LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

11-01-2005, 10:30 AM   #1
TotalDefiance
Member
 
Registered: Jan 2004
Distribution: Slackware, RH, WBEL
Posts: 65

Rep: Reputation: 15
*working* kernel based keylogger for honeypot?


I've searched a good bit on the topic, and tried compiling vlogger (2.1.1 I think); however, I have not had much luck.

I have a vmware honeypot set up and would like to avoid using user-mode-linux on top of that if possible. I have not been able to find a clear-cut linux kernel based keylogger which works (aside from mentions of prepackaged rootkits and related). vlogger has many errors when compiling on a 2.4. kernel (does compile the control program however crashes when compiling the actual keylogger)... and when compiling on the 2.6.x series, even more errors are had.

I don't really 'program' aside from when I need to, so 'diving right in' to using kernel hooks and kernel input buffers to make my own for this purpose would take a while.

Links, ideas anyone?
 
11-03-2005, 08:32 AM   #2
TotalDefiance
Member
 
Registered: Jan 2004
Distribution: Slackware, RH, WBEL
Posts: 65

Original Poster
Rep: Reputation: 15
anyone?...
 
11-03-2005, 02:48 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
> I've searched a good bit on the topic

Just curious what you found then.

> I have a vmware honeypot

You know VMware can be detected? And you don't need to be root for it.

> I have not been able to find a clear-cut linux kernel based keylogger which works (aside from mentions of prepackaged rootkits and related).

You got a job to be done, so what's wrong with rootkits if that would work? Anyway, tried Sebek?

> vlogger (..) however crashes when compiling the actual keylogger

Did you drop a question about that in the Programming forum? Might help..
 
11-03-2005, 09:07 PM   #4
TotalDefiance
Member
 
Registered: Jan 2004
Distribution: Slackware, RH, WBEL
Posts: 65

Original Poster
Rep: Reputation: 15
1) Mainly found various references to vlogger and infinite references to
http://www.phrack.org/show.php?p=59&a=14

Nothing definite.

2) Yes, I am aware of the ease it takes to identify VMware regarding looking at the devices, *especially* in regards to VGA. However VMware is at least legitimate software. However if there are other ways you're aware of of detecting a virtual instance, please share. I'm not opposed to slapping together an old PII, just lazy I suppose.

No, I have no opposition to rootkits, they would even be preferable and convenient in this instance, they are just somewhat foreign territory to me as far as what ones exist and such. Sebek's info looks very promising.


3) If Sebek falls through, I'll take the programming forum advice; just thought I'd see if I could grab some quick and dirty comments here.

Thanks.
 
11-05-2005, 11:25 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
> However if there are other ways you're aware of of detecting a virtual instance, please share.

VMware specific: BIOS values, magic number/segfault check, VMware backdoor (legitimate), IDT address, execution timing, dmesg, IP IDs, VMware's MAC address vendor range, TCP stack errors. General: execution timing (vs clean system), looking for shaping/limiting, payload changes. For me the most important thing to realise is that honeypots are (quoting Corey) "a modification to the structure of the system that can and will be found". Articles and discussions on various mailing lists are easy to find at either SecurityFocus, MARC or Phrack, but here's some docs:
- Phrack phake, p62-0x07: Local Honeypot Identification (txt)
- Phrack phake, p63-0x09: Advanced Honey Pot Identification And Exploitation (txt)
- CCC, Nosebreak: Attacking Honeynets (pdf)
- USMA, 2005 IEEE: Detecting Honeypots and other suspicious environments (pdf)
- VMware's back
- SecurityFocus.com, 4tphi: Detecting VMWare
- SecurityFocus.com, Defeating Honeypots: System Issues, Part 1 and Part 2 (also note the "Network issues" and other docs in the reference table at the bottom)


BTW, changing all Makefile maligns to faligns was all I needed to do, so what exactly were those errors compiling Vlogger?

Last edited by unSpawn; 11-05-2005 at 11:26 AM.
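
Added example, not part of the thread: a self-audit a honeypot operator could run over their own guest to see which of the static VMware fingerprints named in the post above (MAC address vendor range, dmesg, BIOS values) it exposes. The command output embedded below is constructed sample data, and the function names are hypothetical.

```python
import re

# MAC vendor prefixes (OUIs) registered to VMware.
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}

# Matches the MAC in both `ip link` ("link/ether") and `ifconfig` ("HWaddr") output.
MAC_RE = re.compile(r"(?:link/ether|HWaddr)\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def vmware_macs(link_output):
    """Return interface MACs whose vendor prefix belongs to VMware."""
    macs = [m.lower() for m in MAC_RE.findall(link_output)]
    return [m for m in macs if m[:8] in VMWARE_OUIS]

def vmware_log_lines(dmesg_output):
    """Return kernel log lines that name VMware virtual hardware."""
    return [l.strip() for l in dmesg_output.splitlines() if "vmware" in l.lower()]

def audit(link_output, dmesg_output, dmi):
    """Collect (source, evidence) pairs for every static VMware fingerprint found."""
    findings = [("mac", m) for m in vmware_macs(link_output)]
    findings += [("dmesg", l) for l in vmware_log_lines(dmesg_output)]
    findings += [("dmi:" + k, v) for k, v in sorted(dmi.items()) if "vmware" in v.lower()]
    return findings

# Constructed sample input, shaped like `ip link` / `ifconfig`, `dmesg`
# and `dmidecode -s <keyword>` output on a VMware guest.
SAMPLE_LINK = """\
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0C:29:3a:5b:7c brd ff:ff:ff:ff:ff:ff
eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
"""
SAMPLE_DMESG = """\
hda: VMware Virtual IDE Hard Drive, ATA DISK drive
hdc: VMware Virtual IDE CDROM Drive, ATAPI CD/DVD-ROM drive
eth0: registered as PCnet/PCI II 79C970A
"""
SAMPLE_DMI = {
    "bios-vendor": "Phoenix Technologies LTD",
    "system-manufacturer": "VMware, Inc.",
    "system-product-name": "VMware Virtual Platform",
}

if __name__ == "__main__":
    for source, evidence in audit(SAMPLE_LINK, SAMPLE_DMESG, SAMPLE_DMI):
        print(f"{source:28} {evidence}")
```

An empty result only covers these static strings; the timing, IDT and backdoor checks in the list above are not visible to this kind of audit.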
 
  

