some progress on HID injection

2025-07-15 01:23:42 -07:00 · 2019-02-20 12:24:05 +01:00 · 2019-02-20 12:24:05 +01:00 · e0853ade9b
commit e0853ade9b
parent 6458a438db
5 changed files with 2254 additions and 38 deletions
--- a/modules/hid_recon/hid_builders.go
+++ b/modules/hid_recon/hid_builders.go
@ -0,0 +1,13 @@
+package hid_recon
+
+import (
+	"github.com/bettercap/bettercap/network"
+)
+
+type FrameBuilder interface {
+	BuildFrames(commands []Command)
+}
+
+var FrameBuilders = map[network.HIDType]FrameBuilder{
+	network.HIDTypeLogitech: LogitechBuilder{},
+}
--- a/modules/hid_recon/hid_command.go
+++ b/modules/hid_recon/hid_command.go
@ -0,0 +1,11 @@
+package hid_recon
+
+type Frame []byte
+
+type Command struct {
+	Mode   byte
+	HID    byte
+	Char   string
+	Sleep  byte
+	Frames []Frame
+}
--- a/modules/hid_recon/hid_keymaps.go
+++ b/modules/hid_recon/hid_keymaps.go
--- a/modules/hid_recon/hid_logitech.go
+++ b/modules/hid_recon/hid_logitech.go
@ -0,0 +1,8 @@
+package hid_recon
+
+type LogitechBuilder struct {
+}
+
+func (b LogitechBuilder) BuildFrames(commands []Command) {
+
+}
--- a/modules/hid_recon/hid_recon.go
+++ b/modules/hid_recon/hid_recon.go
@ -1,6 +1,7 @@
 package hid_recon

 import (
+	"fmt"
 	"sync"
 	"time"

@ -30,6 +31,7 @@ type HIDRecon struct {
 	pingPayload  []byte
 	inSniffMode  bool
 	inPromMode   bool
+	keyMap       string
 	selector     *utils.ViewSelector
 }

@ -50,6 +52,7 @@ func NewHIDRecon(s *session.Session) *HIDRecon {
 		inSniffMode:   false,
 		inPromMode:    false,
 		pingPayload:   []byte{0x0f, 0x0f, 0x0f, 0x0f},
+		keyMap:        "us",
 	}

 	mod.AddHandler(session.NewModuleHandler("hid.recon on", "",
@ -137,6 +140,12 @@ func (mod *HIDRecon) setSniffMode(mode string) error {
 	return nil
 }

+func (mod *HIDRecon) isSniffing() bool {
+	mod.sniffLock.Lock()
+	defer mod.sniffLock.Unlock()
+	return mod.sniffAddrRaw != nil
+}
+
 func (mod *HIDRecon) doHopping() {
 	if mod.inPromMode == false {
 		if err := mod.dongle.EnterPromiscMode(); err != nil {
@ -185,38 +194,69 @@ func (mod *HIDRecon) doPing() {
 			}
 		}
 	}
+
+	dev, found := mod.Session.HID.Get(mod.sniffAddr)
+	if found == false {
+		mod.Warning("could not find HID device %s", mod.sniffAddr)
+		return
 	}

-func (mod *HIDRecon) Start() error {
-	if err := mod.Configure(); err != nil {
-		return err
+	builder, found := FrameBuilders[dev.Type]
+	if found == false {
+		mod.Warning("HID frame injection is not supported for device type %s", dev.Type.String())
+		return
 	}

-	return mod.SetRunning(true, func() {
-		mod.waitGroup.Add(1)
-		defer mod.waitGroup.Done()
+	str := "hello world"
+	cmds := make([]Command, 0)
+	keyMap := KeyMapFor(mod.keyMap)
+	if keyMap == nil {
+		mod.Warning("could not find keymap for '%s' layout", mod.keyMap)
+		return
+	}

-		mod.Info("hopping on %d channels every %s", nrf24.TopChannel, mod.hopPeriod)
-		for mod.Running() {
-			isSniffing := mod.sniffAddrRaw != nil
-			if !isSniffing {
-				mod.doHopping()
+	for _, c := range str {
+		ch := fmt.Sprintf("%c", c)
+		if m, found := keyMap[ch]; found {
+			cmds = append(cmds, Command{
+				Char: ch,
+				HID:  m.HID,
+				Mode: m.Mode,
+			})
 		} else {
-				mod.doPing()
+			mod.Warning("could not find HID command for '%c'", ch)
+			return
+		}
 	}

-			buf, err := mod.dongle.ReceivePayload()
-			if err != nil {
-				mod.Warning("error receiving payload from channel %d: %v", mod.channel, err)
-				continue
+	builder.BuildFrames(cmds)
+
+	mod.Info("injecting %d HID commands ...", len(cmds))
+
+	numFrames := 0
+	szFrames := 0
+
+	for i, cmd := range cmds {
+		for j, frame := range cmd.Frames {
+			numFrames++
+			if err := mod.dongle.TransmitPayload(frame, 250, 1); err != nil {
+				mod.Error("error sending frame #%d of HID command #%d: %v", j, i, err)
+				return
+			} else if cmd.Sleep > 0 {
+				szFrames += len(frame)
+				mod.Debug("sleeping %dms after frame #%d of command #%d ...", cmd.Sleep, j, i)
+				time.Sleep(time.Duration(cmd.Sleep) * time.Millisecond)
+			}
+		}
 	}

-			sz := len(buf)
-			if isSniffing {
-				if sz > 0 && buf[0] == 0x00 {
+	mod.Info("send %d frames for %d bytes total", numFrames, szFrames)
+}
+
+func (mod *HIDRecon) onSniffedBuffer(buf []byte) {
+	if sz := len(buf); sz > 0 && buf[0] == 0x00 {
 		buf = buf[1:]
 		mod.Debug("sniffed payload %x for %s", buf, mod.sniffAddr)
-
 		if dev, found := mod.Session.HID.Get(mod.sniffAddr); found {
 			dev.LastSeen = time.Now()
 			dev.AddPayload(buf)
@ -225,8 +265,10 @@ func (mod *HIDRecon) Start() error {
 			mod.Warning("got a payload for unknown device %s", mod.sniffAddr)
 		}
 	}
-			} else {
-				if sz >= 5 {
+}
+
+func (mod *HIDRecon) onDeviceDetected(buf []byte) {
+	if sz := len(buf); sz >= 5 {
 		addr, payload := buf[0:5], buf[5:]
 		mod.Debug("detected device %x on channel %d (payload:%x)\n", addr, mod.channel, payload)
 		if isNew, dev := mod.Session.HID.AddIfNew(addr, mod.channel, payload); isNew {
@ -247,6 +289,35 @@ func (mod *HIDRecon) Start() error {
 		}
 	}
 }
+
+func (mod *HIDRecon) Start() error {
+	if err := mod.Configure(); err != nil {
+		return err
+	}
+
+	return mod.SetRunning(true, func() {
+		mod.waitGroup.Add(1)
+		defer mod.waitGroup.Done()
+
+		mod.Info("hopping on %d channels every %s", nrf24.TopChannel, mod.hopPeriod)
+		for mod.Running() {
+			if mod.isSniffing() {
+				mod.doPing()
+			} else {
+				mod.doHopping()
+			}
+
+			buf, err := mod.dongle.ReceivePayload()
+			if err != nil {
+				mod.Warning("error receiving payload from channel %d: %v", mod.channel, err)
+				continue
+			}
+
+			if mod.isSniffing() {
+				mod.onSniffedBuffer(buf)
+			} else {
+				mod.onDeviceDetected(buf)
+			}
 		}

 		mod.Debug("stopped")