collection/keylog

log keystrokes via raw input data

# generated using capa explorer for IDA Pro
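rule:
  meta:
    name: log keystrokes via raw input data
    namespace: collection/keylog
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: unsupported  # requires offset, mnemonic features
    att&ck:
      - Collection::Input Capture::Keylogging [T1056.001]
  features:
    # Matches the usual Raw Input keylogging loop: the function calls
    # GetRawInputData(hRawInput, RID_INPUT, ...) and then compares the
    # returned RAWINPUT's header.dwType against RIM_TYPEKEYBOARD and its
    # data.keyboard.Message against WM_KEYDOWN.
    #
    # The size and offset constants depend on the target bitness, because
    # RAWINPUTHEADER holds a HANDLE and a WPARAM (4 bytes each on x86,
    # 8 bytes each, 8-aligned, on x64):
    #   x86: sizeof(RAWINPUTHEADER) = 0x10, VKey @ 0x16, Message @ 0x18
    #   x64: sizeof(RAWINPUTHEADER) = 0x18, VKey @ 0x1e, Message @ 0x20
    # The original rule only carried the x86 values, so 64-bit samples
    # were silently missed. Each bitness-dependent feature is now an `or`
    # of both layouts; x86 matches are unchanged.
    #
    # NOTE(review): only WM_KEYDOWN (0x100) is matched. A logger that keys
    # off WM_SYSKEYDOWN (0x104, Alt-modified keys) or RAWKEYBOARD.Flags
    # instead would not match this rule.
    - and:
      - basic block:
        - description: get raw input
        - and:
          - api: user32.GetRawInputData
          - number: 0x10000003 = RID_INPUT
          - or:
            - number: 0x10 = sizeof(RAWINPUTHEADER) on x86
            - number: 0x18 = sizeof(RAWINPUTHEADER) on x64
      - instruction:
        - description: check raw data is keyboard keydown
        - mnemonic: cmp
        - or:
          - offset: 0x18 = RAWINPUT->data.keyboard.Message on x86
          - offset: 0x20 = RAWINPUT->data.keyboard.Message on x64
        - number: 0x100 = WM_KEYDOWN
      - instruction:
        - description: check raw data is keyboard
        - mnemonic: cmp
        # header.dwType is the first field on both x86 and x64
        - offset: 0x0 = RAWINPUT->header.dwType
        - number: 0x1 = RIM_TYPEKEYBOARD
      - optional:
        # reading the virtual-key code is typical but not required to match
        - or:
          - offset: 0x16 = RAWINPUT->data.keyboard.VKey on x86
          - offset: 0x1e = RAWINPUT->data.keyboard.VKey on x64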
