************************************************
)
ECHO.
GOTO :EOF
:: Choice to set client for naming, not necessary for run.
:FiSelect
CALL :DspTitle Client Choice
CHOICE /C ABM /M "Select client currently in use: "
IF ERRORLEVEL 1 SET FiOwn=A
IF ERRORLEVEL 2 SET FiOwn=B
IF ERRORLEVEL 3 SET FiOwn=M
GOTO :EOF
:: Select which site to initiate test with on Firefox.
:URLCHOICE
CALL :DspTitle Choose URL
ECHO F - Facebook
ECHO K - Kiwi (IRC)
ECHO G - Google
CHOICE /C FKG /M "Select the site to use: "
IF ERRORLEVEL 1 SET MiURL=F&& SET URL="https://www.facebook.com/messages/"
IF ERRORLEVEL 2 SET MiURL=K&& SET URL="https://kiwiirc.com/nextclient/"
IF ERRORLEVEL 3 SET MiURL=G&& SET URL="https://hangouts.google.com/"
GOTO :EOF
:: Module to set and verify the log/folder naming convention.
:SetOut
CALL :DspTitle Verify Logfile
SET Tfp=%MiURL%%FiOwn%-%date:~10,4%%date:~4,2%%date:~7,2%
ECHO Directory to store: %userprofile%\Desktop\%Tfp%\ && ECHO.
SET /P Tfp=Filename is currently %Tfp%, type in new filename or [ENTER] to continue: || SET Tfp=%Tfp%
GOTO :EOF
:: Short script to add formatted lines to the log file.
:LogBreak
ECHO ==== Initiated %* At %TIME% on the %date% ====>> %Tfp%-Log.txt
GOTO :EOF
:: Begin setting up the capture environment
:BEGIN
:: Select the client ID and the URL
CALL :FiSelect
CALL :URLCHOICE
:MakeDir
:: Sub-label to initiate the naming convention
CALL :SetOut
:: Make folder if it doesn't already exist, and jump into it.
IF NOT EXIST %userprofile%\Desktop\%Tfp% (
MKDIR %userprofile%\Desktop\%Tfp%
PUSHD %userprofile%\Desktop\%Tfp%
) else (
CALL :DspTitle "Error - Folder already Exists"
ECHO "Change the File Name to continue" && PAUSE
GOTO MakeDir
)
:: Initialize the log with some information useful for filtering.
CALL :LogBreak Capture
ECHO Initialized at %time% on the %date% >> %Tfp%-Log.txt
SYSTEMINFO >> %Tfp%-Log.txt
CALL :LogBreak IP-Config
netstat -ap tcp >> %Tfp%-Log.txt
:: Pause until all systems ready to begin trace.
CALL :DspTitle Trace for %URL%
ECHO Hit [ENTER] to begin trace. && PAUSE
:: ******** Actually Start the trace ********
:: Set SSL key logging
CALL :LogBreak Set SSL Key Log
CALL :DspTitle Set SSL Log
:: SET makes the variable visible to the Firefox process started from this
:: script; SETX alone only persists it for future sessions.
SET SSLKEYLOGFILE=%userprofile%\Desktop\%Tfp%\%Tfp%-SessionKeys.log
SETX SSLKEYLOGFILE %userprofile%\Desktop\%Tfp%\%Tfp%-SessionKeys.log
ECHO Set SSLKEYLOGFILE at %time% >> %Tfp%-Log.txt
ECHO. >> %Tfp%-Log.txt
:: Start the packet capture
CALL :DspTitle Starting netsh
netsh trace start persistent=no capture=yes report=no tracefile=%Tfp%.etl >> %Tfp%-Log.txt
ECHO Trace started at: %TIME% >> %Tfp%-Log.txt
ECHO. >> %Tfp%-Log.txt
:: Send Pings for monitor to help synch up captures (our local gateway: 207.140.106.1).
CALL :DspTitle Ping Synchronization
ECHO Ping ran 3 times with TTL 7 for self synchronization. >> %Tfp%-Log.txt
ping /n 3 /i 7 207.140.106.1 >> %Tfp%-Log.txt
ECHO. >> %Tfp%-Log.txt
:: Open Firefox to the previously selected URL.
CALL :DspTitle Start Browser and Keylogger
START "" /d "%programfiles%\Mozilla Firefox" Firefox.exe "%URL%"
ECHO Browser started for %URL%. >> %Tfp%-Log.txt
ECHO. >> %Tfp%-Log.txt
:: Opening keylogger will put rest of script on hold, until keylogger closed.
CALL :DspTitle Begin Test
ECHO Test will auto-complete when the keylogger is closed.
ECHO Keylogger started at: %TIME% >> %Tfp%-Log.txt
START "" /min /wait /d "C:\Program Files\Java\jdk-13.0.1\bin" java.exe -jar c:\biologger\biologger1.2.jar -im -iw -o %userprofile%\Desktop\%Tfp%\
:: Rename the Biologger output
REN keystroke.csv %Tfp%-keystroke.csv
REN mouseclick.csv %Tfp%-keymouseclick.csv
:: Cleanup the SSL environment variable (stop logging SSL keys) in this session and for new ones
SET SSLKEYLOGFILE=
SETX SSLKEYLOGFILE ""
ECHO Reverted SSL Keylog variable at %TIME% >> %Tfp%-Log.txt
:: Stop packet trace, called last due to how long it takes to stop.
CALL :DspTitle Merging Trace
ECHO Merging trace and generating data collection takes a few minutes.
CALL :LogBreak netsh merge
START "" /i /wait /b netsh trace stop
ECHO Finished Merge at %TIME% >> %Tfp%-Log.txt
:: Convert ETL to PCAP
CALL :DspTitle Converting ETL to PCAP
POPD
:: Using PowerShell: START "" /wait /d %userprofile%\Desktop\MACO-Script PowerShell.exe "& {.\ConvertEtlToPcap.ps1 -Path '%Tfp%.etl' -Destination '%Tfp%.pcap'}"
:: Using .EXE version:
START /wait etl2pcapng.exe %userprofile%\Desktop\%Tfp%\%Tfp%.etl %userprofile%\Desktop\%Tfp%\%Tfp%.pcapng
PUSHD %userprofile%\Desktop\%Tfp%
:: Delete CAB and ETL files, generally not needed at this point...
CHOICE /c:YN /m "Delete CAB and ETL files?: "
IF ERRORLEVEL 2 GOTO SkipDelCab
IF ERRORLEVEL 1 GOTO DelCab
:DelCab
DEL %Tfp%.cab
DEL %Tfp%.etl
:SkipDelCab
CALL :LogBreak Exiting
CALL :DspTitle Exiting
Call :BYE Summary: Logs created, Capture Completed and Converted to pcap.
GOTO :EOF
:BYE
:: Check what type of exit to use
ECHO %*
ECHO Exiting in:
timeout /t 5
exit
GOTO :EOF
===== Session [A/B/M]-DDMmmYYYY =======
A and B chat windows open
[Begin collect on A, B, and M]
A: What’s the weather like there [ENTER]
B: It’s always cold [ENTER]
A: I heard that California always had nice weather [ENTER]
B: It’s colder than I would like [ENTER]
A: It’s snowing here [PAUSE 3 seconds] and has been all day [ENTER]
B: I wouldn’t mind some seasons [PAUSE 5 seconds] [ENTER]
A: You could come out to visit [PAUSE 3 seconds] and be even colder [ENTER]
B: haha [Laughing Emoji][ENTER]
B: I might just take up on that offer [ENTER]
A: You are welcome anytime [ENTER]
A: If you were to visit, when would you come? [ENTER]
[PAUSE 5 seconds]
A: I have a break in early April [ENTER]
B: That could work [PAUSE 7 seconds, or until notification ends on A] [ENTER]
B: I’ve never been to New England in the Spring [ENTER]
A: That would be [PAUSE 5 seconds] lovely [ENTER]
[B types what A types simultaneously]
B: I’ll start looking into getting that time off work [ENTER]
A: You can stay with me [ENTER] I have plenty of room here [ENTER]
[Individually]
B: Sounds good, talk to you later.[ENTER]
A: [Thumbs Up Emoji][ENTER]
A: Bye.[ENTER]
[End collect on A and B]
===== Session [A/B/M]-DDMmmYYYY =======
A and B chat windows open
[Begin collect on A, B, and M]
A: What’s the weather like there [ENTER]
B: It’s always cold [ENTER]
A: I heard that California always had nice weather [ENTER]
B: It’s colder than I would like [ENTER]
A: It’s snowing here [PAUSE 3 seconds] and has been all day [ENTER]
B: I wouldn’t mind some seasons [PAUSE 5 seconds] [ENTER]
A: You could come out to visit [PAUSE 3 seconds] and be even colder [ENTER]
B: haha [ENTER]
B: I might just take up on that offer [ENTER]
A: You are welcome anytime [ENTER]
A: If you were to visit, when would you come? [ENTER]
[PAUSE 5 seconds]
A: I have a break in early April [ENTER]
B: That could work [PAUSE 7 seconds, or until notification ends on A] [ENTER]
B: I’ve never been to New England in the Spring [ENTER]
A: That would be [PAUSE 5 seconds] lovely [ENTER]
[B types what A types simultaneously]
B: I’ll start looking into getting that time off work [ENTER]
A: You can stay with me [ENTER] I have plenty of room here [ENTER]
[Individually]
B: Sounds good, talk to you later.
A: Ok, bye.
[End collect on A and B]
===== Session A1-DDMmmYYYY =======
A sending to B WITHOUT B’s window open
[Begin collect on A]
A: If you were to visit, when would you come? [ENTER]
[PAUSE 5 seconds]
A: I have a break in early April [ENTER]
[End collect on A]
===== Session B1-DDMmmYYYY =======
B opens chat window to receive A’s previous messages
[Begin collect on B]
B: That could work [PAUSE 7 seconds] [ENTER]
B: I’ve never been to New England in the Spring [ENTER]
===== Session A1a-DDMmmYYYY =======
[Begin collect on A]
[A logs in and receives B’s previous messages]
A: That would be [PAUSE 5 seconds] lovely [ENTER]
B: I’ll start looking into getting that time off work [ENTER]
A: You can stay with me [ENTER]
A: I have plenty of room here [ENTER]
[End collect on A, B, and M]
#!/bin/bash
# Quick start TShark capture on the monitor (M) host.
# Be sure to run "chmod 755 TShark_Run.sh" before attempting to run for the first time.
dayn=$(date +%d%b%Y)
echo -n "Input a file name, or press [ENTER] to default to M-$dayn.pcap: "
read -r capname
# Bracket test needs spaces around it; -z catches the empty-input default case.
if [ -z "$capname" ]; then
    filen="M-$dayn.pcap"
else
    filen="M-$capname.pcap"
fi
echo "File name will be: $filen"
echo "Use Ctrl-c to end"
# Capture on both interfaces into one file (tshark accepts -i more than once).
tshark -i eth0 -i eth1 -w "$filen"