PhilippeTeuwen at 21:18, 8 February 2008

2008-02-08T21:18:10Z

New page

==lkl==
apt-cache search keylog
lkl - userspace keylogger for x86 architecture

lkl -l -k /usr/share/lkl/keymaps/us_km -o /tmp/log.file
=> Eats 100% of my CPU, half in syscalls, pfff what a discreet piece of soft, and leaves the keyboard in a dirty state, like ctrl was always pushed down

I submitted [http://bugs.debian.org/460230 a patch] to solve the problem and [http://bugs.debian.org/464757 another one] to get -h working without having to be root.

==lkm==
http://packetstormsecurity.org/UNIX/security/kernel.keylogger.txt
 Hijacks the syscall table
original_read = sys_call_table[ SYS_read ];
sys_call_table[ SYS_read ] = hacked_read;
Logs all sys_read() from stdin (0) with one byte read
 Doesn't hide itself
 Code done for old kernels, 2.4.5...
==vlogger==
http://www.phrack.org/issues.html?issue=59&id=14&mode=txt
 Hijacks the syscall table, not on the sys_read() which is solicited quite a lot but on the open() to monitor ttys and hijack their receive_buf() function which is called by the low-level tty driver to send characters received by the hardware to the line discipline for processing
 Code done for old kernels, 2.4.18...
==tcleo==
brought to you by the Argentine government :-)
 http://www.citefa.gov.ar/SitioSI6_EN/si6.htm
 Supports kernels up to 2.6.5 :-(
 Apparently was part of Honeynet project so maybe it's just ancestor of sebek...

==sebek==
part of the honeynet project
 http://www.honeynet.org/tools/sebek/
 kernel module, hides itself and hides its own network traffic
 same syscall table hijacking, monitors read, readv, pread64, open, socketcall, fork, vfork, clone
 filtering capabilities
 can sniff keystrokes but also uploaded files etc
 sends data to a remote server

Keyloggers - Revision history

PhilippeTeuwen at 21:18, 8 February 2008