打开之后是一个流量包
用wireshark导出HTTP文件,有个upload,用一下binwalk,出来了一个镜像文件
用volatility搜一下,命令里有一个密码,看见了但是后来给忘了。。。
文件里有一个flag.img,导出
里面有一个压缩包,导出
或者用取证大师直接打开data.vmem就能看到压缩包
用cmd里的密码解压压缩包
一串字符,可以看出是usb键盘与电脑通信的流量
用一下网上搜到的脚本
import sys
import os usb_codes = {
0x04:"aA", 0x05:"bB", 0x06:"cC", 0x07:"dD", 0x08:"eE", 0x09:"fF",
0x0A:"gG", 0x0B:"hH", 0x0C:"iI", 0x0D:"jJ", 0x0E:"kK", 0x0F:"lL",
0x10:"mM", 0x11:"nN", 0x12:"oO", 0x13:"pP", 0x14:"qQ", 0x15:"rR",
0x16:"sS", 0x17:"tT", 0x18:"uU", 0x19:"vV", 0x1A:"wW", 0x1B:"xX",
0x1C:"yY", 0x1D:"zZ", 0x1E:"1!", 0x1F:"2@", 0x20:"3#", 0x21:"4$",
0x22:"5%", 0x23:"6^", 0x24:"7&", 0x25:"8*", 0x26:"9(", 0x27:"0)",
0x2C:" ", 0x2D:"-_", 0x2E:"=+", 0x2F:"[{", 0x30:"]}", 0x32:"#~",
0x33:";:", 0x34:"'\"", 0x36:",<", 0x37:".>", 0x4f:">", 0x50:"<"
} def code2chr(filepath):
lines = []
pos =
for x in open(filepath,"r").readlines():
code = int(x[:],) # 即第三个字节
if code == :
continue
# newline or down arrow - move down
if code == 0x51 or code == 0x28:
pos +=
continue
# up arrow - move up
if code == 0x52:
pos -=
continue # select the character based on the Shift key
while len(lines) <= pos:
lines.append("")
if code in range(,):
if int(x[:],) == :
lines[pos] += usb_codes[code][]
else:
lines[pos] += usb_codes[code][] for x in lines:
print(x) if __name__ == "__main__":
# check argv
filepath = 'usbdata.txt'
code2chr(filepath)
'''
if len(sys.argv) != :
print("Usage:\n\tpython keyboardScanCode.py datafile.txt\nhow to get datafile:\t tshark -r file.usb.pcapng -T fields -e usb.capdata > datafile.txt")
exit()
else:
filepath = sys.argv[]
code2chr(filepath)
'''
