KeyMe relies on user defined modules to perform actions.
The modules should be located in the
keymods directory in the root of the Micro SD card. Each module is self contained in its own directory. The directories are named in the format
mod##. The mapping to a selection by the DIP is based on the directory number, which range from 2 - 31. For example, Module 7 is contained in the
/keymods/mod07 directory on the Micro SD card.
Each Module contains three files:
|Configuration File||Specifies environment variables.|
|Payload File||[FILE]||The payload to run on the target system.|
|Help File||Description of the Module. (This file is optional.)|
The Configuration file greatly simplifies the process of creating a module. There are many actions that are common across different types of modules.
For example, many payloads will need to be run in a terminal. Using the configuration file, users can specify the Operating System and type of payload. By specifying the target OS is Windows 7 and the payload is a Batch script, the KeyMe firmware will take care of opening a text editor, typing out the content of the payload script, saving the file, and running the script in the terminal. All the user needs to do is set two variable in the
config.txt file of the Module.
The following table lists all the Options for configuration. Some are required and other are optional. You can also use Module Generator
|Operating system of target|
|The type of payload|
|Single line command|
|Name of file on SD card to use as the payload|
|Privilege level (Optional)|
|Regular user access (Default)|
|Administrative access (for Windows 7)|
|Launch payload after X milliseconds(Optional)|
|[######]||Time in milliseconds|
|Directory path on host system (Optional)|
|[DIRECTORY]||Directory path on host system. Up to 255 characters.|
|Next module to execute (Optional)|
|[##]||Module number [2 - 31]|
- Set Option with the format OPTION:VALUE.
- There is no space in between the Option and Value.
- Only one option per line
- Comment lines start with #
The following example will run a batch script (dostuff.bat) on the target Windows 7 system 6 seconds after plugged in.
The KeyMe firmware is capable of handling multiple kinds of payloads. There are four types of payloads.
A single line command is run in the terminal of the host OS. This single line can contain multiple commands using '&' in Windows and ';' in Linux/OSX.
Depending on the Operating System, KeyMe will execute Batch, Bash, Python, Ruby, VBScript, or PowerShell. In order to run, support for these languages must already exist on the target system.
Binaries are converted to HEX and typed in to host, then converted back into binary format. After the binary is copied to the intended host, it is executed, then deleted.
HIDIScript is a scripting language which allows users to perform full keyboard emulation. Read more about the language and generating payloads at HIDIScript.
The Module can contain a
help.txt file. This file should contain useful information about the module. If DIP selection 1 is set, these file are typed out onto the target system. This can be handy to quickly check which module to use. Simple open up a text editor and plug in The Glitch on DIP 1.
The following are some examples of KeyMe modules.
Here is a simple example of adding a new user to a Windows system using a batch script. These files would be contained in the
Boot into a Backtrack Linux from a Live CD and create a reverse SSH connection once the system has been restarted.