keysniffer: trace pressed keys in debugfs

Keysniffer started as stub code to test the data coming from the Linux kernel's keypress notifier. However, it was a fine Sunday morning and I sat down writing a keylogger to trace the keys pressed on my system. It was ready by afternoon and I decided to publish it on GitHub for others to try out.

The advantage of writing the utility as a kernel module is the reduced traceability when compared to a userspace keylogger. I have crafted the name so that it looks like regular kernel modules and lists around the middle of lsmod output. The utility was never intended to be used for trespassing on others. If I use it regularly, the purpose would be to protect my own system.

keysniffer uses a buffer of 16KB (assuming 4KB page size). The pressed keys are written into the buffer separated by newlines. The log is written to debugfs, again to avoid easy or inadvertent detection using dmesg. Once the buffer is exhausted, it is reset and the log rolls back. The log is self-explanatory.

Installation

Clone the project from GitHub and compile it:

$ git clone https://github.com/jarun/keysniffer
$ cd keysniffer
$ make

kisni.ko is the kernel module.

Usage

To start logging, insert the module:

$ sudo insmod kisni.ko

To view the log in debugfs:

$ sudo cat /sys/kernel/debug/kisni/keys

To remove the log, unload the module:

$ sudo rmmod kisni
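The two design choices above (a module name chosen to blend into lsmod output, and a log kept in debugfs rather than dmesg) are exactly what a host-side check can key on. Below is an added example, not part of keysniffer, showing how an administrator can spot an out-of-tree or unsigned module via the per-module taint flags the kernel exports under /sys/module/<name>/taint, and enumerate top-level debugfs entries to compare against a known-good baseline; the sample tree it builds under a temporary directory is constructed for offline testing.

```shell
#!/bin/sh
# Added detection helper (hypothetical, not part of keysniffer).
# ROOT is "" on a live system, or a constructed tree for testing.

# Print "name flags" for each module under $ROOT/sys/module whose
# taint file carries O (out-of-tree) or E (unsigned). An in-tree,
# signed module has an empty taint file and is not reported.
find_tainted_modules() {
    root="${1:-}"
    for taint in "$root"/sys/module/*/taint; do
        [ -r "$taint" ] || continue
        flags=$(cat "$taint")
        case "$flags" in
            *O*|*E*)
                printf '%s %s\n' "$(basename "$(dirname "$taint")")" "$flags" ;;
        esac
    done
}

# List top-level debugfs entries; diff this against a baseline taken
# on a clean boot so a new directory such as kisni/ stands out.
list_debugfs_entries() {
    root="${1:-}"
    dbg="$root/sys/kernel/debug"
    [ -d "$dbg" ] || { echo "debugfs not mounted at $dbg" >&2; return 1; }
    ls -1 "$dbg"
}

# Constructed sample tree: one in-tree module, one out-of-tree unsigned
# module that also registered a debugfs directory.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/sys/module/ext4" \
             "$root/sys/module/kisni" \
             "$root/sys/kernel/debug/kisni"
    printf '\n'   > "$root/sys/module/ext4/taint"   # no taint flags
    printf 'OE\n' > "$root/sys/module/kisni/taint"  # out-of-tree, unsigned
    echo "$root"
}
```

On a live host run `find_tainted_modules` and `list_debugfs_entries` with no argument (as root, since debugfs is root-only); the module name is irrelevant to the check because the taint flags come from how the module was built and signed, not from what it is called.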

Don’t forget to star the project on GitHub if you like it or find it useful.

On GitHub: keysniffer
