HotKeySet needs toning down


  • Administrators

Someone has commented that the HotKeySet function can be used as a decent keylogger... Any ideas on how to tone it down to make it useless for this sort of thing while still being useful? AutoIt 2 was accused of being a keylogger many times so I wouldn't want to confirm that!

Options I've thought of:

1. Reduce the max number of hotkeys from 64 to 13 (half the alphabet)

2. Make it illegal to have A to Z as a "single" hotkey (make them require ALT/CTRL etc)

3. Remove all single hotkeys

I think option 2 is the favourite.

Link to post

It seems a pity to have to compromise a good idea (the excellent functionality of AI3).

Keyloggers used for nefarious ends like to run quietly: to this end, the always-on System Tray icon seems adequate.

Or how about refreshing the System Tray icon with each execution of a HotKey call? In case someone comes up with a naughty utility that can switch off tray icons.

I'm sure none of us wants to see AI3 banned for misuse by a tiny minority; but surely there must be an elegant alternative to throwing the baby out with the bath-water???

Link to post
  • Administrators

The tray icon isn't always on anymore.

I don't see any problem in removing 0-9 a-z as single hot keys - they will mess up the system in most cases anyway. You can still do ctrl+a or ctrl+alt+a which is what the majority would use anyway.

Link to post

You can still do ctrl+a or ctrl+alt+a which is what the majority would use anyway.

That's true .. ok, if we have to lose some functionality, then I'd accept being forced to use key-combinations .. limited only by imagination and physical constraints B) .

Pity about the icon though - lateral solutions are "tres" cool :whistle:

Link to post
  • Administrators

A person could try to build a keylogger first before deciding, because I am skeptical that it is possible.

Already done. But I see what you mean - it would generally just keep calling itself.
Link to post
  • Administrators

Also bear in mind that this would generally be used for password situations where the user just sees ***** so you could log all the standard keys 0-9 a-z and then actually Send a random non-hotkey letter to avoid triggering the hotkey - so the user thinks they are typing their password but they aren't.

God, I've got an evil mind sometimes. :whistle:

Link to post

Also bear in mind that this would generally be used for password situations where the user just sees ***** so you could log all the standard keys 0-9 a-z and then actually Send a random non-hotkey letter to avoid triggering the hotkey - so the user thinks they are typing their password but they aren't.

God, I've got an evil mind sometimes. :whistle:

Given the amount of times AutoIt is used to write bots for online games, I can see where that last point would be an issue.
Link to post
  • Administrators

Yeah, it fails a couple of times and then the script exits and the user just thinks they mistyped. It's a scam that's been used with ATM machines (fake ATM machines in a building somewhere, you enter your PIN, it fails and then eats your card; the result is that the thief now has your PIN + card).

Link to post

but the password will always fail... I dunno, but I can't think of a valid reason for anyone to set 0-9, A-Z, so I am in favor of that limit.

:whistle:

That would also work in the malicious author's favor. While the script was running, the user wouldn't even be able to log in to change their password.
Link to post
  • Developers

I would prefer option 2.

Option 1: is it true that this doesn't really work, because you could write a script that will shell multiple scripts, each of which does a number of unique keys??

Option 3: I like to use some single keys in a script like pause and esc, so I don't like this one...

Jos

Live for the present,
Dream of the future,
Learn from the past.
  :)

Link to post

Since the source code is so freely available, there isn't anything stopping anyone from re-enabling any hotkey functionality that is provided currently.

[quote]I was busy waiting all night for the Columbus Day Bunny to come down my chimney and light fireworks in my pumpkin. There's so much wrong with that. Oh, I'm sorry, I forgot you were Jewish.[/quote]

Link to post
  • Administrators

Same with anything. But when I get the hatemail and death threats about my trojan software like I did with v2.64 it would be nice to say that it doesn't come like that out of the box.

Link to post

I like option 2. It is a shame that there needs to be any options, but in the case to use one, option 2 suits all my needs. I can't see a point where I would need over 13 hotkeys, but it is not hard to imagine.

Is there a way to limit single key hotkeys to 13, and yet leave as many combinations as possible?

Oh and thinking :whistle: for a sec, couldn't they just script {alt down} into it now?

AutoIt3, the MACGYVER Pocket Knife for computers.

Link to post

FIXED: VK check for A-Z was triggered if vk >= 0x41 *OR* vk <= 0x5A.

///////////////////////////////////////////////////////////////////////////////
// GetSingleVKandMods()
// Get a single VK code and modifiers for a given string - used for getting
// single hotkey/shortcut key definitions
///////////////////////////////////////////////////////////////////////////////

bool HS_SendKeys::GetSingleVKandMods(const char *szString, UINT &vk, bool &bShift, bool &bControl, bool &bAlt, bool &bWin)
{
    int     nPos = 0;
    char    ch;
    char    *szTemp;
    bool    bRes = true;                // Success by default
    int     n = 0;

    // Reset mods
    bShift = bControl = bAlt = bWin = false;

    // Allocate some temporary memory for szTemp
    szTemp = new char[lstrlen(szString)+1];

    while ( szString[nPos] == '+' || szString[nPos] == '^' || szString[nPos] == '!' || szString[nPos] == '#' )
    {
        // Is there a modifier requested?
        if (szString[nPos] == '+')
            bShift = true;
        else if (szString[nPos] == '^')
            bControl = true;
        else if (szString[nPos] == '!')
            bAlt = true;
        else if (szString[nPos] == '#')
            bWin = true;

        ++nPos;                         // Next char
    }

    ch = szString[nPos++];              // Get next char

    // Is the next char a { or a simple key?
    if (ch == '{')
    {
        // Special key
        if ( ReadToChar('}', szString, szTemp, nPos) )
            bRes = false;               // Failed - no close bracket
        else
        {
            // Lookup special codes - look up the index of the key
            while ( (n < NUMKEYS) && (lstrcmpi(g_szKeyTable[n], szTemp)) )
                n++;

            // Is it a known or valid key
            if (n == NUMKEYS)
                bRes = false;           // Unknown
            else
            {
                if (g_cKeyLookupType[n] != SK_LOOKUP)
                    bRes = false;       // Invalid
                else
                    vk = g_nKeyCodes[n];
            }
        }
    }
    else
    {
        // Simple char
        vk = VkKeyScan(ch);

        if ( (vk & 0x0200) )            // CTRL required?
            bControl = true;

        if ( (vk & 0x0400) )            // ALT required?
            bAlt = true;

        if ( (vk & 0x0100) )            // SHIFT required?
            bShift = true;
    }

    // Make sure only the VK code (lower byte) is passed back (sans shift states)
    vk = vk & 0xff;

    // Don't allow non-modified keys for 0-9 and a-z (keylogger prevention)
    if ( (vk >= 0x30 && vk <= 0x39) || (vk >= 0x41 && vk <= 0x5A) )
    {
        if (bShift == false && bControl == false && bAlt == false && bWin == false)
            bRes = false;               // invalid
    }

    // Free temp string memory
    delete [] szTemp;

    return bRes;

} // GetSingleVKandMods()

-FunkyDo

Edited by FunkyDo
Link to post
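The range-check fix noted in the post above ("vk >= 0x41 *OR* vk <= 0x5A"), isolated as an added example that is not part of the thread or of the AutoIt source. The `Mods` struct and all function names are hypothetical, and the "buggy" test is reconstructed only from that one-line description; the example shows that the OR form rejects every unmodified key, including ESC and PAUSE, while the corrected form rejects only 0-9 and A-Z.

```cpp
#include <cstdio>

// Hypothetical container for the four modifier flags the parser reports.
struct Mods { bool shift, control, alt, win; };

static bool any_modifier(const Mods &m) {
    return m.shift || m.control || m.alt || m.win;
}

// A-Z clause joined with OR, as the "FIXED" note describes: every vk
// satisfies (vk >= 0x41 || vk <= 0x5A), so the whole test is always true.
static bool is_alnum_vk_buggy(unsigned vk) {
    return (vk >= 0x30 && vk <= 0x39) || (vk >= 0x41 || vk <= 0x5A);
}

// Corrected test: true only for VK codes '0'-'9' and 'A'-'Z'.
static bool is_alnum_vk(unsigned vk) {
    return (vk >= 0x30 && vk <= 0x39) || (vk >= 0x41 && vk <= 0x5A);
}

// Policy before the fix: an unmodified key is refused if the range test hits.
bool hotkey_allowed_buggy(unsigned vk, const Mods &m) {
    vk &= 0xff;                              // VK code only, as in the post
    return !(is_alnum_vk_buggy(vk) && !any_modifier(m));
}

// Policy after the fix.
bool hotkey_allowed(unsigned vk, const Mods &m) {
    vk &= 0xff;
    return !(is_alnum_vk(vk) && !any_modifier(m));
}

// Sweep all 256 VK values with no modifier held and count the accepted ones.
int count_unmodified_allowed(bool (*policy)(unsigned, const Mods &)) {
    const Mods none = {false, false, false, false};
    int allowed = 0;
    for (unsigned vk = 0; vk < 256; ++vk)
        if (policy(vk, none))
            ++allowed;
    return allowed;
}

int main() {
    std::printf("unmodified keys allowed, OR form:  %d\n",
                count_unmodified_allowed(hotkey_allowed_buggy));
    std::printf("unmodified keys allowed, AND form: %d\n",
                count_unmodified_allowed(hotkey_allowed));
    return 0;
}
```

Sweeping the whole VK range like this is a cheap regression check for any allow/deny rule built from range comparisons.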