Prevent RubberDucky and keystroke injection attacks
Project description
DuckHunt
Prevent RubberDucky and Keystroke Injection Attacks
DuckHunt protects Windows from "RubberDucky" attacks by monitoring typing patterns and immediately locking the system upon detecting inhumanly fast keystroke inputs.
✨ Features
- Heuristic Detection: Analyzes typing speed and burst patterns to distinguish between human typing and automated scripts.
- Background Protection: Runs unobtrusively in the system tray.
- Smart Session Monitoring: Event-based detection automatically pauses monitoring when the workstation is locked (no polling overhead).
- Secure & Robust:
- Uses a split-process architecture (GUI + Daemon) for stability.
- Single-instance enforcement prevents conflicts.
- Auto-restarting daemon ensures continuous protection.
- Configurable: Adjustable sensitivity thresholds to match your typing style.
📦 Installation
Prerequisites: Python 3.10 or higher.
-
Install from PyPI:
pip install duckhunt-win
-
Clone the repository (for development):
git clone https://github.com/qb20nh/duckhunt.git cd duckhunt
-
Install dependencies:
pip install .
For development, you can install with dev dependencies:
pip install -e .[dev]
🚀 Usage
Starting DuckHunt
You can start the application by running the module directly:
python -m duckhunt-win
Or by running the executable if you have downloaded the latest release.
System Tray Controls
Once running, DuckHunt appears in your system tray:
- Left-Click / Toggle: Enable or Disable monitoring.
- Settings: Open the configuration window to adjust sensitivity.
- Exit: Quit the application and stop the background protection daemon.
How it Works
- Monitoring: The
Daemonprocess listens to global keystrokes using low-level hooks. - Detection: If the typing speed exceeds the configured Threshold (default 30ms/key) or exhibits suspicious Bursts, the detector flags the activity.
- Reaction: The workstation is immediately locked via Windows API.
- Notification: When you unlock your computer, DuckHunt notifies you that an attack was blocked.
⚙️ Configuration
You can configure DuckHunt via the Settings window or by creating a duckhunt.toml (or duckhunt.conf) file in your home directory or the application folder.
| Setting | Default | Description |
|---|---|---|
threshold |
30 |
Average interval between keys in milliseconds. Lower means faster typing is allowed (less sensitive). |
history_size |
25 |
Number of recent keystrokes to analyze for average speed. |
burst_keys |
10 |
Number of keys in a sequence to trigger "burst" detection. |
burst_window_ms |
100 |
Maximum time (ms) allowing burst_keys to be pressed before flagging as suspicious. |
allow_auto_type |
true |
(Experimental) Allow software simulated keys. |
📄 License
MIT License
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file duckhunt_win-1.0.0rc1.tar.gz.
File metadata
- Download URL: duckhunt_win-1.0.0rc1.tar.gz
- Upload date:
- Size: 5.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9e05aeaa3b29c902d0523599f0c32b7624397af2ae924efb9a436a2795a82407
|
|
| MD5 |
7d20c1d60b8baf99db939bd25277872d
|
|
| BLAKE2b-256 |
b4d671fe872737dbe67b54bc6de55f2e2548798ce9c4e8c8081fe8b39665bb8c
|
Provenance
The following attestation bundles were made for duckhunt_win-1.0.0rc1.tar.gz:
Publisher:
release.yml on qb20nh/duckhunt
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
duckhunt_win-1.0.0rc1.tar.gz -
Subject digest:
9e05aeaa3b29c902d0523599f0c32b7624397af2ae924efb9a436a2795a82407 - Sigstore transparency entry: 756648258
- Sigstore integration time:
-
Permalink:
qb20nh/duckhunt@a8c8fdaa5b3e3b55680c203bb2395c6b2412e71e -
Branch / Tag:
refs/tags/v1.0.0-rc.1 - Owner: https://github.com/qb20nh
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@a8c8fdaa5b3e3b55680c203bb2395c6b2412e71e -
Trigger Event:
push
-
Statement type:
File details
Details for the file duckhunt_win-1.0.0rc1-py3-none-any.whl.
File metadata
- Download URL: duckhunt_win-1.0.0rc1-py3-none-any.whl
- Upload date:
- Size: 5.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
5a4c889629ff2575942b3ccb193cc26abf5682ebfe5cd6a542a3801c9c9413ae
|
|
| MD5 |
b09c0b931e5dae492eb0ff11a2e86ebe
|
|
| BLAKE2b-256 |
f93fd1299186ed4f133c1f4a37ff48e0c11c3583ee37991de9b3c026536bb78a
|
Provenance
The following attestation bundles were made for duckhunt_win-1.0.0rc1-py3-none-any.whl:
Publisher:
release.yml on qb20nh/duckhunt
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
duckhunt_win-1.0.0rc1-py3-none-any.whl -
Subject digest:
5a4c889629ff2575942b3ccb193cc26abf5682ebfe5cd6a542a3801c9c9413ae - Sigstore transparency entry: 756648259
- Sigstore integration time:
-
Permalink:
qb20nh/duckhunt@a8c8fdaa5b3e3b55680c203bb2395c6b2412e71e -
Branch / Tag:
refs/tags/v1.0.0-rc.1 - Owner: https://github.com/qb20nh
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@a8c8fdaa5b3e3b55680c203bb2395c6b2412e71e -
Trigger Event:
push
-
Statement type:
