
Sliver Keylogger

This extension to Sliver was written mostly as a learning exercise into how Sliver handles extensions.

I would like to thank the entire Sliver team for their work on this public implant framework. I would especially like to thank @rkervell for answering many of my questions related to how Sliver handles its extensions.

how does this work

It uses raw input. This has advantages and disadvantages compared with other common keylogging methods.

I like it because it doesn't require injecting into other binaries, nor does it require polling a given call frequently and potentially missing results.

This code is partly my own work and partly a mash of examples found around the internet.

how to build it

Open the solution file using Visual Studio 2019 and build the x86 and x64 Release configurations.

how to load / install it

Until this is potentially included in the armory, it can be built on a Windows system. The resulting $(solutiondir)\bin folder can then be placed on the Sliver client and extensions install <path to folder> run to install the extension. You may need to restart the client or also run extensions load <path to folder>.

usage

raw_keylogger <cmdid>

The following cmdid values are valid:

0 = stop
1 = start
2 = get keystrokes

If everything goes well it will look like this: [screenshot in the original README: Screen Shot 2022-06-17 at 3 05 09 PM]

lessons learned

Sliver's extension API has the following two main parts:

/* callback used to hand output back to the Go side of the implant */
typedef int (*goCallback)(const char*, int);

extern "C" {
	/* exported entrypoint the implant invokes; receives the raw argument string and its length */
	__declspec(dllexport) int __cdecl entrypoint(char* argsBuffer, uint32_t bufferSize, goCallback callback);
}

The implant will call the "entrypoint" as defined in the .json file. It points to your entrypoint function (it doesn't have to have that name, just follow the signature).

goCallback is a function for returning output to the Go side. It is called as callback(string, string_length).

When writing the extension, for now the "name" and "command_name" must match, otherwise the implant will reload your extension on every call.

As of this writing, non-BOF extensions don't support strongly typed arguments, so everything provided on the CLI after the command name is sent down as a single string. You have to handle it from there on the extension's native code side.
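As an added example (not code from the sliverkeylogger project), the following C shows the two caveats above in practice: the argument buffer arrives as a raw string of bufferSize bytes that the extension must bounds-check itself, and output goes back through the callback with an explicit length. The goCallback typedef matches the declaration above; parse_cmdid, handle_args and mock_callback are hypothetical names, and mock_callback is a constructed stand-in for the implant's callback so the block runs on its own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Callback type, same shape as the goCallback declared in the README. */
typedef int (*goCallback)(const char *output, int outputLength);

/* Bytes ignored around the argument (trailing NULs are tolerated, not required). */
static int is_blank(char c) {
    return c == ' ' || c == '\t' || c == '\r' || c == '\n' || c == '\0';
}

/* Parse the cmdid from the raw argument buffer (hypothetical helper).
   args is NOT assumed to be NUL-terminated: only bufferSize bytes are read.
   Returns 0, 1 or 2 on success, -1 for anything else (NULL, empty,
   non-digit, or out of range). */
int parse_cmdid(const char *args, uint32_t bufferSize) {
    if (args == NULL) return -1;
    uint32_t start = 0, end = bufferSize;
    while (start < end && is_blank(args[start])) start++;
    while (end > start && is_blank(args[end - 1])) end--;
    if (start == end) return -1;            /* nothing but whitespace */
    int value = 0;
    for (uint32_t i = start; i < end; i++) {
        if (args[i] < '0' || args[i] > '9') return -1;
        value = value * 10 + (args[i] - '0');
        if (value > 2) return -1;           /* only 0 (stop), 1 (start), 2 (get) exist */
    }
    return value;
}

/* Report the parsed command back through the callback using the
   (pointer, length) convention; the reply carries an explicit length rather
   than relying on the Go side to look for a terminator.
   Returns the parsed cmdid, or -1 if the input was rejected. */
int handle_args(const char *args, uint32_t bufferSize, goCallback callback) {
    static const char *names[] = { "stop", "start", "get keystrokes" };
    char reply[64];
    int id = parse_cmdid(args, bufferSize);
    int n;
    if (id < 0) {
        n = snprintf(reply, sizeof reply, "invalid cmdid (expected 0, 1 or 2)");
    } else {
        n = snprintf(reply, sizeof reply, "cmdid %d = %s", id, names[id]);
    }
    if (callback != NULL) callback(reply, n);
    return id;
}

/* Constructed stand-in for the implant's callback: records the last message
   it received so the result can be inspected offline. */
char last_reply[64];
int last_reply_len;

int mock_callback(const char *output, int outputLength) {
    if (outputLength < 0 || outputLength >= (int)sizeof last_reply) return -1;
    memcpy(last_reply, output, (size_t)outputLength);
    last_reply[outputLength] = '\0';
    last_reply_len = outputLength;
    return outputLength;
}

int main(void) {
    /* Constructed inputs: what arrives after "raw_keylogger" on the CLI. */
    const char ok[] = "2";
    const char padded[] = " 1\n";
    const char bad[] = "99";
    handle_args(ok, (uint32_t)(sizeof ok - 1), mock_callback);
    printf("%s\n", last_reply);
    handle_args(padded, (uint32_t)(sizeof padded - 1), mock_callback);
    printf("%s\n", last_reply);
    handle_args(bad, (uint32_t)(sizeof bad - 1), mock_callback);
    printf("%s\n", last_reply);
    return 0;
}
```

The point of the length-delimited parse is that bufferSize, not a terminator, bounds every read; a buffer such as "2junk" passed with bufferSize 1 is read as "2" and nothing past the first byte is touched.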

Contributors

freefirex
