Sign in to follow this  
Followers 0
Jon

HotKeySet needs toning down

22 posts in this topic

Someone has commented that the hotkeyset function can be used as a decent keylogger... Anyone ideas on how to tone it down to make it useless for this sort of thing while still being useful? AutoIt 2 was accused of being a keylogger many times so I wouldn't want to confirm that!

Options I've thought of:

1. Reduce the max number of hotkeys from 64 to 13 (half the alphabet)

2. Make it illegal to have A to Z as a "single" hotkey (make them require ALT/CTRL etc)

3. Remove all single hotkeys

I think option 2 is the favourite.

Share this post


Link to post
Share on other sites



I would be prefer option 2

Graham


GrahamS

Share this post


Link to post
Share on other sites

It seems a pity to have to compromise a good idea (the excellent functionality of AI3).

Keyloggers used for nefarious ends like to run quietly: to this end, the always-on System Tray icon seems adequate.

Or how about refreshing the System Tray icon with each execution of a HotKey call? In case someone comes up with a naughty utility that can switch off tray icons.

I'm sure none of us wants to see AI3 banned for misuse by a tiny minority; but surely there must be an elegant alternative to throwing the baby out with the bath-water???

Share this post


Link to post
Share on other sites

The tray icon isn't always on anymore.

I don't see any problem in removing 0-9 a-z as single hot keys - they will mess up the system under most cases anyway. You can still do ctrl+a or clt+alt+a which is what the majority would use anyway.

Share this post


Link to post
Share on other sites

You can still do ctrl+a or clt+alt+a which is what the majority would use anyway.

That's true .. ok, if we have to lose some functionality, then I'd accept being forced to use key-combinations .. limited only by imagination and physical constraints B) .

Pity about the icon though - lateral solutions are "tres" cool :whistle:

Share this post


Link to post
Share on other sites

why couldn't you set the icon to appear, if there is a single hotkey.

no icon if there is key combonations.

alternate idea, if there is a singe hotkey. force a dialog of yes or no, to continue.


 

Spoiler

shoot_zpsfd329d66.png
dontbelieveeverythingyouthink_zps0e1e900

Madness is the first step to understanding...

Share this post


Link to post
Share on other sites

A person could try to build a keylogger first before deciding, because I am skeptical that it is possible.

Already done. But I see what you mean - it would generally just keep calling itself.

Share this post


Link to post
Share on other sites

Also bear in mind that this would generally be used for password situations where the user just sees ***** so you could log all the standard keys 0-9 a-z and then actually Send a random non-hotkey letter to avoid triggering the hotkey - so the user thinks they are typing their password but they aren't.

God, I've got an evil mind sometimes. :whistle:

Share this post


Link to post
Share on other sites

Also bear in mind that this would generally be used for password situations where the user just sees ***** so you could log all the standard keys 0-9 a-z and then actually Send a random non-hotkey letter to avoid triggering the hotkey - so the user thinks they are typing their password but they aren't.

God, I've got an evil mind sometimes. :whistle:

Given the amount of times AutoIt is used to write bots for online games, I can see where that last point would be an issue.

Share this post


Link to post
Share on other sites

to stop key logging you could just limit hot keys to the function keys.


 

Spoiler

shoot_zpsfd329d66.png
dontbelieveeverythingyouthink_zps0e1e900

Madness is the first step to understanding...

Share this post


Link to post
Share on other sites

Yeah it fails a couple of times and the the script exits and the user just think they mis typed. It's a scam that's been used with ATM machines (fake atm machines in a building somewhere, you enter pin it fails and then eats your card, result is that the thief now has your pin+card).

Share this post


Link to post
Share on other sites

isn't there some sorta way of generically remapping the keyboard, then returning it to normal after the hotkey has been pressed, and once it has been remapped something else would be sent.


 

Spoiler

shoot_zpsfd329d66.png
dontbelieveeverythingyouthink_zps0e1e900

Madness is the first step to understanding...

Share this post


Link to post
Share on other sites

but the password will always fail... I dunno, but I can't think of a valid reason for anyone to set 0-9, A-Z, so I am in favor of that limit.

:whistle:

That would also work in the malicious author's favor. While the script was running, the user wouldn't even be able to log in to change their password.

Share this post


Link to post
Share on other sites

I would be prefer option 2.

option 1 : is it true that this doesn't really work because you could write a script that will shell multiple scripts of which each do a nummer of unique keys ??

Options 3: I like to use some single keys in a script like pause and esc, so don't like this one...

Jos


Visit the SciTE4AutoIt3 Download page for the latest versions        Beta files                                                          Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Share this post


Link to post
Share on other sites

Since the sourcecode is so freely available, there isn't anything stopping anyone from re-enabling any hotkey functionality that is provided currently.


[quote]I was busy waiting all night for the Columbus Day Bunny to come down my chimney and light fireworks in my pumpkin.There's so much wrong with that.Oh, I'm sorry, i forgot you were Jewish.[/quote]

Share this post


Link to post
Share on other sites

Same with anything. But when I get the hatemail and death threats about my trojan software like I did with v2.64 it would be nice to say that it doesn't come like that out of the box.

Share this post


Link to post
Share on other sites

I like option2. It is a shame that there needs to be any options, but in the case to use one, option2 suits all my needs. I can't see a point where I would need over 13 hotkeys, but it is not hard to imagine.

Is there a way to limit single key hotkeys to 13, and yea leave as many combonations as possible?

Oh and thinking :whistle: for a sec, couldn't they just script {alt down} into it now?


AutoIt3, the MACGYVER Pocket Knife for computers.

Share this post


Link to post
Share on other sites

#20 ·  Posted (edited)

FIXED: VK check for A-Z was triggered if vk >= 0x41 *OR* vk <= 0x5A.

///////////////////////////////////////////////////////////////////////////////
// GetSingleVKandMods()
// Get a single VK code and modifiers for a given string - used for getting
// single hotkey/shortcut key definitions
///////////////////////////////////////////////////////////////////////////////

bool HS_SendKeys::GetSingleVKandMods(const char *szString, UINT &vk, bool &bShift, bool &bControl, bool &bAlt, bool &bWin)
{
    int  nPos = 0;
    char    ch;
    char    *szTemp;
    bool    bRes = true;      // Success by default
    int  n = 0;

    // Reset mods
    bShift = bControl = bAlt = bWin = false;

    // Allocate some temporary memory for szTemp
    szTemp =  new char[lstrlen(szString)+1];


    while ( szString[nPos] == '+' || szString[nPos] == '^' || szString[nPos] == '!' || szString[nPos] == '#' )
    {
  // Is there a modifier requested?
  if (szString[nPos] == '+')
     bShift = true;
  else if (szString[nPos] == '^')
     bControl = true;
  else if (szString[nPos] == '!')
     bAlt = true;
  else if (szString[nPos] == '#')
     bWin = true;

  ++nPos;            // Next char
    }


    ch = szString[nPos++];      // Get next char


    // Is the next char a { or a simple key?
    if (ch == '{')
    {
  // Special key
  if ( ReadToChar('}', szString, szTemp, nPos) )
     bRes = false;      // Failed - no close bracket
  else
  {
     // Lookup special codes-  Look up the index of the key
     while ( (n < NUMKEYS) && (lstrcmpi(g_szKeyTable[n], szTemp)) )
    n++;

     // Is it a known or valid key
     if (n == NUMKEYS)
    bRes = false;        // Unknown
     else
     {
    if (g_cKeyLookupType[n] != SK_LOOKUP)
     bRes = false;      // Invalid
    else
     vk = g_nKeyCodes[n];
     }
  }
    }
    else
    {
  // Simple char
  vk = VkKeyScan(ch);

  if ( (vk & 0x0200)  )      // CTRL required?
     bControl = true;

  if ( (vk & 0x0400) )       // ALT required?
     bAlt = true;

  if ( (vk & 0x0100) )       // SHIFT required?
     bShift = true;
    }

    // Make sure only the VK code (lower byte) is passed back (sans shift states)
    vk = vk & 0xff;

    // Don't allow non-modified keys for 0-9 and a-z (keylogger prevention)
    if ( (vk >= 0x30 && vk <= 0x39) || (vk >= 0x41 && vk <= 0x5A) )
    {
  if (bShift == false && bControl == false && bAlt == false && bWin == false)
     bRes = false;      // invalid
    }

    // Free temp string memory
    delete [] szTemp;

    return bRes;

} // GetSingleVKandMods()

-FunkyDo

Edited by FunkyDo

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0