Wednesday, April 25, 2012

Teensy USB HID for Penetration Testers - Part 3 - Programming sketches in Arduino

In the previous post we saw very basic usage of the Arduino Development Environment (ADE) and ran our Hello World using Teensy. Let's have a look at doing something more with Teensy and ADE.

You know that a sketch has two bare-minimum functions, setup and loop. But there are many more functions which are very useful when programming complex sketches. Have a look at the sketch below, which opens Notepad and types "Hello World" in it.

void setup()
{
  delay(5000);
  Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now();

  delay(500);
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();

  Keyboard.print("notepad");
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();

  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(2000);
  Keyboard.print("Hello World");
}

void loop()
{
}

In a minute we will take a step-by-step look at how the sketch is executed by Teensy. But before that, just recall how you open Notepad using the "Run" prompt in Windows. These are the steps:

1. Press "Windows key + R".

2. Release "Windows key + R".

3. Type "notepad" when the run prompt opens up.

4. Press Enter.

5. Release Enter.

Easy one. Now, if you map these steps to the sketch above, you will find that the sketch is doing nothing but "simulating" your keystrokes. Let's have a look at the sketch again, this time with comments:

void setup()
{
  delay(5000); //Delay required for OS to connect the device properly
  Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); //Tell Teensy to press Windows key
  Keyboard.set_key1(KEY_R); //Tell Teensy to press R
  Keyboard.send_now(); //Press "Windows key + R"
 
  delay(500); //Wait for half second
  Keyboard.set_modifier(0); //Tell Teensy to release Windows key
  Keyboard.set_key1(0); //Tell Teensy to release R
  Keyboard.send_now(); //Release "Windows key + R"
  //Teensy should open a run prompt now
  Keyboard.print("notepad"); //Type notepad in the run prompt
  Keyboard.set_key1(KEY_ENTER); //Tell Teensy to press Enter key
  Keyboard.send_now(); //Press Enter

  Keyboard.set_key1(0); //Tell Teensy to release Enter
  Keyboard.send_now(); //Release Enter
  delay(2000); //Wait for notepad to open
  Keyboard.print("Hello World"); //Type Hello World in notepad
}

void loop()
{
}

So the sketch makes more sense now. We used a number of new functions. Let's have a look at those:

delay() pauses the execution of the sketch by Teensy for the given number of milliseconds. delay(5000) means delaying the execution for 5 seconds.

Keyboard.set_modifier sets a modifier key. There are four modifier keys:

Name               Function
MODIFIERKEY_CTRL   Control Key
MODIFIERKEY_SHIFT  Shift Key
MODIFIERKEY_ALT    Alt Key
MODIFIERKEY_GUI    Windows (PC) or Clover (Mac)

Table courtesy: http://www.pjrc.com/teensy/td_keyboard.html

Note that I said it "sets" the modifier key. To send the key you need Keyboard.send_now(), which sends all the "set" keys. We used Keyboard.set_key1 to set the "R" key and then sent both keys together using Keyboard.send_now().

As per the great documentation at pjrc.com, a USB keyboard can have up to 6 normal keys and 4 modifier keys. A complete table of codes for all normal keys can be found on the same page.

So we pressed "Windows key + R" by setting and sending the keys. To release them, we need to set them to 0 and send again. That is what we have done in the above sketch by using Keyboard.set_modifier(0), Keyboard.set_key1(0) and Keyboard.send_now().
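The set/send behaviour described above, as an added host-side C++ example (not code from the original post or from Teensyduino): it models the 8-byte boot-protocol keyboard report that each send_now() transmits and decodes the Win+R press and release, which is also how those keystrokes appear in a USB capture. KeyboardModel, describe and replay_win_r are hypothetical names; the numeric values are the standard USB HID codes, assumed to be what the sketch's constants resolve to.

```cpp
// Added example, not Teensyduino code: models the 8-byte boot keyboard report.
#include <array>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

using Report = std::array<uint8_t, 8>;  // [modifiers, reserved, key1..key6]
constexpr uint8_t MOD_RIGHT_GUI = 0x80;  // standard HID: bit 7 of the modifier byte
constexpr uint8_t USAGE_R = 0x15, USAGE_ENTER = 0x28;  // standard HID usage IDs

// Hypothetical stand-in for Keyboard: set_* changes state, send_now() snapshots it.
struct KeyboardModel {
    uint8_t modifier = 0;
    std::array<uint8_t, 6> keys{};
    std::vector<Report> sent;
    void set_modifier(uint8_t m) { modifier = m; }
    void set_key1(uint8_t k) { keys[0] = k; }
    void send_now() {
        Report r{modifier};  // byte 0 = modifiers, byte 1 stays 0 (reserved)
        for (int i = 0; i < 6; ++i) r[2 + i] = keys[i];
        sent.push_back(r);
    }
};

// Decode one report into text such as "RGUI+R".
std::string describe(const Report& r) {
    static const char* mods[8] = {"LCTRL", "LSHIFT", "LALT", "LGUI",
                                  "RCTRL", "RSHIFT", "RALT", "RGUI"};
    std::string out;
    auto add = [&out](const std::string& s) { out += (out.empty() ? "" : "+") + s; };
    for (int b = 0; b < 8; ++b)
        if (r[0] & (1u << b)) add(mods[b]);
    for (int i = 2; i < 8; ++i) {
        if (r[i] == USAGE_ENTER) add("ENTER");
        else if (r[i] >= 0x04 && r[i] <= 0x1D) add(std::string(1, char('A' + r[i] - 0x04)));
        else if (r[i] != 0) add("usage " + std::to_string(r[i]));
    }
    return out.empty() ? "(all released)" : out;
}

// Replay the Win+R press and release from the sketch.
std::vector<Report> replay_win_r() {
    KeyboardModel kb;
    kb.set_modifier(MOD_RIGHT_GUI); kb.set_key1(USAGE_R); kb.send_now();  // press
    kb.set_modifier(0); kb.set_key1(0); kb.send_now();                    // release
    return kb.sent;
}

int main() { for (const Report& r : replay_win_r()) std::puts(describe(r).c_str()); }
```

The second report is all zeros: in this report format a key counts as released only once a report without it has been sent, which is why the sketch sets the keys to 0 and calls send_now() again.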

The rest of the sketch is easy to understand and needs no explanation.

In the next post we will have a look at Kautilya. Please leave comments and feedback.

2 comments:

  1. So helpful thanks!!!

  2. I am actually impressed by the way you detailed search out every little thing. It really is seriously going to assist me a great deal. Thanks for sharing your thoughts so clearly.
