Add parse_keylogger.py Script and Update README #3

Open: wants to merge 4 commits into base: master
27 changes: 25 additions & 2 deletions readme.md
@@ -1,7 +1,6 @@
# Sliver Keylogger

This extension to sliver was written mostly as a learning exercise ![image](https://user-images.githubusercontent.com/3172440/174394786-94255ada-2263-4b0b-8076-348b852b2546.png)
into how sliver handles extensions.
This extension to sliver was written mostly as a learning exercise ![image](https://user-images.githubusercontent.com/3172440/174394786-94255ada-2263-4b0b-8076-348b852b2546.png) into how sliver handles extensions.

I would like to thank the entire [Sliver](https://github.com/BishopFox/sliver) team for there work on this public implant framework.
I would especially like to thank [@rkervell](https://twitter.com/rkervell) for answering many of my questions related to how sliver handles it extensions
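Review bot: the two context lines right after the reflowed sentence still carry typos that this readme touch-up should pick up: `for there work` should read `for their work`, and `how sliver handles it extensions` should read `its extensions` (that sentence also lacks a terminating period). Since the hunk already rewrites the adjacent learning-exercise line, folding these two one-word fixes into the same commit keeps the intro edits together.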
@@ -55,3 +54,27 @@ goCallback is a function for returning output to go. its called like `callback
When coding the extension for now the "name" and "command_name" must match, otherwise the implant will reload your extension on every call.

As of this writing non-BOF extensions don't support strongly typed arguments, so everything provided on the cli after the command name will be sent down as a string. you have to handle it from there on the extension's native code side.


## Utilizing the `parse_keylogger.py` Script

To process and interpret the keylogger output, you can use the `parse_keylogger.py` script located in the `scripts/` directory.

### How to Use:

1. Ensure you have the necessary Python environment set up and active.
2. Navigate to the `scripts/` directory.
3. You can run the script in two ways:
- By passing the path to a log file:
```bash
python parse_keylogger.py --file path_to_log_file.txt
```
- By directly passing the log content as a string:
```bash
python parse_keylogger.py --string "your_log_content_here"
```

The script will process the log content, interpret special keystroke sequences, and print the human-readable text.

Note: The script currently handles special sequences like `[bs]` for backspaces and `[enter]` for newline entries. Other sequences such as arrow keys are recognized but not fully interpreted for cursor movement.

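Review bot: the closing note claims arrow keys "are recognized but not fully interpreted", but nothing in `scripts/parse_keylogger.py` recognizes arrow-key sequences; the script handles only `[bs]` and `[enter]` and passes every other bracketed sequence through untouched. Either drop that sentence or state plainly that all other sequences are left as-is. Two smaller points: step 1's "necessary Python environment" is overstated, because the script imports only `argparse` from the standard library and needs nothing beyond a Python 3 interpreter; and the `--string` form places captured keystrokes, which routinely include passwords, into shell history and `ps` output on the operator's box, so the README should steer operators toward `--file` (or the script should accept the log on stdin) rather than presenting the two forms as equivalent.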
97 changes: 97 additions & 0 deletions scripts/parse_keylogger.py
@@ -0,0 +1,97 @@
import argparse

def interpret_backspaces(line):
"""
Process the backspaces in the provided line of text.

Args:
- line (str): The line of text to process.

Returns:
- str: The processed line of text with backspaces applied.
"""
while '[bs]' in line:
index = line.index('[bs]')
# Remove the [bs]
line = line[:index] + line[index+4:]
# Remove the character before [bs] if it exists
if index > 0:
line = line[:index-1] + line[index:]
return line

def interpret_enter_keys(line):
"""
Process the enter keys in the provided line of text.

Args:
- line (str): The line of text to process.

Returns:
- str: The processed line of text with enter keys replaced by newlines.
"""
return line.replace('[enter]', '\n')

def process_log_line(line):
"""
Process a line from the log file to interpret special sequences.

Args:
- line (str): The line of text to process.

Returns:
- str: The processed line of text.
"""
line = interpret_backspaces(line)
line = interpret_enter_keys(line)
# Additional interpretations can be added here
return line

def interpret_log_file(file_path):
"""
Process the entire log file and return the interpreted text.

Args:
- file_path (str): The path to the log file.

Returns:
- str: The interpreted content of the log file.
"""
interpreted_log = []
with open(file_path, 'r') as f:
for line in f:
interpreted_log.append(process_log_line(line))
return ''.join(interpreted_log)

def interpret_log_string(log_str):
"""
Process the entire log string and return the interpreted text.

Args:
- log_str (str): The log content as a string.

Returns:
- str: The interpreted content of the log.
"""
lines = log_str.split('\n')
interpreted_log = [process_log_line(line) for line in lines]
return '\n'.join(interpreted_log)

def main():
parser = argparse.ArgumentParser(description='Interpret a keylogger output.')
parser.add_argument('--file', type=str, help='Path to the log file to interpret.')
parser.add_argument('--string', type=str, help='Log content as a string to interpret.')

args = parser.parse_args()

if args.file:
result = interpret_log_file(args.file)
elif args.string:
result = interpret_log_string(args.string)
else:
print("Please provide either --file or --string argument.")
return

print(result)

if __name__ == "__main__":
main()
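Review bot: `interpret_backspaces` corrupts the log whenever the character before `[bs]` is the closing bracket of another token, because `process_log_line` applies backspaces before it expands `[enter]`. For the input `abc[enter][bs]` the loop first strips `[bs]`, then deletes the single character before it, which is the `]` of `[enter]`, leaving `abc[enter`; `interpret_enter_keys` then never matches, and the same happens for any other bracketed key the implant emits. A `[bs]` at the start of a line (a backspace typed right after Enter) is also removed without deleting anything, since `if index > 0` skips it and lines are processed independently. Tokenize each line first (single characters and whole `[...]` sequences), apply `[bs]` by popping the previous token, and only then map `[enter]` to `\n`. Smaller points: `open(file_path, 'r')` should pass `encoding='utf-8', errors='replace'` so a log containing stray bytes from the target does not abort with `UnicodeDecodeError`; `--file` and `--string` are better declared via `parser.add_mutually_exclusive_group(required=True)` so argparse rejects the missing-or-both case instead of silently preferring `--file`; and because `--string` leaks captured keystrokes into shell history and process listings, reading the log from stdin when no argument is given would be the safer default.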