Exetools

Exetools > Source Code > kernel-based keylogger for Linux (https://forum.exetools.com/showthread.php?t=18451)

nimaarek 10-15-2017 06:32

kernel-based keylogger for Linux
 
A simple kernel-based keylogger written for fun, not evil.

Functionality
The keylogger can do the following:
- Hide from loadable kernel modules list
- Protect against being unloaded by the user
- Unhide itself

Supported Platforms
The keylogger was tested to work on Linux kernels 4.8.0-52 and 4.10 TLS as provided by Ubuntu in Ubuntu 16.04 LTS and Ubuntu 16.10 respectively, but it should be very easy to port to kernels in-between, as well as newer ones.

Setting Up Environment
Install a compiler, Linux headers and all other things required for us to build the keylogger:
Code:

apt-get update
apt-get install build-essential

Build
Code:

make

Use
To install the keylogger module:
Code:

sudo insmod AKeylogger.ko

Test whether the module is loaded:
Code:

lsmod | grep "AKeylogger"
dmesg

Test whether the logging is happening:
Code:

cat /proc/AKeylog

The log file will show the keystrokes logged after the module has been loaded.

To uninstall the keylogger module:
Code:

sudo rmmod AKeylogger
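The module above unlinks itself from the kernel's module list, which is all that lsmod and /proc/modules show, while its /proc/AKeylog interface stays reachable. The following check is an added example for readers who want to verify whether such a module is present on a box; it is not code from the thread or from the AKeylogger project. It assumes a standard Linux layout (/sys/module, /proc/modules) and relies on the "initstate" file that only modules loaded from a .ko get under sysfs.

```shell
#!/bin/sh
# Added example, not from the thread or the AKeylogger project.
# A module that only removes itself from the module list usually keeps
# its sysfs directory, so /sys/module vs /proc/modules is a cheap check.

# hidden_modules SYS_MODULE_DIR PROC_MODULES_FILE
# Prints every loadable module that has a sysfs directory but no entry in
# the module list. Built-in code also gets a /sys/module entry when it
# exposes parameters, so only directories with an "initstate" file
# (present for modules loaded from a .ko) are considered.
hidden_modules() {
    sys_dir=$1
    proc_modules=$2
    for d in "$sys_dir"/*/; do
        [ -f "${d}initstate" ] || continue
        name=${d%/}
        name=${name##*/}
        # The first field of each /proc/modules line is the module name.
        if ! awk '{ print $1 }' "$proc_modules" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# keylog_interface_present PROC_DIR
# Returns 0 if the /proc entry this module creates for its log exists.
keylog_interface_present() {
    [ -e "$1/AKeylog" ]
}

# scan_live: run both checks against the running system.
scan_live() {
    hidden=$(hidden_modules /sys/module /proc/modules)
    if [ -n "$hidden" ]; then
        printf 'modules in sysfs but missing from lsmod:\n%s\n' "$hidden"
    fi
    if keylog_interface_present /proc; then
        echo 'found /proc/AKeylog'
    fi
}

if [ "${1:-}" = "--scan" ]; then
    scan_live
fi
```

Run it with `sh check.sh --scan`. A module can also delete its sysfs directory, so no hits does not prove the system is clean; cross-check with the dmesg output the post mentions.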

winndy 10-18-2017 20:38

Great.
If someone logs in via ssh or putty, I guess it can't be logged, right?
It only works on the local machine?

nimaarek 10-19-2017 04:10

I do not know, I must test.

sendersu 10-19-2017 06:00

According to the kernel module it works with the keyboard only, e.g. register_keyboard_notifier(), etc.

The ssh/putty (=telnet) are not using the keyboard, they are network (socket) based protocols, so one would need to intercept tcp/udp sockets... that's a totally different type of logger I guess :)

keep in mind you might have thousands of open sockets in a system (and just 1 keyboard!) :)

nimaarek 10-20-2017 16:23

For the ssh guesses, hooking up the system calls and interrupts is the response.

Mkz 10-20-2017 18:13

My guess is that even if you intercept the ssh data (using the system calls), that wouldn't be enough as it's encrypted and it's decrypted and interpreted (executed, etc.) on user space by the ssh daemon, the shell, etc.

You could still "strace" on a kernel module all kinds of activity that the ssh connection triggers - processes being spawned, received arguments - but not the actual keypresses on the remote terminal window and the sshd receiving each of them, as this last part happens in user space.

sh3dow 10-27-2017 21:28

Quote:

Originally Posted by sendersu (Post 110948)
According to the kernel module it works with the keyboard only, e.g. register_keyboard_notifier(), etc.

The ssh/putty (=telnet) are not using the keyboard, they are network (socket) based protocols, so one would need to intercept tcp/udp sockets... that's a totally different type of logger I guess :)

keep in mind you might have thousands of open sockets in a system (and just 1 keyboard!) :)


Why not hook into SSH-related processes and steal credentials or session traffic?
Like the gyrfalcon malware (according to Vault 7 on Wikileaks): https://wikileaks.org/vault7/document/Gyrfalcon-2_0-User_Guide/Gyrfalcon-2_0-User_Guide.pdf

foosaa 10-30-2017 14:51

Could you please post this on any downloadable server? I would like to have a look at it. Thanks a lot.
