USB traffic analysis mostly means keyboard and mouse traffic: recovering the keys that were pressed, and the mouse movements and clicks. A keyboard (boot-protocol) report is normally 8 bytes long: byte 0 is the modifier bitmask (Ctrl/Shift/Alt/GUI), byte 1 is reserved, and bytes 2-7 hold up to six keycodes that are currently held down. A mouse report is normally 4 bytes (buttons, dx, dy, wheel). The payload itself is shown in Wireshark as HID Data (field usbhid.data; older versions show it as Leftover Capture Data, field usb.capdata), and that is the USB data being transferred.
Looking through the capture, only traffic with source address 1.5.1 carries the HID field, so extract it with tshark (on older Wireshark versions use -e usb.capdata instead):
tshark -r usb.pcapng -T fields -e usbhid.data -Y 'usb.src == "1.5.1"' > usbdata.txt
In the Info column these packets show as URB_INTERRUPT in, the interrupt transfer on which a HID device delivers its reports; that is where the HID Data is found.
The extracted data looks like this (one 8-byte report per line; an all-zero report means every key has been released):
0000090000000000
0000000000000000
00000f0000000000
0000000000000000
0000040000000000
0000000000000000
0200000000000000
0000000000000000
...
The meaning of each byte is fixed (byte 0 is the modifier, byte 2 the first keycode), so the following script can be applied directly:
# Keys without a modifier (HID usage page 0x07 keycodes, as two-digit hex strings)
normalKeys = {
    # ---- letters, digits and symbols ----
    "04":"a","05":"b","06":"c","07":"d","08":"e","09":"f","0a":"g","0b":"h",
    "0c":"i","0d":"j","0e":"k","0f":"l","10":"m","11":"n","12":"o","13":"p",
    "14":"q","15":"r","16":"s","17":"t","18":"u","19":"v","1a":"w","1b":"x",
    "1c":"y","1d":"z","1e":"1","1f":"2","20":"3","21":"4","22":"5","23":"6",
    "24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>",   # 0x2a is Backspace (delete backward)
    "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\",
    "32":"<NON>","33":";","34":"'","35":"`","36":",","37":".","38":"/",
    "39":"<CAP>","3a":"<F1>","3b":"<F2>","3c":"<F3>","3d":"<F4>","3e":"<F5>",
    "3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>",
    "45":"<F12>",
    # ---- extended function / editing / cursor keys ----
    "46":"<PRTSC>","47":"<SCRL>","48":"<PAUSE>","49":"<INS>","4a":"<HOME>",
    "4b":"<PGUP>","4c":"<DEL_FW>","4d":"<END>","4e":"<PGDN>","4f":"<RIGHT>",
    "50":"<LEFT>","51":"<DOWN>","52":"<UP>",
    # ---- numeric keypad (with Num Lock on) ----
    "53":"<NUM>","54":"/","55":"*","56":"-","57":"+","58":"<KP_RET>",
    "59":"1","5a":"2","5b":"3","5c":"4","5d":"5","5e":"6","5f":"7","60":"8",
    "61":"9","62":"0","63":".","67":"=",
    # ---- language-independent / system and application keys ----
    "64":"<NONUS\\|>","65":"<APP>","66":"<POWER>",
    "68":"<F13>","69":"<F14>","6a":"<F15>","6b":"<F16>","6c":"<F17>",
    "6d":"<F18>","6e":"<F19>","6f":"<F20>","70":"<F21>","71":"<F22>",
    "72":"<F23>","73":"<F24>","74":"<EXEC>","75":"<HELP>","76":"<MENU>",
    "77":"<SELECT>","78":"<STOP>","79":"<AGAIN>","7a":"<UNDO>",
    "7b":"<CUT>","7c":"<COPY>","7d":"<PASTE>","7e":"<FIND>","7f":"<MUTE>",
    "80":"<VOL_UP>","81":"<VOL_DN>","82":"<LOCK_CAPS>","83":"<LOCK_NUM>",
    "84":"<LOCK_SCRL>",
    # ---- modifier keys (they arrive in the modifier byte; listed only as placeholders) ----
    "e0":"<LCTL>","e1":"<LSHFT>","e2":"<LALT>","e3":"<LGUI>",
    "e4":"<RCTL>","e5":"<RSHFT>","e6":"<RALT>","e7":"<RGUI>"
}
# Characters produced while Shift is held
shiftKeys = {
    # ---- letters ----
    "04":"A","05":"B","06":"C","07":"D","08":"E","09":"F","0a":"G","0b":"H",
    "0c":"I","0d":"J","0e":"K","0f":"L","10":"M","11":"N","12":"O","13":"P",
    "14":"Q","15":"R","16":"S","17":"T","18":"U","19":"V","1a":"W","1b":"X",
    "1c":"Y","1d":"Z",
    # ---- digit row ----
    "1e":"!","1f":"@","20":"#","21":"$","22":"%","23":"^","24":"&","25":"*",
    "26":"(","27":")",
    # ---- other symbol keys ----
    "2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>",
    "33":"\"", "34":":","35":"~","36":"<","37":">","38":"?",
    # ---- every other key is unaffected by Shift: reuse normalKeys ----
    **{k:v for k,v in normalKeys.items() if k not in {
        "04","05","06","07","08","09","0a","0b","0c","0d","0e","0f","10","11",
        "12","13","14","15","16","17","18","19","1a","1b","1c","1d",
        "1e","1f","20","21","22","23","24","25","26","27",
        "2d","2e","2f","30","31","32","33","34","35","36","37","38"
    }}
}
LSHIFT, RSHIFT = 0x02, 0x20   # bits of the modifier byte for left and right Shift

nums = []
with open('usbdata.txt', 'rt') as keys:          # one report per line, as written by tshark
    for line in keys:
        line = line.strip().replace(":", "")     # drop the newline and any "aa:bb" byte separators
        if len(line) != 16:                      # keep only 8-byte keyboard reports; this skips mouse and other devices
            continue
        nums.append(line[0:2] + line[4:6])       # byte 0 (modifier) and byte 2 (first keycode)

output = ""
for n in nums:
    mod, key = int(n[0:2], 16), n[2:4]
    if key == "00":                              # release / idle report, nothing typed
        continue
    if key in normalKeys:
        if mod & (LSHIFT | RSHIFT):              # either Shift held
            output += shiftKeys[key]
        else:
            output += normalKeys[key]
    else:
        output += '[unknown]'
# Note: Caps Lock, keys in slots 3-7 and reports re-sent while a key is held are not handled here.
print('output :\n' + output)
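The script above reads only the first key slot and decides upper versus lower case from the Shift bits alone. The decoder below is an added example written for this page, not code from the original post: it handles all six key slots, Caps Lock, duplicate reports re-sent while a key is held (only key-down edges are emitted), colon-separated tshark output, and the 4-byte mouse reports the post mentions but does not decode. The mouse layout (buttons, dx, dy, wheel with signed 8-bit deltas) and the sample reports are assumptions constructed for this example; a real device's report descriptor may differ, so check it in the capture's GET DESCRIPTOR response before trusting the mouse output.

```python
# Added example, not code from the original post. Decodes raw HID reports as
# written by `tshark -T fields -e usbhid.data`, one per line. Assumptions:
# boot-protocol keyboard (modifier, reserved, 6 keycodes) and a 4-byte mouse
# report laid out as buttons, dx, dy, wheel with signed 8-bit deltas.
import string

# Keymap as (plain, shifted) pairs; only part of HID usage page 0x07.
KEYMAP = {0x04 + i: (c, c.upper()) for i, c in enumerate(string.ascii_lowercase)}
KEYMAP.update({0x1e + i: (d, s) for i, (d, s) in enumerate(zip("1234567890", "!@#$%^&*()"))})
KEYMAP.update({
    0x28: ("\n", "\n"), 0x2a: ("<BS>", "<BS>"), 0x2c: (" ", " "),
    0x2d: ("-", "_"), 0x2e: ("=", "+"), 0x2f: ("[", "{"), 0x30: ("]", "}"),
    0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'), 0x35: ("`", "~"),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})
CAPS_LOCK = 0x39
SHIFT_MASK = 0x02 | 0x20      # modifier byte: bit 1 = left Shift, bit 5 = right Shift


def parse_reports(lines):
    """tshark field output -> list of bytes; tolerates 'aa:bb:cc' separators."""
    reports = []
    for line in lines:
        hexs = line.strip().replace(":", "")
        if hexs:
            reports.append(bytes.fromhex(hexs))
    return reports


def decode_keyboard(lines):
    """Rebuild typed text from 8-byte keyboard reports."""
    text, caps, prev_keys = [], False, set()
    for rep in parse_reports(lines):
        if len(rep) != 8:
            continue                       # not a keyboard report (e.g. mouse)
        mods, keys = rep[0], {k for k in rep[2:8] if k}
        for k in sorted(keys - prev_keys):  # emit only on key-down edges
            if k == CAPS_LOCK:
                caps = not caps
            elif k in KEYMAP:
                plain, shifted = KEYMAP[k]
                use_shift = bool(mods & SHIFT_MASK)
                if plain.isalpha():
                    use_shift ^= caps      # Caps Lock inverts Shift for letters only
                text.append(shifted if use_shift else plain)
            else:
                text.append("[%02x]" % k)  # keycode not in the table
        prev_keys = keys                   # held keys are remembered, not repeated
    return "".join(text)


def s8(b):
    """Interpret one byte as a signed 8-bit value."""
    return b - 256 if b > 127 else b


def decode_mouse(lines):
    """Track a 4-byte mouse: returns (final_xy, left_click_positions)."""
    x = y = 0
    prev_buttons, clicks = 0, []
    for rep in parse_reports(lines):
        if len(rep) != 4:
            continue                       # not a mouse report (e.g. keyboard)
        buttons = rep[0]
        x, y = x + s8(rep[1]), y + s8(rep[2])
        if buttons & 1 and not prev_buttons & 1:   # left button press edge
            clicks.append((x, y))
        prev_buttons = buttons
    return (x, y), clicks


# Constructed sample reports (not taken from the capture discussed in the post).
KEYBOARD_SAMPLE = [
    "0000090000000000",  # f pressed
    "0000090000000000",  # same report re-sent while held: no second 'f'
    "0000000000000000",  # all released
    "0200170000000000",  # left Shift + t -> T
    "2000240000000000",  # right Shift + 7 -> &
    "0000390000000000",  # Caps Lock on
    "0000040000000000",  # a with Caps Lock -> A
    "0200050000000000",  # Shift + b with Caps Lock -> b
    "00:00:28:00:00:00:00:00",  # Enter, colon-separated tshark formatting
    "01000000",          # mouse report mixed in: ignored by decode_keyboard
]
MOUSE_SAMPLE = [
    "00050000",  # dx=+5 -> (5, 0)
    "00fbfe00",  # dx=-5, dy=-2 -> (0, -2)
    "01000000",  # left button down: click at (0, -2)
    "01000000",  # still held: no new click
    "000a0a00",  # released and moved -> (10, 8)
    "01010100",  # moved to (11, 9) and pressed: click at (11, 9)
    "0000090000000000",  # keyboard report mixed in: ignored by decode_mouse
]

if __name__ == "__main__":
    print(repr(decode_keyboard(KEYBOARD_SAMPLE)))  # 'fT&Ab\n'
    print(decode_mouse(MOUSE_SAMPLE))              # ((11, 9), [(0, -2), (11, 9)])
```

To run it against a real capture, replace the constructed lists with `open('usbdata.txt').read().splitlines()`; because both decoders filter on report length, the same file can be fed to each. If a flag is drawn with the mouse rather than typed, plot the positions collected while the left button is held instead of only the press points.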
Notice:
确石如此 | All rights reserved; violations will be pursued | Original content unless otherwise noted | This site is licensed under CC BY-NC-SA 4.0
Please credit the original link when reposting.