• Stars
    star
    628
  • Rank 71,541 (Top 2 %)
  • Language
    C
  • License
    GNU General Publi...
  • Created about 9 years ago
  • Updated over 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

πŸ‘€ Linux kernel mode debugfs keylogger

spy

A Linux kernel module to grab keys pressed in the keyboard, or a keylogger.

It's also an academic project for devs willing to learn Linux kernel module programming, with extensive comments, checkpatch.pl scanned code, standards-compliant Makefile and DKMS support.

spy was initially written for the US keyboard (and conforming laptops). By default it shows human-readable strings for the keys pressed. Optionally, the keycode shift_mask pair can be printed in hex or decimal. You can lookup the keycodes in /usr/include/linux/input-event-codes.h.

The keypress logs are recorded in debugfs as long as the module is loaded. Only root or sudoers can read the log. The module name has been camouflaged to blend-in with other kernel modules.

You can, however, execute a script at shutdown or reboot (the procedure would be distro-specific) to save the keys to a file.

DISCLAIMER: spy is intended to track your own devices and NOT to trespass on others. The author is not responsible for any unethical application.

Table of contents

Compilation

Build

Clone the repository and run:

# make

Note that you need to have the linux kernel headers installed for your running kernel version.

To insert the module into the kernel, run:

# insmod kisni.ko
OR
# make load

To unload the module (and clear the logs), run:

# rmmod kisni

DKMS support

If you have DKMS installed, you can install spy in such a way that it survives kernel upgrades. It is recommended to remove older versions of spy by running dkms remove -m kisni -v OLDVERSION --all as root. To install the new version, run:

# make -f Makefile.dkms

To uninstall it, run:

# make -f Makefile.dkms uninstall

Usage

To view the pressed keys, run:

# cat /sys/kernel/debug/kisni/keys
modinfo kisni.ko
cat /sys/kernel/debug/kisni/keys
#

To log generic hex keycodes in the format keycode shift_mask, run:

# insmod kisni.ko codes=1
// Type something
# cat /sys/kernel/debug/kisni/keys
23 0
12 0
26 0
26 0
18 0
39 0
2a 0
2a 1
2a 1
11 1
18 0
13 0
26 0
20 0
2a 0
2a 1
2a 1
2 1
1c 0
1f 0
16 0
20 0
18 0
39 0
2e 0
1e 0
14 0
6a 0
1c 0

To log the keycodes in decimal, run:

# insmod kisni.ko codes=2

To check the module details:

# modinfo kisni.ko
filename:       kisni.ko
description:    Sniff and log keys pressed in the system to debugfs
version:        1.8
author:         Arun Prakash Jana <[email protected]>
license:        GPL v2
srcversion:     F62F351D06A999293307C20
depends:
retpoline:      Y
name:           kisni
vermagic:       5.4.0-48-generic SMP mod_unload
parm:           codes:log format (0:US keys (default), 1:hex keycodes, 2:dec keycodes) (int)

License

License

Developer

Copyright Β© 2015 Arun Prakash Jana

Links