[Suggestion] Multiple Control Characters


dcbz

Hey All,

For a project I'm working on I need to send pretty much every control character at once.

I just assumed the rubber ducky could do this when I bought it, since it's a pretty straightforward construct, however now that I actually start to play with it I can't get this to work.

Is it possible with the default firmware to send a string of control characters like:

Control + Alt + Windows Key + Shift + x

Any help would be much appreciated.

Thanks


It might be possible; it depends on what's going on at a HID level?

The Ducky only supports two-byte instructions in its current state-machine; control characters (e.g. control-alt) get OR'ed together, which then allows key-combos like ctrl-alt-del.

I haven't got much time to play around these days (until my life gets less hectic), but if you can run a USB sniffer (bus dog / usblyzer), and on a USB keyboard enter that combo (after something obvious like pressing a 5 times), I can look at the sequence and possibly try to add that extra command into the encoder.

Otherwise this is something for the next encoder.

If you only want that sequence, you could either hard-code it into the firmware, or another possibility is I could hardcode that sequence into firmware within the next 2x weeks. It should be straightforward from following Atmel's Keyboard HID example.

PS.

I've come across that sequence before... but can't remember that product's name...

Edited by midnitesnake
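
Added example (not part of the thread, and not code from the Ducky firmware or encoder): a decoder for the reports a USB sniffer shows when a combo is typed on a real keyboard, which makes the OR'ed modifier byte visible. It assumes the standard 8-byte boot-protocol keyboard report from the USB HID specification; the function names and the sample report are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte 0 of a boot-protocol keyboard report: bit 0 = Left Ctrl ... bit 7 = Right GUI. */
static const char *const MOD_NAMES[8] = { "LCtrl", "LShift", "LAlt", "LGUI",
                                          "RCtrl", "RShift", "RAlt", "RGUI" };

/* Keyboard usage page 0x07: 0x04..0x1d = a..z, 0x1e..0x26 = 1..9, 0x27 = 0. */
static char usage_to_char(uint8_t usage) {
    if (usage >= 0x04 && usage <= 0x1d) return (char)('a' + usage - 0x04);
    if (usage >= 0x1e && usage <= 0x26) return (char)('1' + usage - 0x1e);
    return usage == 0x27 ? '0' : '?';
}

/* Decode one 8-byte report (modifiers, reserved, six key slots) into text such as
 * "LCtrl+LAlt+x". Returns the count held, or -1 on bad length, rollover or small buffer. */
int hid_decode_report(const uint8_t *rep, size_t len, char *out, size_t outlen) {
    size_t used = 0;
    int held = 0;
    if (len != 8 || outlen == 0) return -1;
    out[0] = '\0';
    for (int i = 0; i < 14; i++) {              /* 8 modifier bits, then 6 key slots */
        char key[2] = { 0, 0 };
        const char *name = key;
        if (i < 8) {
            if (!(rep[0] & (1u << i))) continue;
            name = MOD_NAMES[i];
        } else {
            if (rep[i - 6] == 0x00) continue;   /* empty key slot */
            if (rep[i - 6] == 0x01) return -1;  /* ErrorRollOver: too many keys held */
            key[0] = usage_to_char(rep[i - 6]);
        }
        int n = snprintf(out + used, outlen - used, "%s%s", held ? "+" : "", name);
        if (n < 0 || (size_t)n >= outlen - used) return -1;
        used += (size_t)n;
        held++;
    }
    return held;
}

/* Constructed sample: Ctrl|Shift|Alt|GUI (0x01|0x02|0x04|0x08 = 0x0f) held with 'x' (0x1b). */
static const uint8_t SAMPLE_COMBO[8] = { 0x0f, 0, 0x1b, 0, 0, 0, 0, 0 };

int main(void) {
    char buf[64];
    if (hid_decode_report(SAMPLE_COMBO, 8, buf, sizeof buf) > 0) puts(buf);
    return 0;
}
```

All four modifiers fit in the single modifier byte, so the combination asked about in the first post is one report with byte 0 set to 0x0f and the key's usage ID in the first key slot.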

Ah thanks for the reply.

I grabbed a copy of the firmware source and was looking to hardcode it now.

I was wondering if the bytecode generated by encode.jar contained the literal key code value, because then I could just encode it manually. But from what you described it sounds like those bytes aren't the key codes themselves.

I will read the firmware source and see if I have time to tackle it that way. My project is due in 8 days and requires a lot of work after I get this part working ;)

Thanks again. I'll let you know which route i go.


Added an untested (but compiles with no errors) example of a Hard-Coded Keyboard HID Injection Firmware in the SVN source folder, called Ducky_HID_Hardcoded.zip.

This might help you understand the workings a bit better? This uses Atmel's example of playing Keyboard HID keys, in place of Applebaum's state-machine.


Hey,

Thanks for the help with this.

The firmware source you uploaded seems to send ui_sequence as soon as you insert the device, right?

I actually have some weird requirements, but I need to set some stuff up, then send the keystroke once I'm done.

I need the ducky to function as normal; I was going to recompile an encoder with a new instruction, like WEIRDKEYSTROKE, and have that send the char code.

Guess I'll try to get that working now.

Thanks!

Edited by dcbz

Look at the original code and the GPIO if statement: you can program the Ducky to only send the instruction on the push of this button, and you can enter your other instructions hardcoded per the example.

Sorry, but I'm away from keyboard until the weekend. So can't give any great help until then.

Thought the key combo was a Deep Freeze thing; think it's different?


Thanks again for your help, I see what you mean.

The hardcoded string is great thanks, that's exactly what I need I guess.

Pushing the button won't work though, since I need to do something timing related, I will need to somehow signal to the device to send the keystroke.

I guess I can change the state machine in the original code. injectToken comes straight from the file right, so if I do something like if((injectToken & 0xff) == 0x90) { do_hardcoded_signal; } I could then add an instruction and recompile encoder.jar to emit it.

That should work yeah?

Thanks again for your help.

If I get this working I'll send it to you off list ;)


Hrm this didn't seem to work.

In process_frame() I added:

/* 0x90 is the token emitted by the new encoder instruction */
if ((injectToken & 0xff) == 0x90) {
    sequence_running = true;
}

Above it, I have the loop processing the sequence, at the start of STATE_INJECTING.

I added an instruction to the encoder.jar which looks like this:

} else if (instruction[0].equals("TRIGGEREXPLOIT")) {
    // emit the single-byte trigger token checked in process_frame()
    file.add((byte)0x90);
} else if (instruction[0].equals("STRING")) {

Then I make a file like this:

-[dcbz@squee:~/code/ducky]$ cat > test
TRIGGEREXPLOIT
-[dcbz@squee:~/code/ducky]$ java -jar encoder.jar -i test
-[dcbz@squee:~/code/ducky]$ xxd inject.bin
0000000: 90 .

However when I run this, I do not see the keystrokes I used.

Not sure why it's not working at this stage, will debug tomorrow ;(

EDIT: Scratch this, it seems to be working. Thanks for all your help!

Edited by dcbz