#1
kernel-based keylogger for Linux
A simple kernel-based keylogger written for fun, not evil.

Functionality
The keylogger can do the following:
- Hide from the loadable kernel modules list
- Protect against being unloaded by the user
- Unhide itself

Supported Platforms
The keylogger was tested to work on Linux kernels 4.8.0-52 and 4.10 TLS as provided by Ubuntu in Ubuntu 16.04 LTS and Ubuntu 16.10 respectively, but it should be very easy to port to kernels in-between, as well as newer ones.

Setting Up Environment
Install a compiler, Linux headers and all other things required for us to build the keylogger:
Code:
apt-get update
apt-get install build-essential

Code:
make

To install the keylogger module:
Code:
sudo insmod AKeylogger.ko

Code:
lsmod | grep "AKeylogger"

Code:
dmesg

Code:
cat /proc/AKeylog

To uninstall the keylogger module:
Code:
sudo rmmod AKeylogger
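The "hide from the loadable kernel modules list" feature above defeats the `lsmod | grep` check because lsmod only reads /proc/modules. An added defender's check, not code from this thread or the AKeylogger project, cross-checks /proc/modules against /sys/module, which a module that merely unlinks itself from the list still appears in (that is the assumption this check relies on; sample input is constructed):

```shell
#!/bin/sh
# Added example, not code from the thread or the AKeylogger project: detect a
# loadable module that has unlinked itself from the loaded-modules list.
# lsmod reads /proc/modules, so a module hidden that way vanishes from
# "lsmod | grep AKeylogger", but its sysfs directory under /sys/module stays.
# Assumption: the module hides only from the list, not from sysfs.

# hidden_modules PROC_MODULES SYS_NAMES
#   $1: text in /proc/modules format (module name is the first field)
#   $2: newline-separated module names taken from /sys/module
#   Prints every name present in $2 but absent from $1.
hidden_modules() {
    {
        printf '%s\n' "$1" | awk 'NF { print "P", $1 }'
        printf '%s\n' "$2" | awk 'NF { print "S", $1 }'
    } | awk '$1 == "P" { seen[$2] = 1 }
             $1 == "S" && !seen[$2] { print $2 }'
}

# scan_live_system: run the comparison against the running kernel.
# Only directories that carry an initstate file are loadable modules;
# built-in code also gets a /sys/module entry and must be skipped.
scan_live_system() {
    sys_names=$(for f in /sys/module/*/initstate; do
        [ -e "$f" ] && basename "$(dirname "$f")"
    done)
    hidden_modules "$(cat /proc/modules)" "$sys_names"
}

# Constructed sample: /proc/modules no longer lists AKeylogger, sysfs still does.
SAMPLE_PROC='ext4 712704 2 - Live 0x0000000000000000
x_tables 45056 1 ip_tables, Live 0x0000000000000000'
SAMPLE_SYS='AKeylogger
ext4
x_tables'

hidden_modules "$SAMPLE_PROC" "$SAMPLE_SYS"   # prints: AKeylogger
```

Run `scan_live_system` as root on a box under investigation; any name it prints is a module that sysfs knows about but the module list does not.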
#2
Great.
If someone logs in via ssh or putty, I guess it can't be logged, right? It only works on the local machine?
#3
I do not know, I must test.
#4
According to the kernel module it works with the keyboard only, e.g. register_keyboard_notifier(), etc.
ssh/putty (= telnet) are not using the keyboard, they are network (socket) based protocols, so one would need to intercept tcp/udp sockets... that's a totally different type of logger I guess. Keep in mind you might have thousands of open sockets in a system (and just 1 keyboard!)
The Following User Says Thank You to sendersu For This Useful Post:
nimaarek (10-20-2017)
#5
For the ssh guesses, the hook-up of the system calls and interrupts is the response.
#6
My guess is that even if you intercept the ssh data (using the system calls), that wouldn't be enough as it's encrypted, and it's decrypted and interpreted (executed, etc.) in user space by the ssh daemon, the shell, etc.
You could still "strace" from a kernel module all kinds of activity that the ssh connection triggers - processes being spawned, received arguments - but not the actual keypresses on the remote terminal window and the sshd receiving each of them, as this last part happens in user space.
#7
Quote:
Why not hook into SSH-related processes and steal credentials or session traffic, like the Gyrfalcon malware (according to Vault 7, WikiLeaks): https://wikileaks.org/vault7/document/Gyrfalcon-2_0-User_Guide/Gyrfalcon-2_0-User_Guide.pdf
The Following User Says Thank You to sh3dow For This Useful Post:
nimaarek (10-28-2017)
#8
Could you please post this on any downloadable server? I would like to have a look at it. Thanks a lot.