
Show HN: keysniffer – Linux kernel module to log pressed keys in debugfs - apjana
https://github.com/jarun/keysniffer
======
emmab
> The module name has been crafted to blend-in with other kernel modules.

> keysniffer is intended to track your own devices and NOT to trespass on
> others.

This sounds inconsistent...

~~~
0xdeadbeefbabe
I agree. Maybe he's implying something about linux being multi-user.

------
an_ko
If you only need a logger for X11, but want it to be layout-agnostic, I wrote
one of those: [https://github.com/anko/xkbcat](https://github.com/anko/xkbcat)
It doesn't even need sudo, perhaps because X11 was written by hippies. :)

------
xrorre
You can counter this by creating a hook to scramble keys as they are typed.
There are countless antiloggers out there and they're the first thing I
install on any fresh distro. Why this antilogging technique is not the default
in most so called 'hardened' systems is beyond me. Really low hanging fruit
like the ability to log keys should be looked after first and not addressed at
some future date when you realize 20+ years of keystrokes were siphoned off
your machine.

~~~
geofft
Aren't anti-antiloggers equally easy to write? Countering an example keylogger
is easy, but countering a production-ready keylogger, assuming that keylogger
actually gets to load itself as a kernel module, doesn't seem like low-hanging
fruit.

What's the threat model you have where evil kernel modules are installed on
your machine, yet they _don't_ do things like siphon off your files, read
passwords out of the memory of running processes, add entries to
/root/.ssh/authorized_keys if and only if the current process's name is
"sshd", etc.?

~~~
xrorre
In terms of a threat model, it includes any machine which acts as a hypervisor
and as the old saying goes: If you don't trust the hypervisor, how can you
trust any machine running in that hypervisor?

Antilogging is but one tiny component of defense in depth and worth
investigating if you're doing anything interesting with a computer. 'Doing
something interesting' although is not to be misconstrued as 'doing something
bad'. It just means how can any meaningful work get done if low hanging fruit
like keystrokes can (and are) being siphoned off?

It helps to see how machines are actually being compromised like this... I've
seen it on my machine and sometimes entire office buildings are being siphoned
like this. I typically report this, but I would much rather get to the root as
to how it's possible in the first place :(

~~~
geofft
Huh, that doesn't match my intuitions at all (at least on UNIX-based OSes), so
I'm pretty surprised and want to re-adjust my expectations. You're saying that
you regularly see compromised machines that are running kernel-mode
keyloggers, but _only_ keyloggers? What has the attack vector been, and do you
know where the keys are being logged to?

------
yc-kraln
cat /dev/input ?

~~~
throwaway0209
would that yield the same? (i am not able to try it at the moment)

~~~
rincebrain
Not really - in part because /dev/input is a directory, and in part because I
_believe_ reading from /dev/input consumes the event, which would be less than
ideal for a silent keylogger. ;)

(/dev/input/XXXX also gives more structured output than just raw key events
IIRC.)

~~~
deutronium
You can actually read keypresses from /dev/input/eventN to make a keylogger, I
wrote a simple one in lua.
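Since a userspace reader of /dev/input/eventN has to keep that device open, one check a defender can run is to walk /proc/<pid>/fd and list which processes hold an event device. This is an added example, not code from the thread or from keysniffer; it assumes a Linux procfs layout, and the pids and paths in the sample map are constructed. A kernel-module logger like keysniffer does not open a file descriptor and will not appear here.

```python
"""Added example: report processes holding a /dev/input/event* device open,
by walking /proc/<pid>/fd symlinks. Sample data below is constructed."""
import os
import re
from typing import Dict, Iterable, List, Tuple

# Only evdev nodes; /dev/input/mice and /dev/input/js* are deliberately excluded.
EVENT_DEV = re.compile(r"^/dev/input/event\d+$")

def input_readers(fd_targets: Dict[int, Iterable[str]]) -> List[Tuple[int, str]]:
    """Given pid -> iterable of fd symlink targets, return (pid, device) pairs
    for every open /dev/input/event* node, de-duplicated and sorted."""
    hits = set()
    for pid, targets in fd_targets.items():
        for target in targets:
            if EVENT_DEV.match(target):
                hits.add((pid, target))
    return sorted(hits)

def snapshot_proc(proc: str = "/proc") -> Dict[int, List[str]]:
    """Collect readable /proc/<pid>/fd/* link targets (root is needed to see
    other users' processes). Processes that vanish mid-scan are skipped."""
    result: Dict[int, List[str]] = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc, name, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # exited, or permission denied
            continue
        targets = []
        for fd in fds:
            try:
                targets.append(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue
        result[int(name)] = targets
    return result

# Constructed sample: pid 4242 holds a keyboard event node open twice (as an
# evdev-based logger would), pid 1 holds ordinary files, pid 777 only a mouse.
SAMPLE = {
    1: ["/dev/null", "socket:[12345]", "/var/log/syslog"],
    4242: ["/dev/input/event3", "/tmp/keys.txt", "/dev/input/event3"],
    777: ["/dev/input/mice"],
}

if __name__ == "__main__":
    for pid, dev in input_readers(snapshot_proc()):
        print(f"pid {pid} has {dev} open")
```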

~~~
rincebrain
I sit corrected, thank you.

