{"id":20563710,"url":"https://github.com/trustedsec/sliverkeylogger","last_synced_at":"2025-08-20T22:32:13.580Z","repository":{"id":37065887,"uuid":"504651319","full_name":"trustedsec/SliverKeylogger","owner":"trustedsec","description":null,"archived":false,"fork":false,"pushed_at":"2023-09-22T19:39:04.000Z","size":36,"stargazers_count":148,"open_issues_count":2,"forks_count":40,"subscribers_count":7,"default_branch":"master","last_synced_at":"2024-12-11T05:41:46.119Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trustedsec.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-06-17T19:32:53.000Z","updated_at":"2024-10-29T14:51:17.000Z","dependencies_parsed_at":"2024-11-16T05:00:20.140Z","dependency_job_id":null,"html_url":"https://github.com/trustedsec/SliverKeylogger","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedsec%2FSliverKeylogger","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedsec%2FSliverKeylogger/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedsec%2FSliverKeylogger/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedsec%2FSliverKeylogger/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trustedsec","download_url":"https://codeload.github.com/trustedsec/SliverKeylogge
r/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":230462907,"owners_count":18229864,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-16T04:20:24.505Z","updated_at":"2024-12-19T16:12:11.164Z","avatar_url":"https://github.com/trustedsec.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Sliver Keylogger\n\nThis extension to sliver was written mostly as a learning exercise ![image](https://user-images.githubusercontent.com/3172440/174394786-94255ada-2263-4b0b-8076-348b852b2546.png)\n into how sliver handles extensions.\n\nI would like to thank the entire [Sliver](https://github.com/BishopFox/sliver) team for their work on this public implant framework.\nI would especially like to thank [@rkervell](https://twitter.com/rkervell) for answering many of my questions related to how sliver handles its extensions.\n\n## how does this work\n\nBasically it uses [raw input](https://docs.microsoft.com/en-us/windows/win32/inputdev/raw-input).  
This has advantages and disadvantages compared to other common keylogging methods.\n\nI like it because it doesn't require injecting into other binaries, nor does it require polling a given call frequently and potentially missing results.\n\nThis code is some of my own work and some of a mash of examples found around the internet.\n\n## how to build it\n\nOpen the solution file using Visual Studio 2019, and build the x86 and x64 releases.\n\n## how to load / install it\n\nUntil this is potentially included in the [armory](https://github.com/sliverarmory) it can be built on a Windows system. Then the resulting $(solutiondir)\\bin folder can be placed on the sliver client\nand `extensions install \u003cpath to folder\u003e` can be run to install the extension.  You may need to restart or also run `extensions load \u003cpath to folder\u003e`.\n\n## usage\n\nraw_keylogger \\\u003ccmdid\\\u003e\n\nThe following cmdid values are valid:\n```\n0 = stop\n1 = start\n2 = get keystrokes\n```\n\nIf everything goes well, it will look like this:\n![Screen Shot 2022-06-17 at 3 05 09 PM](https://user-images.githubusercontent.com/3172440/174394494-95aebc3f-3250-4374-9feb-33b5286cf2a7.png)\n\n## lessons learned\n\nSliver's API has the following two main parts:\n```cpp\ntypedef int (*goCallback)(const char*, int);\n\nextern \"C\" {\n\t__declspec(dllexport) int __cdecl entrypoint(char* argsBuffer, uint32_t bufferSize, goCallback callback);\n}\n```\n\nThe implant will call the \"entrypoint\" as defined in the .json file. It points to your entrypoint function (doesn't have to have that name, just follow the signature).\n\ngoCallback is a function for returning output to go.   
It's called like `callback(string, string_length)`.\n\nWhen coding the extension, for now the \"name\" and \"command_name\" must match, otherwise the implant will reload your extension on every call.\n\nAs of this writing non-BOF extensions don't support strongly typed arguments, so everything provided on the cli after the command name will be sent down as a string.  You have to handle it from there on the extension's native code side.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrustedsec%2Fsliverkeylogger","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrustedsec%2Fsliverkeylogger","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrustedsec%2Fsliverkeylogger/lists"}