How To Run AutoHotkey Scripts On a VM Remotely (and Secretly)

First, what’s AutoHotkey? It’s a scripting language that lets you control various aspects of Windows. A lot of the stuff you’d be able to do with compiled C/C# programs can be done with AutoHotkey, which makes it one of the most powerful ways to mess with scammers on your VM.

For this to work you’ll need a way to control your VM remotely. I’ve also written a guide for that :slight_smile:

Intro

What we’re trying to achieve is a simple command that takes a script stored on the local machine, then prepares and runs it on a remote Windows VM. After all of this is set up we’ll be able to run a command along these lines:

./run_ahk.sh scripts/example.ahk

In the future we could make a small program with buttons for some of the fun ones.

Why Bother?

There’s lots of fun stuff that we can do with this:

  • Send keyboard input, so they’ll be confused why you can type even with the input blocked
  • Mess with windows; move them around, focus other windows, even make them transparent
  • Launch custom message windows
  • Open custom GUI programs, like fake scareware or viruses
  • Run a keylogger
  • ???
  • profit

Scripts in Linux

The rest of this guide assumes a bit of knowledge of bash scripting in Linux. It’s not too hard and there’s loads of information online, but here are a few key points:

  • Scripts typically have the .sh extension although that’s not required.
  • Any script must be marked as being executable using the chmod 0755 whatever.sh command.
  • Scripts can be run directly from the terminal using ./whatever.sh.

Installing ahk On The VM

We can do this via a simple script from a Linux machine, or the same steps can be done manually on the VM. I prefer the scripted method as it’s nice and easy to run on a fresh or recently reset machine, plus if the scammer deletes the file for some reason we can just put it back :slight_smile:

Save this file as install_ahk.sh

#!/bin/bash

remote_user="User"
remote_host="10.2.6.153"

ahk_folder="C:\ProgramData\Tools"
ahk_zip_url="https://github.com/AutoHotkey/AutoHotkey/releases/download/v2.0.9/AutoHotkey_2.0.9.zip"

# Create the folder to install it in
ssh ${remote_user}@${remote_host} -- mkdir ${ahk_folder}

# Download the portable version of ahk from GitHub
ssh ${remote_user}@${remote_host} -- curl.exe -L -o "${ahk_folder}\\ahk.zip" "${ahk_zip_url}"

# Extract the executable from that .zip
ssh ${remote_user}@${remote_host} -- cd "${ahk_folder}" \&\& tar -x -f ahk.zip AutoHotkey64.exe

You’ll need to change the values of the variables on the first few lines to match your system. If you want to install to a different location or install a different version, you can change the two variables below those too.

Running Local Scripts on The VM

Now to the main point of this guide! The process for running a script on the VM is: copy the file to the VM, run the file, remove it from the VM. We’re going to create a script to automate that so all we’ll need to worry about is the ahk part.

Save this file as run_ahk.sh

#!/bin/bash

remote_user="User"
remote_host="10.2.6.153"

ahk_exe_path="C:\ProgramData\Tools\AutoHotkey64.exe"

if [ ! -f "${1}" ]; then
	echo "Could not find file '${1}'"
	exit 1
fi

# Create a temp folder to transfer the script to the VM
mkdir -p temp_http_server
cp "${1}" temp_http_server/run.ahk

# Start a HTTP server in the background
screen_session=$(uuidgen)
this_machine_ip=$(ip route get 1.1.1.1 | head -1 | cut -d' ' -f 7)
screen -dmS ${screen_session} python3 -m http.server -d temp_http_server

# Tell the VM to download the script from that web server
ssh -t ${remote_user}@${remote_host} -- curl.exe -s -o C:\\Windows\\Tasks\\run.ahk http://${this_machine_ip}:8000/run.ahk

# Run the script with ahk
ssh -t ${remote_user}@${remote_host} -- "${ahk_exe_path}" "/Windows/Tasks/run.ahk"

# Remove the script from the VM
ssh -t ${remote_user}@${remote_host} -- del C:\\Windows\\Tasks\\run.ahk

# Stop the web server and clean up the temp files
rm -Rf temp_http_server
screen -S ${screen_session} -p 0 -X stuff "^C"
screen -S ${screen_session} -p 0 -X quit

Same as before, you’ll need to change the variables on the first few lines to match your system.

This looks a little more complex than it might need to. Most of that is to avoid using scp: annoyingly, the scp command can cause a cmd window to pop up while the file copies across. In the future we might look at ways to get around that, but for now this works well enough.
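A variant of the transfer step that binds the temporary web server to one address instead of every interface, and tears it down even if an ssh step fails or the script is interrupted. This is an added example, not the original run_ahk.sh; the function names and the variables remote_copy, port and server_pid are assumptions, and the host values are the guide's placeholders.

```bash
#!/bin/bash
# Added example, not the guide's run_ahk.sh. Names such as stage_script,
# teardown, server_pid and port are assumptions made for this sketch.
remote_user="User"        # placeholder values reused from the guide
remote_host="10.2.6.153"
ahk_exe_path="C:\ProgramData\Tools\AutoHotkey64.exe"
remote_copy='C:\Windows\Tasks\run.ahk'
port=8000
server_pid=""

# Copy the script into a private directory (mktemp -d creates it mode 0700)
# so the web server has exactly one file to serve. Prints the directory.
stage_script() {
    staged=$(mktemp -d) || return 1
    cp -- "$1" "${staged}/run.ahk" || { rm -rf -- "${staged}"; return 1; }
    echo "${staged}"
}

# Stop the web server if it is running and delete the staged copy.
# Idempotent, so it is safe to call from an EXIT trap.
teardown() {
    if [ -n "${server_pid}" ]; then
        kill "${server_pid}" 2>/dev/null || true
        wait "${server_pid}" 2>/dev/null || true
        server_pid=""
    fi
    if [ -n "${1:-}" ]; then rm -rf -- "$1"; fi
}

main() {
    [ -f "$1" ] || { echo "Could not find file '$1'" >&2; return 1; }
    dir=$(stage_script "$1") || return 1
    trap 'teardown "${dir}"' EXIT      # runs on success, failure and Ctrl-C
    trap 'exit 130' INT TERM
    # Local address on the route to the VM, so the server is not bound to
    # every interface (assumes iproute2's "ip" is installed).
    bind_ip=$(ip route get "${remote_host}" | sed -n 's/.* src \([^ ]*\).*/\1/p')
    [ -n "${bind_ip}" ] || { echo "No route to ${remote_host}" >&2; return 1; }
    python3 -m http.server "${port}" --bind "${bind_ip}" -d "${dir}" >/dev/null 2>&1 &
    server_pid=$!
    sleep 1                            # let the server start listening
    target="${remote_user}@${remote_host}"
    ssh -t "${target}" -- curl.exe -s -o "${remote_copy}" "http://${bind_ip}:${port}/run.ahk"
    ssh -t "${target}" -- "${ahk_exe_path}" "${remote_copy}"
    ssh -t "${target}" -- del "${remote_copy}"
}

# Only run when a script path is given on the command line.
if [ $# -gt 0 ]; then main "$@"; fi
```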

Testing It Out

Create a new file called example.ahk

#NoTrayIcon

MsgBox "Rubbish scam detected, do you want to continue?", "Warning", "YesNo"

Now run it using our script

./run_ahk.sh example.ahk

If everything’s working correctly, you should see the prompt pop up on the VM.
