feat: log keystrokes via rawinput #1078
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
| @@ -0,0 +1,17 @@ | |||
| rule: | |||
| meta: | |||
| name: log keystrokes via directx | |||
There was a problem hiding this comment.
why have you named this "...via directx"? i don't see that mentioned for the msdn pages for these functions.
There was a problem hiding this comment.
I confused GetRawInputData with DirectX, and I fixed by changing the file name.
The reference for GetRawInputData: http://www.rohitab.com/discuss/topic/35415-c-getrawinputdata-keylogger/
for DirectX: https://www.gironsec.com/blog/2017/07/keylogger-using-directx/
I will create another PR for DirectX one after this is merged.
|
thank you for the contribution @zeze-zeze! |
zeze-zeze
changed the title
I didn't check the one in nursery. This PR has the same target to log-keystrokes-via-raw-input-data.yml And I should have pushed to nursery. First time contribute to this project. |
|
@zeze-zeze thank you for your contribution! Please verify that the existing rules highlighted by @mr-tz match your example |
|
log-keystrokes-via-raw-input-data.yml is more restrict, but it doesn't match my keylogger example register-raw-input-devices matches the example, but it is less restrict than mine. Which rule should I move from nursery 🤯 |
Do we need to make log-keystrokes-via-raw-input-data.yml less restrict? Let's for sure move register-raw-input-devices out of the nursery. |
4 participants
test file: mandiant/capa-testfiles#296
reference: http://www.rohitab.com/discuss/topic/35415-c-getrawinputdata-keylogger/