第一次做usb数据分析,记录一下
http://www.beyondlogic.org/usbnutshell/usb4.shtml#Interrupt
对于usehid.data
第一字节0x02或者0x20,表示shift键被按
第三字节为press key code,对照如下python代码。
解题思路是通过Description Response Device包确定设备为keyword,查找usb keyword 地址,然后用
tshark -r xxx.pcap -Y 'usb.src == "usb keyword.addr"' -T fields -e usbhid.data | grep -v 0000000000000000 dump数据。
可以使用-T json查看完整数据包。
#!/usr/bin/env python3
# run this before the script : `tshark -r access_cards.pcap -Y 'usb.src == "1.16.1"' -T fields -e usbhid.data | grep -v 0000000000000000 > data.dat `
# This is the name of the file that contains the HID data. A line should look like `030000000000000000`
file_name = "data.dat"
# This should cover the most common key codes
MappingN = {}
MappingS = {}
MappingN[4] = "a"; MappingS[4] = "A"
MappingN[5] = "b"; MappingS[5] = "B"
MappingN[6] = "c"; MappingS[6] = "C"
MappingN[7] = "d"; MappingS[7] = "D"
MappingN[8] = "e"; MappingS[8] = "E"
MappingN[9] = "f"; MappingS[9] = "F"
MappingN[10] = "g"; MappingS[10] = "G"
MappingN[11] = "h"; MappingS[11] = "H"
MappingN[12] = "i"; MappingS[12] = "I"
MappingN[13] = "j"; MappingS[13] = "J"
MappingN[14] = "k"; MappingS[14] = "K"
MappingN[15] = "l"; MappingS[15] = "L"
MappingN[16] = "m"; MappingS[16] = "M"
MappingN[17] = "n"; MappingS[17] = "N"
MappingN[18] = "o"; MappingS[18] = "O"
MappingN[19] = "p"; MappingS[19] = "P"
MappingN[20] = "q"; MappingS[20] = "Q"
MappingN[21] = "r"; MappingS[21] = "R"
MappingN[22] = "s"; MappingS[22] = "S"
MappingN[23] = "t"; MappingS[23] = "T"
MappingN[24] = "u"; MappingS[24] = "U"
MappingN[25] = "v"; MappingS[25] = "V"
MappingN[26] = "w"; MappingS[26] = "W"
MappingN[27] = "x"; MappingS[27] = "X"
MappingN[28] = "y"; MappingS[28] = "Y"
MappingN[29] = "z"; MappingS[29] = "Z"
MappingN[30] = "1"; MappingS[30] = "!"
MappingN[31] = "2"; MappingS[31] = "@"
MappingN[32] = "3"; MappingS[32] = "#"
MappingN[33] = "4"; MappingS[33] = "$"
MappingN[34] = "5"; MappingS[34] = "%"
MappingN[35] = "6"; MappingS[35] = "^"
MappingN[36] = "7"; MappingS[36] = "&"
MappingN[37] = "8"; MappingS[37] = "*"
MappingN[38] = "9"; MappingS[38] = "("
MappingN[39] = "0"; MappingS[39] = ")"
MappingN[40] = "Enter"; MappingS[40] = "Enter"
MappingN[41] = "esc"; MappingS[41] = "esc"
MappingN[42] = "del"; MappingS[42] = "del"
MappingN[43] = "tab"; MappingS[43] = "tab"
MappingN[44] = "space"; MappingS[44] = "space"
MappingN[45] = "-"; MappingS[45] = "_"
MappingN[46] = "="; MappingS[46] = "+"
MappingN[47] = "["; MappingS[47] = "{"
MappingN[48] = "]"; MappingS[48] = "}"
MappingN[49] = "\\"; MappingS[49] = "|"
MappingN[50] = " "; MappingS[50] = " "
MappingN[51] = ";"; MappingS[51] = ":",
MappingN[52] = "'"; MappingS[52] = "\\"
MappingN[53] = "`"; MappingS[53] = "~"
MappingN[54] = ","; MappingS[54] = "<"
MappingN[55] = "."; MappingS[55] = ">"
MappingN[56] = "/"; MappingS[56] = "?"
MappingN[57] = "CapsLock"; MappingS[57] = "CapsLock"
MappingN[79] = "RightArrow"; MappingS[79] = "RightArrow"
MappingN[80] = "LeftArrow"; MappingS[80] = "LeftArrow"
MappingN[84] = "/"; MappingS[84] = "/"
MappingN[85] = "*"; MappingS[85] = "*"
MappingN[86] = "-"; MappingS[86] = "-"
MappingN[87] = "+"; MappingS[87] = "+"
MappingN[88] = "Enter"; MappingS[88] = "Enter"
MappingN[89] = "1"; MappingS[89] = "1"
MappingN[90] = "2"; MappingS[90] = "2"
MappingN[91] = "3"; MappingS[91] = "3"
MappingN[92] = "4"; MappingS[92] = "4"
MappingN[93] = "5"; MappingS[93] = "5"
MappingN[94] = "6"; MappingS[94] = "6"
MappingN[95] = "7"; MappingS[95] = "7"
MappingN[96] = "8"; MappingS[96] = "8"
MappingN[97] = "9"; MappingS[97] = "9"
MappingN[98] = "0"; MappingS[98] = "0"
MappingN[99] = "."; MappingS[99] = "."
# capslock default is off
capslock = 0
# shift key is press
shift = 0
# This will contain the converted characters
out = list()
# Do a barrel roll
with open(file_name, "rb") as f:
line = f.readline()
while line:
shift_flag = int(line[0:2], 16)
idx = int(line[4:6], 16)
# abnomal index handler
if idx < 4 or idx > 99:
line = f.readline()
continue
# caplock turn on / off
if idx == 57:
capslock = capslock ^ 1
line = f.readline()
continue
# shift press check
shift = shift_flag & 0x02 or shift_flag
# alpha capslock deal
if MappingN[idx].isalpha():
if (capslock ^ shift) == 0:
c = MappingN[idx]
else:
c = MappingS[idx]
#other character does't consider capslock.eg.01234#/
else:
if shift == 0:
c = MappingN[idx]
else:
c = MappingS[idx]
out += c
line = f.readline()
# Spit it out
print("".join(out))
