public void ProcessKeylog(dotnet_keylogger.keylog K)
{
if (this.Name != K.WindowTitle)
{
throw new System.Exception("Keylog application name does not match Application obj name");
}
if (this.StartTime == DateTime.MinValue)
{
this.StartTime = K.Timestamp;
}
this.EndTime = K.Timestamp;
this.KeylogCount++;
}
private Boolean readKeylog(String ApplicationRegex = ".*", String ProcessRegex = ".*", String SessionRegex = ".*")
{
while (!keylogQ.isEmpty())
{
bool _match;
try
{
latest_keylog = keylogQ.Retrieve();
if (!this.Sessions.Last().AddKeylog(latest_keylog, user))
{
// Session wants to be closed, time for a new one
this.Sessions.Add(new Session(Sessions.Count));
this.Sessions.Last().AddKeylog(latest_keylog, user);
}
_match = true;
if (SessionRegex != ".*")
{
if (!(Regex.Match(latest_keylog.Session.ToString(), SessionRegex)).Success)
{
_match = false;
}
}
if (ApplicationRegex != ".*")
{
if (!(Regex.Match(latest_keylog.WindowName, ProcessRegex)).Success)
{
_match = false;
}
}
if (ProcessRegex != ".*")
{
if (!(Regex.Match(latest_keylog.WindowTitle.ToString(), ProcessRegex)).Success)
{
_match = false;
}
}
if (_match)
{
keylogs.Enqueue(latest_keylog);
return(true); // We have an event, time to go
}
}
catch
{
//ignore
}
}
return(false); // Couldn't find an event, time to return false
}
public bool AddKeylog(dotnet_keylogger.keylog Keylog, string User)
{
if (this.Closed)
{
throw new SystemException("Session is closed");
}
if (this.Keylogs != null)
{
if ((Keylog.Timestamp - this.Keylogs.Last().Timestamp).TotalSeconds > this.MaxAge)
{
// Too old, time to close
this.Close();
return(false);
}
if (User != this.User)
{
// Diff user, time to close
this.Close();
return(false);
}
}
else
{
this.Keylogs = new List <dotnet_keylogger.keylog>();
this.StartTime = Keylog.Timestamp;
this.User = User;
}
this.Keylogs.Add(Keylog);
this.KeylogCount++;
Keylog.Session = this.Index;
if (!this.ContainsApplication(Keylog.WindowTitle))
{
this.Applications.Add(Keylog.WindowTitle, new Application(Keylog.WindowTitle));
this.ApplicationCount++;
}
this.Applications[Keylog.WindowTitle].ProcessKeylog(Keylog);
return(true);
}
private static IntPtr HookCallback(int nCode, IntPtr wParam, IntPtr lParam)
{
/* https://msdn.microsoft.com/en-us/library/windows/desktop/ms644985(v=vs.85).aspx
* Params:
* nCode : if greater than ZERO, return the result of CallNextHookEx
* wParam : WM_KEYDOWN; WM_KEYUP, WM_SYSKEYDOWN or WM_SYSKEYUP
* lParam :
*/
/* https://docs.microsoft.com/en-us/windows/desktop/api/winuser/ns-winuser-tagkbdllhookstruct
* lParams struct:
* DWORD vkCode = Virtual Key code https://docs.microsoft.com/en-us/windows/desktop/inputdev/virtual-key-codes
* DWORD scanCode = Hardware scan code for the key
* DWORD flags = 8 bit code describing various events
* bits of note:
* 0: Is it an extended key?
* 1: If the key injection comes from a lower integirty process?
* 4: Was the key injected?
* 5: Is the ALT key down? Useless
* 7: Transition (0 if pressed, 1 if released)
* DWORD time = timestamp equivelant to GetMessageTime
* ULONG_PTR dwExtraInfo = Pointer to extra info
*/
if (nCode >= 0 && control.state == true)
{
long diff = 0;
int vkCode = Marshal.ReadInt32(lParam);
int scanCode = Marshal.ReadInt32(lParam + 4);
int flags = Marshal.ReadInt32(lParam + 8);
/// Skip repeat messages if a key if its being held down
if (scanCode == lastScanCode && flags == lastFlags)
{
return(CallNextHookEx(_hookID, nCode, wParam, lParam));
}
else
{
lastScanCode = scanCode; lastFlags = flags;
}
int timestamp = Marshal.ReadInt32(lParam + 12);
if (currentTime.Year == 1)
{
currentTime = DateTime.UtcNow;
}
else
{
if (timestamp < lastMsgTime)
{
diff = (timestamp + (2147483647 - lastMsgTime));
} //long max wrap
else
{
diff = timestamp - lastMsgTime;
}
currentTime = currentTime.AddMilliseconds(diff);
}
lastMsgTime = timestamp;
int kflags = 0x00000000;
if (wParam == (IntPtr)WM_SYSKEYDOWN)
{
switch (vkCode)
{
case (int)VirtualKeyStates.VK_LALT:
left_alt = 1;
break;
case (int)VirtualKeyStates.VK_RALT:
if (right_alt == 1)
{
return(CallNextHookEx(_hookID, nCode, wParam, lParam));
}
right_alt = 1;
break;
case (int)VirtualKeyStates.VK_LCON:
/// Some weird bug where right alt send alternating ralt and lcon
if (right_alt == 1)
{
return(CallNextHookEx(_hookID, nCode, wParam, lParam));
}
break;
}
}
if (wParam == (IntPtr)WM_KEYDOWN)
{
switch (vkCode)
{
case (int)VirtualKeyStates.VK_CAPITAL:
caps = 1 - caps;
break;
case (int)VirtualKeyStates.VK_NUM:
num = 1 - num;
break;
case (int)VirtualKeyStates.VK_SCROLL:
scroll = 1 - scroll;
break;
case (int)VirtualKeyStates.VK_LSHIFT:
left_shift = 1;
break;
case (int)VirtualKeyStates.VK_RSHIFT:
right_shift = 1;
break;
case (int)VirtualKeyStates.VK_LWIN:
win = 1;
break;
}
}
if (wParam == (IntPtr)WM_KEYUP)
{
switch (vkCode)
{
case (int)VirtualKeyStates.VK_LSHIFT:
left_shift = 0;
break;
case (int)VirtualKeyStates.VK_RSHIFT:
right_shift = 0;
break;
case (int)VirtualKeyStates.VK_LWIN:
win = 0;
break;
case (int)VirtualKeyStates.VK_LALT:
left_alt = 0;
break;
case (int)VirtualKeyStates.VK_RALT:
right_alt = 0;
break;
}
}
kflags += scroll << 7;
kflags += num << 6;
kflags += caps << 5;
kflags += left_alt << 4;
kflags += right_alt << 3;
kflags += left_shift << 2;
kflags += right_shift << 1;
kflags += win;
keylog K = new keylog(currentTime, diff, lParam, (byte)kflags, GetActiveWindowTitle(), GetActiveWindowName());
kQ.Add(K);
}
return(CallNextHookEx(_hookID, nCode, wParam, lParam));
}
public void Add(keylog k)
{
this.keylogs.Enqueue(k);
}
public Feature(double Value, dotnet_keylogger.keylog Keylog, string User)
{
this.Value = Value;
this.Keylog = Keylog;
this.User = User;
}
private static String FeatureToLine(dotnet_keylogger.keylog keylog, string feature, int seqNo)
{
return(String.Join(dotnet_keylogger.keylog.delimeter.ToString(), new string[] { keylog.Timestamp.ToString("o"), user, seqNo.ToString(), keylog.Key, feature }));
}