From bed471a7cc9dce93e138d00e28a7d41ec9a89930 Mon Sep 17 00:00:00 2001
From: zeze-zeze
Date: Mon, 13 Oct 2025 15:14:04 +0800
Subject: [PATCH 1/4] feat: log keystrokes via directx
---
 .../keylog/log-keystrokes-via-directx.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 collection/keylog/log-keystrokes-via-directx.yml
diff --git a/collection/keylog/log-keystrokes-via-directx.yml b/collection/keylog/log-keystrokes-via-directx.yml
new file mode 100644
index 000000000..80880dc32
--- /dev/null
+++ b/collection/keylog/log-keystrokes-via-directx.yml
@@ -0,0 +1,17 @@
+rule:
+ meta:
+ name: log keystrokes via directx
+ namespace: collection/keylog
+ authors:
+ - https://github.com/zeze-zeze
+ scopes:
+ static: function
+ dynamic: call
+ att&ck:
+ - Collection::Input Capture::Keylogging [T1056.001]
+ examples:
+ - 52d8e95c9883cd16d7b44e3a7adc22d6.exe_
+ features:
+ - and:
+ - api: RegisterRawInputDevices
+ - api: GetRawInputData
From 4f73f558f5d395a8f202377770fc5806b15ccdaf Mon Sep 17 00:00:00 2001
From: zeze-zeze
Date: Mon, 13 Oct 2025 17:57:55 +0800
Subject: [PATCH 2/4] fix: williballenthin review
---
 ...es-via-directx.yml => log-keystrokes-via-rawinput.yml} | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 rename collection/keylog/{log-keystrokes-via-directx.yml => log-keystrokes-via-rawinput.yml} (65%)
diff --git a/collection/keylog/log-keystrokes-via-directx.yml b/collection/keylog/log-keystrokes-via-rawinput.yml
similarity index 65%
rename from collection/keylog/log-keystrokes-via-directx.yml
rename to collection/keylog/log-keystrokes-via-rawinput.yml
index 80880dc32..47acd0f95 100644
--- a/collection/keylog/log-keystrokes-via-directx.yml
+++ b/collection/keylog/log-keystrokes-via-rawinput.yml
@@ -1,9 +1,9 @@
 rule:
 meta:
- name: log keystrokes via directx
+ name: log keystrokes via rawinput
 namespace: collection/keylog
 authors:
- - https://github.com/zeze-zeze
+ - @zeze-zeze
 scopes:
 static: function
 dynamic: call
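Review bot: `- @zeze-zeze` in the authors list of the PATCH 2/4 hunk is not loadable YAML: `@` is a reserved indicator that cannot start a plain scalar, so this revision of the rule file fails to parse on its own. PATCH 3/4 replaces it with `- zeze-zeze`; consider squashing that fix into this commit so every revision in the series parses, or quote the handle (`- '@zeze-zeze'`) if that form is wanted.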
@@ -13,5 +13,5 @@ rule:
 - 52d8e95c9883cd16d7b44e3a7adc22d6.exe_
 features:
 - and:
- - api: RegisterRawInputDevices
- - api: GetRawInputData
+ - api: user32.RegisterRawInputDevices
+ - api: user32.GetRawInputData
From c92b599402f2ccb4c001e93fef6866d0345eb14b Mon Sep 17 00:00:00 2001
From: zeze-zeze
Date: Tue, 21 Oct 2025 00:04:29 +0800
Subject: [PATCH 3/4] move register-raw-input-devices from nursery
---
 collection/keylog/log-keystrokes-via-rawinput.yml | 8 ++++----
 nursery/register-raw-input-devices.yml | 13 -------------
 2 files changed, 4 insertions(+), 17 deletions(-)
 delete mode 100644 nursery/register-raw-input-devices.yml
diff --git a/collection/keylog/log-keystrokes-via-rawinput.yml b/collection/keylog/log-keystrokes-via-rawinput.yml
index 47acd0f95..604bd6609 100644
--- a/collection/keylog/log-keystrokes-via-rawinput.yml
+++ b/collection/keylog/log-keystrokes-via-rawinput.yml
@@ -3,15 +3,15 @@ rule:
 name: log keystrokes via rawinput
 namespace: collection/keylog
 authors:
- - @zeze-zeze
+ - zeze-zeze
+ - michael.hunhoff@mandiant.com
 scopes:
- static: function
+ static: basic block
 dynamic: call
 att&ck:
 - Collection::Input Capture::Keylogging [T1056.001]
 examples:
 - 52d8e95c9883cd16d7b44e3a7adc22d6.exe_
 features:
- - and:
+ - or:
 - api: user32.RegisterRawInputDevices
- - api: user32.GetRawInputData
diff --git a/nursery/register-raw-input-devices.yml b/nursery/register-raw-input-devices.yml
deleted file mode 100644
index 2e5cb96da..000000000
--- a/nursery/register-raw-input-devices.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-# generated using capa explorer for IDA Pro
-rule:
- meta:
- name: register raw input devices
- namespace: host-interaction/hardware
- authors:
- - michael.hunhoff@mandiant.com
- scopes:
- static: basic block
- dynamic: call
- features:
- - or:
- - api: user32.RegisterRawInputDevices
From a067ed243a32bcb662981c2644eb9c09b9e5795f Mon Sep 17 00:00:00 2001
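Review bot: Dropping `user32.GetRawInputData` and relaxing `and` to a single-entry `or` at `static: basic block` in the PATCH 3/4 hunk means the rule now fires on any call to `RegisterRawInputDevices`, discarding the only feature that showed input actually being read; the two-API conjunction at function scope from PATCH 2/4 is the stronger keystroke-capture signal and is worth keeping as its own rule alongside this registration-only one. The `examples:` entry still carries only the sample name; if the ruleset's linter expects an address for sub-file scopes (`<hash>:0x<addr>`), the move to basic-block scope needs one. The nursery file removal in the same commit is a pure deletion and raises nothing further.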
From: zeze-zeze
Date: Sat, 25 Oct 2025 02:20:20 +0800
Subject: [PATCH 4/4] use original rule name
---
 ...ystrokes-via-rawinput.yml => register-raw-input-devices.yml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename collection/keylog/{log-keystrokes-via-rawinput.yml => register-raw-input-devices.yml} (90%)
diff --git a/collection/keylog/log-keystrokes-via-rawinput.yml b/collection/keylog/register-raw-input-devices.yml
similarity index 90%
rename from collection/keylog/log-keystrokes-via-rawinput.yml
rename to collection/keylog/register-raw-input-devices.yml
index 604bd6609..3a0b2dd8f 100644
--- a/collection/keylog/log-keystrokes-via-rawinput.yml
+++ b/collection/keylog/register-raw-input-devices.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: log keystrokes via rawinput
+ name: register raw input devices
 namespace: collection/keylog
 authors:
 - zeze-zeze
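Review bot: After this rename the `name` describes device registration, but `namespace: collection/keylog` on the context line below it, and the T1056.001 tag further down the file outside this hunk, still present the match as keylogging, whereas the nursery rule this series replaces lived under `host-interaction/hardware` with no ATT&CK mapping. A lone `RegisterRawInputDevices` call at basic-block scope is a precursor rather than evidence of keystroke capture, and presumably common in benign input-handling code. Either return the rule to the hardware namespace or add a `description:` meta line stating that registration alone does not establish capture, so consumers weigh the match accordingly.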