From YobiWiki
Jump to navigation Jump to search


apt-cache search keylog
lkl - userspace keylogger for x86 architecture
lkl -l -k /usr/share/lkl/keymaps/us_km -o /tmp/log.file

=> Eats 100% of my CPU, half in syscalls, pfff what a discreet piece of soft, and leaves the keyboard in a dirty state, like ctrl was always pushed down

I submitted a patch to solve the problem and another one to get -h working without having to be root.

Hijacks the syscall table

original_read = sys_call_table[ SYS_read ];                                                                                                                                                                                                                           
sys_call_table[ SYS_read ] = hacked_read; 

Logs all sys_read() from stdin (0) with one byte read
Doesn't hide itself
Code done for old kernels, 2.4.5...

Hijacks the syscall table, not on the sys_read() which is solicited quite a lot but on the open() to monitor ttys and hijack their receive_buf() function which is called by the low-level tty driver to send characters received by the hardware to the line discipline for processing
Code done for old kernels, 2.4.18...


brought to you by the Argentine government :-)
Supports kernels up to 2.6.5 :-(
Apparently was part of Honeynet project so maybe it's just ancestor of sebek...


part of the honeynet project
kernel module, hides itself and hides its own network traffic
same syscall table hijacking, monitors read, readv, pread64, open, socketcall, fork, vfork, clone
filtering capabilities
can sniff keystrokes but also uploaded files etc
sends data to a remote server