extract keystroke from buffer data [metasploit]
# extracted from metasploit source code
# needs the hex stream of the keyscan buffer as input
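# Windows virtual-key code -> key name table, taken from Metasploit's stdapi
# UI extension. Each value is [unshifted, shifted] where the key has a shifted
# form, otherwise a single descriptive name; keyscan_extract picks the index
# from the record's shift flag. Frozen because it is a lookup table, not state.
VirtualKeyCodes = {
  # mouse buttons and control keys
  1 => %w{ LClick },
  2 => %w{ RClick },
  3 => %w{ Cancel },
  4 => %w{ MClick },
  8 => %w{ Back },
  9 => %w{ Tab },
  10 => %w{ Newline },
  12 => %w{ Clear },
  13 => %w{ Return },
  16 => %w{ Shift },
  17 => %w{ Ctrl },
  18 => %w{ Alt },
  19 => %w{ Pause },
  20 => %w{ CapsLock },
  27 => %w{ Esc },
  32 => %w{ Space },
  33 => %w{ Prior },
  34 => %w{ Next },
  35 => %w{ End },
  36 => %w{ Home },
  37 => %w{ Left },
  38 => %w{ Up },
  39 => %w{ Right },
  40 => %w{ Down },
  41 => %w{ Select },
  42 => %w{ Print },
  43 => %w{ Execute },
  44 => %w{ Snapshot },
  45 => %w{ Insert },
  46 => %w{ Delete },
  47 => %w{ Help },
  # top-row digits with their shifted symbols (US layout)
  48 => %w{ 0 )},
  49 => %w{ 1 !},
  50 => %w{ 2 @},
  51 => %w{ 3 #},
  52 => %w{ 4 $},
  53 => %w{ 5 %},
  54 => %w{ 6 ^},
  55 => %w{ 7 &},
  56 => %w{ 8 *},
  57 => %w{ 9 (},
  # letters: lowercase, then the shifted uppercase form
  65 => %w{ a A},
  66 => %w{ b B},
  67 => %w{ c C},
  68 => %w{ d D},
  69 => %w{ e E},
  70 => %w{ f F},
  71 => %w{ g G},
  72 => %w{ h H},
  73 => %w{ i I},
  74 => %w{ j J},
  75 => %w{ k K},
  76 => %w{ l L},
  77 => %w{ m M},
  78 => %w{ n N},
  79 => %w{ o O},
  80 => %w{ p P},
  81 => %w{ q Q},
  82 => %w{ r R},
  83 => %w{ s S},
  84 => %w{ t T},
  85 => %w{ u U},
  86 => %w{ v V},
  87 => %w{ w W},
  88 => %w{ x X},
  89 => %w{ y Y},
  90 => %w{ z Z},
  91 => %w{ LWin },
  92 => %w{ RWin },
  93 => %w{ Apps },
  95 => %w{ Sleep },
  # numeric keypad
  96 => %w{ N0 },
  97 => %w{ N1 },
  98 => %w{ N2 },
  99 => %w{ N3 },
  100 => %w{ N4 },
  101 => %w{ N5 },
  102 => %w{ N6 },
  103 => %w{ N7 },
  104 => %w{ N8 },
  105 => %w{ N9 },
  106 => %w{ Multiply },
  107 => %w{ Add },
  108 => %w{ Separator },
  109 => %w{ Subtract },
  110 => %w{ Decimal },
  111 => %w{ Divide },
  # function keys
  112 => %w{ F1 },
  113 => %w{ F2 },
  114 => %w{ F3 },
  115 => %w{ F4 },
  116 => %w{ F5 },
  117 => %w{ F6 },
  118 => %w{ F7 },
  119 => %w{ F8 },
  120 => %w{ F9 },
  121 => %w{ F10 },
  122 => %w{ F11 },
  123 => %w{ F12 },
  124 => %w{ F13 },
  125 => %w{ F14 },
  126 => %w{ F15 },
  127 => %w{ F16 },
  128 => %w{ F17 },
  129 => %w{ F18 },
  130 => %w{ F19 },
  131 => %w{ F20 },
  132 => %w{ F21 },
  133 => %w{ F22 },
  134 => %w{ F23 },
  135 => %w{ F24 },
  144 => %w{ NumLock },
  145 => %w{ Scroll },
  # left/right modifier variants
  160 => %w{ LShift },
  161 => %w{ RShift },
  162 => %w{ LCtrl },
  163 => %w{ RCtrl },
  164 => %w{ LMenu },
  165 => %w{ RMenu },
  # browser and media keys
  166 => %w{ Back },
  167 => %w{ Forward },
  168 => %w{ Refresh },
  169 => %w{ Stop },
  170 => %w{ Search },
  171 => %w{ Favorites },
  172 => %w{ Home },
  176 => %w{ Forward },
  177 => %w{ Reverse },
  178 => %w{ Stop },
  179 => %w{ Play },
  # OEM punctuation keys (US layout)
  186 => %w{ ; :},
  187 => %w{ = +},
  188 => %w{ , <},
  189 => %w{ - _},
  190 => %w{ . >},
  191 => %w{ / ?},
  192 => %w{ ` ~}, # VK_OEM_3 is the backtick/tilde key on a US layout, not the apostrophe
  219 => %w| [ {|,
  # Written as a plain array: inside %w a bare "\ " escapes the space and
  # merges both entries into the single word " |", losing the backslash.
  220 => ['\\', '|'],
  221 => %w| ] }|,
  222 => %w{ ' Quotes },
}.freeze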
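# Decode a Meterpreter keyscan buffer into readable text.
#
# The buffer is a hex string of big-endian 16-bit records: the high byte is a
# flag byte (bit 1 = shift held; the ctrl/alt bits are present in the data but
# not used here), the low byte is a Windows virtual-key code looked up in
# VirtualKeyCodes. Printable keys are emitted as-is (shifted variant when the
# shift flag is set), Space as " ", shift/click pseudo-keys are dropped, any
# other named key as " <Name> ", and unknown codes as " <0xNN> ".
#
# @param buffer_data [String, nil] hex-encoded keystroke buffer; nil or "" decode to ""
# @return [String] decoded keystrokes
# @raise [ArgumentError] when the input contains non-hex characters —
#   Array#pack("H*") would otherwise silently turn them into garbage nibbles,
#   which matters because this data comes straight from a remote session
def keyscan_extract(buffer_data)
  hex = buffer_data.to_s
  raise ArgumentError, "buffer_data must be a hex string" unless hex.match?(/\A\h*\z/)

  [hex].pack("H*").unpack("n*").each_with_object(+"") do |record, outp|
    flags = (record & 0xff00) >> 8
    vk = record & 0xff
    kc = VirtualKeyCodes[vk]

    unless kc
      # Unknown code: print it as hex so the gap is visible instead of dropped.
      outp << " <0x%.2x> " % vk
      next
    end

    # Only keys that have a shifted form (two entries) honour the shift flag.
    shifted = (flags & (1 << 1)) != 0 && kc.length > 1
    name = shifted ? kc[1] : kc[0]
    case name
    when /\A.\z/ then outp << name
    when /shift|click/i then nil # modifier and mouse-click events carry no text
    when 'Space' then outp << " "
    else outp << " <#{name}> "
    end
  end
end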
# example hex stream (sample keyscan buffer)
# Sample keyscan buffer as a hex stream; decode it and print the result.
hex_stream = "0101014e014f015401450101014e014f0154014501db01500141010801080108015001410144010d010d010d010d010d010d0101031003a003530131031003a00342034e035201310139031003a003430144031003a00358035203550141031003a003470101014c015a0141031003a00358034e034f01420133031003a0035201300141031003a00347035603470142031003a003470346014e010d010d010d010d010d010d010d"
$stdout.puts(keyscan_extract(hex_stream))