Keyloggers

From YobiWiki
Jump to: navigation, search

Contents

lkl

apt-cache search keylog
lkl - userspace keylogger for x86 architecture
lkl -l -k /usr/share/lkl/keymaps/us_km -o /tmp/log.file

=> Eats 100% of my CPU, half in syscalls, pfff what a discreet piece of soft, and leaves the keyboard in a dirty state, like ctrl was always pushed down

I submitted a patch to solve the problem and another one to get -h working without having to be root.

lkm

http://packetstormsecurity.org/UNIX/security/kernel.keylogger.txt
Hijacks the syscall table

original_read = sys_call_table[ SYS_read ];                                                                                                                                                                                                                           
sys_call_table[ SYS_read ] = hacked_read; 

Logs all sys_read() from stdin (0) with one byte read
Doesn't hide itself
Code done for old kernels, 2.4.5...

vlogger

http://www.phrack.org/issues.html?issue=59&id=14&mode=txt
Hijacks the syscall table, not on the sys_read() which is solicited quite a lot but on the open() to monitor ttys and hijack their receive_buf() function which is called by the low-level tty driver to send characters received by the hardware to the line discipline for processing
Code done for old kernels, 2.4.18...

tcleo

brought to you by the Argentine government :-)
http://www.citefa.gov.ar/SitioSI6_EN/si6.htm
Supports kernels up to 2.6.5 :-(
Apparently was part of Honeynet project so maybe it's just ancestor of sebek...

sebek

part of the honeynet project
http://www.honeynet.org/tools/sebek/
kernel module, hides itself and hides its own network traffic
same syscall table hijacking, monitors read, readv, pread64, open, socketcall, fork, vfork, clone
filtering capabilities
can sniff keystrokes but also uploaded files etc
sends data to a remote server

Personal tools
Namespaces

Variants
Actions
Navigation
Tools