LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 01-05-2006, 03:51 AM   #1
lini
LQ Newbie
 
Registered: Jan 2006
Posts: 29

Rep: Reputation: 15
anti keylogger


Hi,
I'm writing a piece of code that's supposed to discover keyloggers in one's system. A keylogger is a spy that logs all user keystrokes to a file. So I'm interested in writing a program that discovers the existence of a keylogger in the system.
Any ideas how to implement it? (over redhat based on kernel 2.4.x)
thanks
 
Old 01-05-2006, 07:29 PM   #2
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
There are many ways to implement a keylogger, so it's not easy... The most obvious is with shared library redirection that lets you hijack functions such as read(), gets(), et cetera... To detect this one you would have to create a mini shared library that deletes the LD_PRELOAD environment variable or stuff in /etc/ld.so.preload See ld.so(8)

The other ways involve kernel modules... One of them hijacks system calls: read() (different from the libc wrapper with the same name) which would let you sniff keystrokes from statically compiled programs as well as suid binaries. (Remember: shared vs static... the method mentioned above would sniff keystrokes from non-suid dynamically linked binaries. LD_PRELOAD is ignored for suid/sgid programs)

Still exists another that uses some obscure feature or extension of the X protocol. It must be in the web

Last edited by primo; 01-05-2006 at 07:31 PM.
 
Old 01-06-2006, 03:07 AM   #3
lini
LQ Newbie
 
Registered: Jan 2006
Posts: 29

Original Poster
Rep: Reputation: 15
Thanks for the explanation, it was informative, but I was asking mainly on ANTI-keylogger implementation. My keylogger involves kernel modules as you suggested, but I'm interested in discovering it...
 
Old 01-06-2006, 04:17 AM   #4
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
Are you interested in recovering *any* kind of keylogger ?

Discovering LKM-based malware is difficult. There are many ways to hide something in the kernel and different Linux versions handle stuff such as the system call table differently and it appears that these days there isn't such a table at all. See the "Linux Kernel Module Programming Guide" for directions. The old ways of hijacking system calls were dropped for more stealthy ones. For these ones see Phrack
 
Old 01-07-2006, 06:56 AM   #5
lini
LQ Newbie
 
Registered: Jan 2006
Posts: 29

Original Poster
Rep: Reputation: 15
I've been thinking of 3 possible implementations, but I still can't see it all the way to the end. Maybe you can help me out with this:
1st idea is keeping a copy to the original system calls, and then, whenever the user runs the anti-keylooger, compare the original copy of the functions and the copy currently used. In case of a difference between the copies, it might be that there is a keylogger in the system. My problems with these options are: 1. assuming I'm keeping my original copy as a module, how do I let the antikeylogger use it? 2. how to compare between the 2 copies?
2nd idea: measuring the time it takes to perform a write operation, assuming when a keylogger is in the system it will take more clock cycles to write. problems: how can I keep the "usual" number of clock cycles?
3rd idea: maybe I can use interrupts to trace keyloggers planted in my system. I don't like this idea....
Can you help me with those ideas?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
keylogger? |2ainman Linux - Security 4 08-21-2013 04:48 AM
keylogger in java? Laptop2250 Programming 2 01-08-2005 06:27 PM
help with lkl keylogger br0k3n Linux - Software 0 07-22-2004 05:55 PM
Creating an ultimate anti-virus and anti-spam email gateway markcc Linux - Networking 2 10-08-2003 04:10 AM
Anti trojan and anti virus--Iparmor ppsl Linux - Security 1 12-03-2002 05:33 AM


All times are GMT -5. The time now is 01:47 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration