Jon (Administrators), posted January 12, 2004

Someone has commented that the hotkeyset function can be used as a decent keylogger... Anyone have ideas on how to tone it down to make it useless for this sort of thing while still being useful? AutoIt 2 was accused of being a keylogger many times so I wouldn't want to confirm that!

Options I've thought of:

1. Reduce the max number of hotkeys from 64 to 13 (half the alphabet)
2. Make it illegal to have A to Z as a "single" hotkey (make them require ALT/CTRL etc)
3. Remove all single hotkeys

I think option 2 is the favourite.

Deployment Blog: https://www.autoitconsulting.com/site/blog/ SCCM SDK Programming: https://www.autoitconsulting.com/site/sccm-sdk/

trids, posted January 12, 2004

It seems a pity to have to compromise a good idea (the excellent functionality of AI3). Keyloggers used for nefarious ends like to run quietly: to this end, the always-on System Tray icon seems adequate. Or how about refreshing the System Tray icon with each execution of a HotKey call? In case someone comes up with a naughty utility that can switch off tray icons.

I'm sure none of us wants to see AI3 banned for misuse by a tiny minority; but surely there must be an elegant alternative to throwing the baby out with the bath-water???

Jon (Administrators), posted January 12, 2004

The tray icon isn't always on anymore. I don't see any problem in removing 0-9 a-z as single hot keys - they will mess up the system under most cases anyway. You can still do ctrl+a or ctrl+alt+a which is what the majority would use anyway.

trids, posted January 12, 2004

> You can still do ctrl+a or ctrl+alt+a which is what the majority would use anyway.

That's true .. ok, if we have to lose some functionality, then I'd accept being forced to use key-combinations .. limited only by imagination and physical constraints. Pity about the icon though - lateral solutions are "tres" cool

Somerset, posted January 12, 2004

why couldn't you set the icon to appear, if there is a single hotkey. no icon if there is key combinations. alternate idea, if there is a single hotkey. force a dialog of yes or no, to continue.

Jon (Administrators), posted January 12, 2004

> A person could try to build a keylogger first before deciding, because I am skeptical that it is possible.

Already done. But I see what you mean - it would generally just keep calling itself.

Jon (Administrators), posted January 12, 2004

Also bear in mind that this would generally be used for password situations where the user just sees ***** so you could log all the standard keys 0-9 a-z and then actually Send a random non-hotkey letter to avoid triggering the hotkey - so the user thinks they are typing their password but they aren't. God, I've got an evil mind sometimes.

Valik, posted January 12, 2004

> Also bear in mind that this would generally be used for password situations where the user just sees ***** so you could log all the standard keys 0-9 a-z and then actually Send a random non-hotkey letter to avoid triggering the hotkey - so the user thinks they are typing their password but they aren't. God, I've got an evil mind sometimes.

Given the amount of times AutoIt is used to write bots for online games, I can see where that last point would be an issue.

Somerset, posted January 12, 2004

to stop key logging you could just limit hot keys to the function keys.

Jon (Administrators), posted January 12, 2004

Yeah it fails a couple of times and the script exits and the user just thinks they mistyped. It's a scam that's been used with ATM machines (fake atm machines in a building somewhere, you enter pin it fails and then eats your card, result is that the thief now has your pin+card).

Somerset, posted January 12, 2004

isn't there some sorta way of generically remapping the keyboard, then returning it to normal after the hotkey has been pressed, and once it has been remapped something else would be sent.

Valik, posted January 12, 2004

but the password will always fail... I dunno, but I can't think of a valid reason for anyone to set 0-9, A-Z, so I am in favor of that limit. That would also work in the malicious author's favor. While the script was running, the user wouldn't even be able to log in to change their password.

CyberSlug, posted January 12, 2004

For what it's worth, I'd vote for #1. Number 2 is also okay. I'm against #3 since some single keys (Esc, Pause, function keys) are useful as hotkeys.

Use Mozilla | Take a look at My Disorganized AutoIt stuff | Very very old: AutoBuilder 11 Jan 2005 prototype I need to update my sig!

Jos (Developers), posted January 12, 2004

I would prefer option 2.

Option 1: is it true that this doesn't really work because you could write a script that will shell multiple scripts of which each do a number of unique keys??

Option 3: I like to use some single keys in a script like pause and esc, so don't like this one...

Jos

SciTE4AutoIt3 Full installer Download page - Beta files Read before posting How to post scriptsource Forum etiquette Forum Rules Live for the present, Dream of the future, Learn from the past.

Jon (Administrators), posted January 12, 2004

I've implemented option 2 (/unstable/ updated).

MattNis, posted January 12, 2004

Since the sourcecode is so freely available, there isn't anything stopping anyone from re-enabling any hotkey functionality that is provided currently.

[quote]I was busy waiting all night for the Columbus Day Bunny to come down my chimney and light fireworks in my pumpkin.There's so much wrong with that.Oh, I'm sorry, i forgot you were Jewish.[/quote]

Jon (Administrators), posted January 12, 2004

Same with anything. But when I get the hatemail and death threats about my trojan software like I did with v2.64 it would be nice to say that it doesn't come like that out of the box.

scriptkitty, posted January 12, 2004

I like option2. It is a shame that there needs to be any options, but in the case to use one, option2 suits all my needs. I can't see a point where I would need over 13 hotkeys, but it is not hard to imagine. Is there a way to limit single key hotkeys to 13, and yea leave as many combinations as possible? Oh and thinking for a sec, couldn't they just script {alt down} into it now?

AutoIt3, the MACGYVER Pocket Knife for computers.

FunkyDo, posted January 17, 2004

FIXED: VK check for A-Z was triggered if vk >= 0x41 *OR* vk <= 0x5A.

```cpp
///////////////////////////////////////////////////////////////////////////////
// GetSingleVKandMods()
// Get a single VK code and modifiers for a given string - used for getting
// single hotkey/shortcut key definitions
///////////////////////////////////////////////////////////////////////////////

bool HS_SendKeys::GetSingleVKandMods(const char *szString, UINT &vk, bool &bShift, bool &bControl, bool &bAlt, bool &bWin)
{
    int     nPos = 0;
    char    ch;
    char    *szTemp;
    bool    bRes = true;                        // Success by default
    int     n = 0;

    // Reset mods
    bShift = bControl = bAlt = bWin = false;

    // Allocate some temporary memory for szTemp
    szTemp = new char[lstrlen(szString)+1];

    while ( szString[nPos] == '+' || szString[nPos] == '^' || szString[nPos] == '!' || szString[nPos] == '#' )
    {
        // Is there a modifier requested?
        if (szString[nPos] == '+')
            bShift = true;
        else if (szString[nPos] == '^')
            bControl = true;
        else if (szString[nPos] == '!')
            bAlt = true;
        else if (szString[nPos] == '#')
            bWin = true;

        ++nPos;                                 // Next char
    }

    ch = szString[nPos++];                      // Get next char

    // Is the next char a { or a simple key?
    if (ch == '{')
    {
        // Special key
        if ( ReadToChar('}', szString, szTemp, nPos) )
            bRes = false;                       // Failed - no close bracket
        else
        {
            // Lookup special codes - Look up the index of the key
            while ( (n < NUMKEYS) && (lstrcmpi(g_szKeyTable[n], szTemp)) )
                n++;

            // Is it a known or valid key
            if (n == NUMKEYS)
                bRes = false;                   // Unknown
            else
            {
                if (g_cKeyLookupType[n] != SK_LOOKUP)
                    bRes = false;               // Invalid
                else
                    vk = g_nKeyCodes[n];
            }
        }
    }
    else
    {
        // Simple char
        vk = VkKeyScan(ch);
        if ( (vk & 0x0200) )                    // CTRL required?
            bControl = true;

        if ( (vk & 0x0400) )                    // ALT required?
            bAlt = true;

        if ( (vk & 0x0100) )                    // SHIFT required?
            bShift = true;
    }

    // Make sure only the VK code (lower byte) is passed back (sans shift states)
    vk = vk & 0xff;

    // Don't allow non-modified keys for 0-9 and a-z (keylogger prevention)
    if ( (vk >= 0x30 && vk <= 0x39) || (vk >= 0x41 && vk <= 0x5A) )
    {
        if (bShift == false && bControl == false && bAlt == false && bWin == false)
            bRes = false;                       // invalid
    }

    // Free temp string memory
    delete [] szTemp;

    return bRes;

} // GetSingleVKandMods()
```

-FunkyDo

Edited January 17, 2004 by FunkyDo
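
An added example, not part of FunkyDo's post or the AutoIt source: a portable C++ sketch of the option 2 rule that compares the range test as the post describes it before the fix with the corrected one. `HotkeyAllowed`, the four-entry named-key table and the ASCII mapping standing in for `VkKeyScan` are assumptions made for illustration.

```cpp
#include <cctype>
#include <cstring>
#include <string>

// Constructed subset of {NAME} keys with their Win32 virtual-key codes.
struct NamedKey { const char *name; unsigned vk; };
static const NamedKey kNamedKeys[] = {
    {"ESC", 0x1B}, {"PAUSE", 0x13}, {"F1", 0x70}, {"F12", 0x7B},
};

// Range test reconstructed from the post's description of the bug:
// "vk >= 0x41 OR vk <= 0x5A" holds for every possible vk.
bool IsRestrictedBuggy(unsigned vk) {
    return (vk >= 0x30 && vk <= 0x39) || (vk >= 0x41 || vk <= 0x5A);
}

// Corrected test: only VK '0'-'9' (0x30-0x39) and VK 'A'-'Z' (0x41-0x5A).
bool IsRestrictedFixed(unsigned vk) {
    return (vk >= 0x30 && vk <= 0x39) || (vk >= 0x41 && vk <= 0x5A);
}

// Hypothetical helper: true if the hotkey definition would be accepted.
bool HotkeyAllowed(const std::string &def, bool (*restricted)(unsigned)) {
    std::size_t pos = 0;
    bool hasMod = false;                               // any of + ^ ! # seen
    while (pos < def.size() && std::strchr("+^!#", def[pos])) { hasMod = true; ++pos; }
    if (pos >= def.size()) return false;               // modifiers with no key
    unsigned vk = 0;
    if (def[pos] == '{') {
        std::size_t close = def.find('}', pos);
        if (close == std::string::npos) return false;  // no closing brace
        std::string name = def.substr(pos + 1, close - pos - 1);
        for (char &c : name) c = (char)std::toupper((unsigned char)c);
        for (const NamedKey &k : kNamedKeys)
            if (name == k.name) vk = k.vk;
        if (vk == 0) return false;                     // unknown key name
    } else {
        unsigned char ch = (unsigned char)def[pos];
        if (!std::isalnum(ch)) return false;           // outside this sketch's scope
        vk = (unsigned)std::toupper(ch);               // VK of 0-9/A-Z is its uppercase ASCII
        if (std::isupper(ch)) hasMod = true;           // a capital implies SHIFT, as VkKeyScan reports
    }
    return !(restricted(vk) && !hasMod);               // unmodified restricted key is rejected
}

int main() {
    return HotkeyAllowed("{ESC}", IsRestrictedFixed) && !HotkeyAllowed("a", IsRestrictedFixed) ? 0 : 1;
}
```

With the OR form every unmodified hotkey is rejected, including the Esc, Pause and function keys that posters in the thread wanted to keep; the AND form limits the rejection to bare 0-9 and a-z.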