
USB Traffic Analysis

Luz | 1 year ago (2020-07-08) | SAFE | 692

1. Capturing traffic

Wireshark can capture USB traffic directly: select the USBPcap interface when starting the capture.


The captured USB traffic includes everything that passed through the USB interface (USB mouse, USB keyboard, and so on).




2. Filtering traffic

After saving the capture to a file, use tshark to extract the HID data field from each packet:

tshark -r mouse.pcap -T fields -e usb.capdata   # mouse.pcap is the saved capture file
...
0102000003000000
0102000004000000
0102000005000000
0102fdff05000000
0102feff05000000
0102ffff03000000
0102feff04000000
0102ffff02000000
0102ffff02000000
0102fdff03000000
0102fdff03000000
0102fcff02000000
0102fcff03000000
0102fcff03000000
0102fdff02000000
0102fdff03000000
0102fdff02000000
0102fdff03000000
0102feff01000000
0102feff02000000
0102feff02000000
0102ffff01000000
0102030000000000
0102060000000000
01021100ffff0000
0102080000000000
0102080000000000
0102070000000000
0102080000000000
0102070000000000
0102030000000000
0102ffffffff0000
0100feff00000000
0100ffff00000000
0100feff00000000
0100feffffff0000
0100fefffeff0000
...

3. Analyzing traffic

When the traffic comes from a USB mouse, each line of data is one mouse event.

Each line holds eight bytes. The first byte is 01.

The second byte is the button state, i.e. which button was held when the report was sent:

01: left button pressed
02: right button pressed
00: no button pressed

The third and fifth bytes are the X and Y coordinate values of the movement (hexadecimal).
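To turn the list of reports above into something readable, here is an added worked example (my code, not from the original post) that parses each usb.capdata line the way the text describes, accumulates the relative X/Y values into absolute positions, and records the positions at which a button was held, which is how a drawn shape or a click sequence is recovered from a mouse capture. The sample report list is the page's own tshark output; the script name mouse_replay.py is a hypothetical placeholder. One caveat a practitioner hits: Wireshark 3.x and later dissects HID interrupt payloads under the field usbhid.data instead of usb.capdata, so if the tshark command above prints nothing, rerun it with -e usbhid.data.

```python
"""Replay USB mouse reports exported with
   tshark -r mouse.pcap -T fields -e usb.capdata
to recover the pointer path and where a button was held down."""
import struct
import sys

# The reports listed in the tshark output above (the page's own sample).
SAMPLE_LINES = """
0102000003000000
0102000004000000
0102000005000000
0102fdff05000000
0102feff05000000
0102ffff03000000
0102feff04000000
0102ffff02000000
0102ffff02000000
0102fdff03000000
0102fdff03000000
0102fcff02000000
0102fcff03000000
0102fcff03000000
0102fdff02000000
0102fdff03000000
0102fdff02000000
0102fdff03000000
0102feff01000000
0102feff02000000
0102feff02000000
0102ffff01000000
0102030000000000
0102060000000000
01021100ffff0000
0102080000000000
0102080000000000
0102070000000000
0102080000000000
0102070000000000
0102030000000000
0102ffffffff0000
0100feff00000000
0100ffff00000000
0100feff00000000
0100feffffff0000
0100fefffeff0000
""".split()

LEFT, RIGHT = 0x01, 0x02  # button-state byte values as described in the text

def parse_mouse_report(hexline):
    """One 8-byte report -> (buttons, dx, dy). Byte 1 is the button state;
    bytes 2-3 / 4-5 are little-endian signed 16-bit X / Y movement. For the
    values on this page the high byte is only sign extension (fdff -> -3), so
    this agrees with the text's third-byte/fifth-byte reading and also covers
    larger moves. Colons are dropped so colon-separated tshark output works."""
    raw = bytes.fromhex(hexline.strip().replace(":", ""))
    if len(raw) < 6:
        raise ValueError(f"report too short: {hexline!r}")
    dx, dy = struct.unpack("<hh", raw[2:6])
    return raw[1], dx, dy

def replay(lines):
    """Accumulate relative movement into absolute positions. Returns
    (path, left_points, right_points): every position reached, and the
    positions at which the left / right button was held (a drawn stroke)."""
    x = y = 0
    path, left, right = [], [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("..."):  # blanks and the "..." marker
            continue
        buttons, dx, dy = parse_mouse_report(line)
        x, y = x + dx, y + dy
        path.append((x, y))
        if buttons & LEFT:
            left.append((x, y))
        if buttons & RIGHT:
            right.append((x, y))
    return path, left, right

def render_ascii(points, mark="#"):
    """Plot integer points on the smallest canvas holding them; returns rows."""
    if not points:
        return []
    xs, ys = [p[0] for p in points], [p[1] for p in points]
    min_x, min_y = min(xs), min(ys)
    canvas = [[" "] * (max(xs) - min_x + 1) for _ in range(max(ys) - min_y + 1)]
    for x, y in points:
        canvas[y - min_y][x - min_x] = mark
    return ["".join(row) for row in canvas]

if __name__ == "__main__":  # python mouse_replay.py [capdata.txt]
    src = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LINES
    path, left, right = replay(src)
    print(f"{len(path)} reports, end {path[-1]}, {len(left)} left / {len(right)} right")
    print("\n".join(render_ascii(right or left)))
```

Run it on the saved tshark output (`tshark ... > capdata.txt`, then `python mouse_replay.py capdata.txt`) and the ASCII canvas shows the stroke drawn while the button was held; for the page's sample every report up to the last right-button one ends up in `right`, and the five trailing reports with button byte 00 only move the pointer.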



When the traffic comes from a USB keyboard, each line of data is one keyboard event.

Each line holds eight bytes. The eight bits of the first byte are the modifier flags:

        |--bit0:   Left Control   pressed (1 = pressed)
        |--bit1:   Left Shift     pressed (1 = pressed)
        |--bit2:   Left Alt       pressed (1 = pressed)
        |--bit3:   Left GUI (Windows key) pressed (1 = pressed)
        |--bit4:   Right Control  pressed (1 = pressed)
        |--bit5:   Right Shift    pressed (1 = pressed)
        |--bit6:   Right Alt      pressed (1 = pressed)
        |--bit7:   Right GUI      pressed (1 = pressed)


From the third byte onward come the usage IDs of the keys that were pressed (several keys can be down at the same time); look each value up in the table below to find the key.

Usage ID  Usage Name                        Usage Type  AT-101  Boot
--------  --------------------------------  ----------  ------  ---------
00-00     Reserved
01        Keyboard ErrorRollOver            Sel         N/A     4/101/104
02        Keyboard POSTFail                 Sel         N/A     4/101/104
03        Keyboard ErrorUndefined           Sel         N/A     4/101/104
04        Keyboard a and A                  Sel         31      4/101/104
05        Keyboard b and B                  Sel         50      4/101/104
06        Keyboard c and C                  Sel         48      4/101/104
07        Keyboard d and D                  Sel         33      4/101/104
08        Keyboard e and E                  Sel         19      4/101/104
09        Keyboard f and F                  Sel         34      4/101/104
0A        Keyboard g and G                  Sel         35      4/101/104
0B        Keyboard h and H                  Sel         36      4/101/104
0C        Keyboard i and I                  Sel         24      4/101/104
0D        Keyboard j and J                  Sel         37      4/101/104
0E        Keyboard k and K                  Sel         38      4/101/104
0F        Keyboard l and L                  Sel         39      4/101/104
10        Keyboard m and M                  Sel         52      4/101/104
11        Keyboard n and N                  Sel         51      4/101/104
12        Keyboard o and O                  Sel         25      4/101/104
13        Keyboard p and P                  Sel         26      4/101/104
14        Keyboard q and Q                  Sel         17      4/101/104
15        Keyboard r and R                  Sel         20      4/101/104
16        Keyboard s and S                  Sel         32      4/101/104
17        Keyboard t and T                  Sel         21      4/101/104
18        Keyboard u and U                  Sel         23      4/101/104
19        Keyboard v and V                  Sel         49      4/101/104
1A        Keyboard w and W                  Sel         18      4/101/104
1B        Keyboard x and X                  Sel         47      4/101/104
1C        Keyboard y and Y                  Sel         22      4/101/104
1D        Keyboard z and Z                  Sel         46      4/101/104
1E        Keyboard 1 and !                  Sel         2       4/101/104
1F        Keyboard 2 and @                  Sel         3       4/101/104
20        Keyboard 3 and #                  Sel         4       4/101/104
21        Keyboard 4 and $                  Sel         5       4/101/104
22        Keyboard 5 and %                  Sel         6       4/101/104
23        Keyboard 6 and ^                  Sel         7       4/101/104
24        Keyboard 7 and &                  Sel         8       4/101/104
25        Keyboard 8 and *                  Sel         9       4/101/104
26        Keyboard 9 and (                  Sel         10      4/101/104
27        Keyboard 0 and )                  Sel         11      4/101/104
28        Keyboard Return (ENTER)           Sel         43      4/101/104
29        Keyboard ESCAPE                   Sel         110     4/101/104
2A        Keyboard DELETE (Backspace)       Sel         15      4/101/104
2B        Keyboard Tab                      Sel         16      4/101/104
2C        Keyboard Spacebar                 Sel         61      4/101/104
2D        Keyboard - and _ (underscore)     Sel         12      4/101/104
2E        Keyboard = and +                  Sel         13      4/101/104
2F        Keyboard [ and {                  Sel         27      4/101/104
30        Keyboard ] and }                  Sel         28      4/101/104
31        Keyboard \ and |                  Sel         29      4/101/104
32        Keyboard Non-US # and ~           Sel         42      4/101/104
33        Keyboard ; and :                  Sel         40      4/101/104
34        Keyboard ' and "                  Sel         41      4/101/104
35        Keyboard Grave Accent and Tilde   Sel         1       4/101/104
36        Keyboard , and <                  Sel         53      4/101/104
37        Keyboard . and >                  Sel         54      4/101/104
38        Keyboard / and ?                  Sel         55      4/101/104
39        Keyboard Caps Lock                Sel         30      4/101/104
3A        Keyboard F1                       Sel         112     4/101/104
3B        Keyboard F2                       Sel         113     4/101/104
3C        Keyboard F3                       Sel         114     4/101/104
3D        Keyboard F4                       Sel         115     4/101/104
3E        Keyboard F5                       Sel         116     4/101/104
3F        Keyboard F6                       Sel         117     4/101/104
40        Keyboard F7                       Sel         118     4/101/104
41        Keyboard F8                       Sel         119     4/101/104
42        Keyboard F9                       Sel         120     4/101/104
43        Keyboard F10                      Sel         121     4/101/104
44        Keyboard F11                      Sel         122     4/101/104
45        Keyboard F12                      Sel         123     4/101/104
46        Keyboard PrintScreen              Sel         124     4/101/104
47        Keyboard Scroll Lock              Sel         125     4/101/104
48        Keyboard Pause                    Sel         126     4/101/104
49        Keyboard Insert                   Sel         75      4/101/104
4A        Keyboard Home                     Sel         80      4/101/104
4B        Keyboard PageUp                   Sel         85      4/101/104
4C        Keyboard Delete Forward           Sel         76      4/101/104
4D        Keyboard End                      Sel         81      4/101/104
4E        Keyboard PageDown                 Sel         86      4/101/104
4F        Keyboard RightArrow               Sel         89      4/101/104
50        Keyboard LeftArrow                Sel         79      4/101/104
51        Keyboard DownArrow                Sel         84      4/101/104
52        Keyboard UpArrow                  Sel         83      4/101/104
53        Keypad Num Lock and Clear         Sel         90      4/101/104
54        Keypad /                          Sel         95      4/101/104
55        Keypad *                          Sel         100     4/101/104
56        Keypad -                          Sel         105     4/101/104
57        Keypad +                          Sel         106     4/101/104
58        Keypad ENTER                      Sel         108     4/101/104
59        Keypad 1 and End                  Sel         93      4/101/104
5A        Keypad 2 and Down Arrow           Sel         98      4/101/104
5B        Keypad 3 and PageDn               Sel         103     4/101/104
5C        Keypad 4 and Left Arrow           Sel         92      4/101/104
5D        Keypad 5                          Sel         97      4/101/104
5E        Keypad 6 and Right Arrow          Sel         102     4/101/104
5F        Keypad 7 and Home                 Sel         91      4/101/104
60        Keypad 8 and Up Arrow             Sel         96      4/101/104
61        Keypad 9 and PageUp               Sel         101     4/101/104
62        Keypad 0 and Insert               Sel         99      4/101/104
63        Keypad . and Delete               Sel         104     4/101/104
64        Keyboard Non-US \ and |           Sel         45      4/101/104
65        Keyboard Application              Sel         129     104
66        Keyboard Power                    Sel
67        Keypad =                          Sel
68        Keyboard F13                      Sel
69        Keyboard F14                      Sel
6A        Keyboard F15                      Sel
6B        Keyboard F16                      Sel
6C        Keyboard F17                      Sel
6D        Keyboard F18                      Sel
6E        Keyboard F19                      Sel
6F        Keyboard F20                      Sel
70        Keyboard F21                      Sel
71        Keyboard F22                      Sel
72        Keyboard F23                      Sel
73        Keyboard F24                      Sel
74        Keyboard Execute                  Sel
75        Keyboard Help                     Sel
76        Keyboard Menu                     Sel
77        Keyboard Select                   Sel
78        Keyboard Stop                     Sel
79        Keyboard Again                    Sel
7A        Keyboard Undo                     Sel
7B        Keyboard Cut                      Sel
7C        Keyboard Copy                     Sel
7D        Keyboard Paste                    Sel
7E        Keyboard Find                     Sel
7F        Keyboard Mute                     Sel
80        Keyboard Volume Up                Sel
81        Keyboard Volume Down              Sel
82        Keyboard Locking Caps Lock        Sel
83        Keyboard Locking Num Lock         Sel
84        Keyboard Locking Scroll Lock      Sel
85        Keypad Comma                      Sel         107
86        Keypad Equal Sign                 Sel
87        Keyboard International1           Sel         56
88        Keyboard International2           Sel
89        Keyboard International3           Sel
8A        Keyboard International4           Sel
8B        Keyboard International5           Sel
8C        Keyboard International6           Sel
8D        Keyboard International7           Sel
8E        Keyboard International8           Sel
8F        Keyboard International9           Sel
90        Keyboard LANG1                    Sel
91        Keyboard LANG2                    Sel
92        Keyboard LANG3                    Sel
93        Keyboard LANG4                    Sel
94        Keyboard LANG5                    Sel
95        Keyboard LANG6                    Sel
96        Keyboard LANG7                    Sel
97        Keyboard LANG8                    Sel
98        Keyboard LANG9                    Sel
99        Keyboard Alternate Erase          Sel
9A        Keyboard SysReq/Attention         Sel
9B        Keyboard Cancel                   Sel
9C        Keyboard Clear                    Sel
9D        Keyboard Prior                    Sel
9E        Keyboard Return                   Sel
9F        Keyboard Separator                Sel
A0        Keyboard Out                      Sel
A1        Keyboard Oper                     Sel
A2        Keyboard Clear/Again              Sel
A3        Keyboard CrSel/Props              Sel
A4        Keyboard ExSel                    Sel
A5-AF     Reserved
B0        Keypad 00                         Sel
B1        Keypad 000                        Sel
B2        Thousands Separator               Sel
B3        Decimal Separator                 Sel
B4        Currency Unit                     Sel
B5        Currency Sub-unit                 Sel
B6        Keypad (                          Sel
B7        Keypad )                          Sel
B8        Keypad {                          Sel
B9        Keypad }                          Sel
BA        Keypad Tab                        Sel
BB        Keypad Backspace                  Sel
BC        Keypad A                          Sel
BD        Keypad B                          Sel
BE        Keypad C                          Sel
BF        Keypad D                          Sel
C0        Keypad E                          Sel
C1        Keypad F                          Sel
C2        Keypad XOR                        Sel
C3        Keypad ^                          Sel
C4        Keypad %                          Sel
C5        Keypad <                          Sel
C6        Keypad >                          Sel
C7        Keypad &                          Sel
C8        Keypad &&                         Sel
C9        Keypad |                          Sel
CA        Keypad ||                         Sel
CB        Keypad :                          Sel
CC        Keypad #                          Sel
CD        Keypad Space                      Sel
CE        Keypad @                          Sel
CF        Keypad !                          Sel
D0        Keypad Memory Store               Sel
D1        Keypad Memory Recall              Sel
D2        Keypad Memory Clear               Sel
D3        Keypad Memory Add                 Sel
D4        Keypad Memory Subtract            Sel
D5        Keypad Memory Multiply            Sel
D6        Keypad Memory Divide              Sel
D7        Keypad +/-                        Sel
D8        Keypad Clear                      Sel
D9        Keypad Clear Entry                Sel
DA        Keypad Binary                     Sel
DB        Keypad Octal                      Sel
DC        Keypad Decimal                    Sel
DD        Keypad Hexadecimal                Sel
DE-DF     Reserved
E0        Keyboard LeftControl              DV          58      4/101/104
E1        Keyboard LeftShift                DV          44      4/101/104
E2        Keyboard LeftAlt                  DV          60      4/101/104
E3        Keyboard Left GUI                 DV          127     104
E4        Keyboard RightControl             DV          64      101/104
E5        Keyboard RightShift               DV          57      4/101/104
E6        Keyboard RightAlt                 DV          62      101/104
E7        Keyboard Right GUI                DV          128     104
E8-FFFF   Reserved
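As an added example that is not part of the original post: a decoder that applies the keyboard report layout described above together with a subset of the usage table, so the tshark output for a keyboard capture becomes the typed text. The report sequence is constructed for illustration (the '#' comments are not tshark output), and it exercises the cases that trip up a naive "print byte 3" script: a key that stays down across consecutive reports, Shift held on its own, Backspace, and Caps Lock. The KEYMAP covers only letters, digits and the common US punctuation rows; anything else is emitted as <0xNN> so it can be looked up in the table by hand.

```python
"""Decode USB HID boot-protocol keyboard reports (tshark usb.capdata lines)
into the text that was typed."""

# Usage ID -> (unshifted, shifted); a subset of the usage table above.
KEYMAP = {0x04 + i: (chr(0x61 + i), chr(0x41 + i)) for i in range(26)}       # a-z
KEYMAP.update(dict(zip(range(0x1e, 0x28), zip("1234567890", "!@#$%^&*()"))))  # 1-0
KEYMAP.update({
    0x28: ("\n", "\n"), 0x29: ("<ESC>", "<ESC>"), 0x2b: ("\t", "\t"), 0x2c: (" ", " "),
    0x2d: ("-", "_"), 0x2e: ("=", "+"), 0x2f: ("[", "{"), 0x30: ("]", "}"),
    0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'), 0x35: ("`", "~"),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})
BACKSPACE, CAPS_LOCK = 0x2a, 0x39
MODIFIER_BITS = ["LCtrl", "LShift", "LAlt", "LGUI", "RCtrl", "RShift", "RAlt", "RGUI"]
SHIFT_MASK = 0x02 | 0x20  # bit1 Left Shift, bit5 Right Shift (byte 0 layout above)

# Constructed sample, not captured traffic: text after '#' is a comment.
SAMPLE_REPORTS = """
00000a0000000000   # g
00000a0000000000   # g still held in the next report: not typed again
0000000000000000   # release (all-zero report)
0200000000000000   # Left Shift pressed alone (bit1 of byte 0)
02002f0000000000   # Shift + [  -> {
0000000000000000
02000b0000000000   # Shift + h  -> H
0000000000000000
00000c0000000000   # i
0000000000000000
0000070000000000   # d
0000000000000000
02002d0000000000   # Shift + -  -> _
0000000000000000
00001e0000000000   # 1
0000000000000000
00001b0000000000   # x (typo)
0000000000000000
00002a0000000000   # Backspace removes the x
0000000000000000
0200300000000000   # Shift + ]  -> }
0000000000000000
0000280000000000   # Enter
0000000000000000
0000390000000000   # Caps Lock on
0000000000000000
0000120000000000   # o -> O
0000000000000000
00000e0000000000   # k -> K
0000000000000000
"""


def parse_keyboard_report(hexline):
    """8-byte report -> (modifier byte, non-zero usage IDs from bytes 2-7).
    Byte 1 is reserved in the boot-protocol report and is ignored."""
    raw = bytes.fromhex(hexline.strip().replace(":", ""))
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}: {hexline!r}")
    return raw[0], tuple(k for k in raw[2:8] if k)


def modifier_names(modifiers):
    """Expand the modifier byte into the bit names listed in the text."""
    return [name for bit, name in enumerate(MODIFIER_BITS) if modifiers >> bit & 1]


def decode_keystrokes(lines):
    """Reports -> typed text. A usage present in the previous report is a held
    key, not a new keystroke. Shift or Caps Lock capitalises letters; Shift alone
    selects the shifted symbol of other keys. Backspace removes the last decoded
    character, and unknown usages are kept as <0xNN> rather than dropped."""
    text, prev, caps = [], set(), False
    for raw in lines:
        hexpart = raw.split("#", 1)[0].strip()
        if not hexpart:
            continue
        modifiers, keys = parse_keyboard_report(hexpart)
        shift = bool(modifiers & SHIFT_MASK)
        for usage in keys:
            if usage in prev:
                continue
            if usage == CAPS_LOCK:
                caps = not caps
            elif usage == BACKSPACE:
                if text:
                    text.pop()
            elif usage in KEYMAP:
                plain, shifted = KEYMAP[usage]
                upper = (shift != caps) if plain.isalpha() else shift
                text.append(shifted if upper else plain)
            else:
                text.append(f"<0x{usage:02x}>")
        prev = set(keys)
    return "".join(text)


if __name__ == "__main__":
    print(decode_keystrokes(SAMPLE_REPORTS.splitlines()))
```

Feeding the script real tshark output is a matter of passing the lines of the saved field dump to decode_keystrokes; the held-key check matters there because a key that is down for longer than one polling interval shows up in several consecutive reports, and a decoder that prints every report would duplicate it.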







