From 1a2849d6984f2564a70865929761058fc4fb3250 Mon Sep 17 00:00:00 2001
From: SoulKindred <91552157+SoulKindred@users.noreply.github.com>
Date: Thu, 8 Jun 2023 19:32:47 +0200
Subject: [PATCH] Add files via upload

Contains Stap, python-script and whitelist.txt
Does not fully work. Requires return-value in start_stap function. If that works, it works fully. Then begin with tidy up work.
---
.../funcall_trace.stp | 6 +
.../kernel_detector.py | 150 ++++++++++++++++++
src/keylogger_detector_kernel/whitelist.txt | 68 ++++++++
3 files changed, 224 insertions(+)
create mode 100644 src/keylogger_detector_kernel/funcall_trace.stp
create mode 100644 src/keylogger_detector_kernel/kernel_detector.py
create mode 100644 src/keylogger_detector_kernel/whitelist.txt

diff --git a/src/keylogger_detector_kernel/funcall_trace.stp b/src/keylogger_detector_kernel/funcall_trace.stp
new file mode 100644
index 0000000..c3ea404
--- /dev/null
+++ b/src/keylogger_detector_kernel/funcall_trace.stp
@@ -0,0 +1,6 @@
+
+probe kernel.function("register_keyboard_notifier").call
+ {
+ printf("triggered\n")
+ }
+
diff --git a/src/keylogger_detector_kernel/kernel_detector.py b/src/keylogger_detector_kernel/kernel_detector.py
new file mode 100644
index 0000000..776a97e
--- /dev/null
+++ b/src/keylogger_detector_kernel/kernel_detector.py
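Review bot: The `printf` in the probe body emits only the fixed string `triggered`, so a hit cannot be attributed to the module that `kernel_detector.py` has just loaded, and any other component registering a keyboard notifier during the same window (the script keeps the module loaded for five seconds) produces an identical line. Printing the caller and a timestamp makes each hit attributable and auditable, e.g. `printf("%d register_keyboard_notifier from %s\n", gettimeofday_s(), symname(caller_addr()))`. Symbol resolution for a freshly loaded module may need stap's `-d`/`--all-modules` option on the Python side; confirm against the target kernel.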
@@ -0,0 +1,150 @@
+import subprocess
+import time
+import multiprocessing
+import os
+
+global Smell
+
+#==============================================================================================================
+
+#Functions
+
+#==============================================================================================================
+def list_modules(command):
+ result = subprocess.run(command, shell = True, capture_output=True, text=True)
+
+ if result.returncode == 0:
+ return result.stdout.strip().split('\n')
+ else:
+ print(f"Failed with error:{result.stderr}")
+ return[]
+
+def get_whitelist(file_path):
+ try:
+ with open(file_path, 'r') as file:
+ lines = file.read().splitlines()
+ return lines
+ except IOError:
+ print(f'Error: Failed to load whitelist{file_path}')
+
+def compare_mods(A, B):
+ setA = set(A)
+ setB = set(B)
+
+ result = setB - setA
+
+ return list(result)
+
+def tidy_up(entries):
+ cleaned_entries = []
+ for entry in entries:
+ modules = entry.split()
+ if modules:
+ first_mod = modules[0]
+ cleaned_entries.append(first_mod)
+ return cleaned_entries
+
+def unload_mod(modules):
+ tmp = []
+ for module in modules:
+ result = subprocess.run(['sudo','rmmod', module],capture_output = True, text = True)
+ if result.returncode == 0:
+ print(f"Unloaded module: {module}")
+ else:
+ print(f"Failed to unloaded module: {module}")
+ tmp.append(module)
+ print(result.stderr)
+ result_out = compare_mods(tmp, modules)
+ print(result_out)
+ return result_out
+
+
+#TODO Get Return-value from start_stap()
+def start_stap():
+ print("Starting Sniffer")
+ output = subprocess.Popen(['stap','funcall_trace.stp'],universal_newlines=True)
+ if output.stdout != "":
+ output.terminate()
+ print("fishy")
+ Smell = "fishy"
+ else:
+ output.terminate()
+ print("nothing fishy")
+ Smell = "not fishy"
+ print(Smell + " smell")
+
+
+
+
+
+
+
+def load_mod(module):
+ result = subprocess.run(['sudo','insmod', module],capture_output = True, text = True)
+ if result.returncode == 0:
+ print(f"Loaded module: {module}")
+ time.sleep(5)
+ else:
+ print(f"Failed to Loaded module: {module}")
+ print(result.stderr)
+
+
+def find_file(filename):
+ result = []
+ for root, dirs, files in os.walk("/"):
+ if filename in files:
+ file_path = os.path.join(root, filename)
+ result.append(file_path)
+ result_out = result[0]
+ result_out = ''.join(result_out)
+ return result_out
+
+def getpath(sus_modules):
+ for i in range(len(sus_modules)):
+ sus_modules[i] = find_file(sus_modules[i] + ".ko")
+ return sus_modules
+
+def detect_logger(module):
+ p1 = multiprocessing.Process(target=start_stap)
+ p1.start()
+ p2 = multiprocessing.Process(target=load_mod(module))
+ p2.start()
+
+ p1.join()
+ p2.join()
+
+
+
+
+#==============================================================================================================
+
+#Work
+
+#==============================================================================================================
+
+whitelist = get_whitelist("whitelist.txt")
+
+lsmod_output = list_modules("lsmod");
+
+sus_modules = compare_mods(whitelist, lsmod_output)
+
+sus_modules = tidy_up(sus_modules)
+print(sus_modules)
+
+sus_modules = unload_mod(sus_modules)
+time.sleep(1)
+print("waited")
+
+sus_modules = getpath(sus_modules)
+print(sus_modules)
+if len(sus_modules) == 0:
+ exit()
+suspects = []
+for module in range(len(sus_modules)):
+ suspects.append(detect_logger(sus_modules[module]))
+
+print(suspects)
+
+
+
+
diff --git a/src/keylogger_detector_kernel/whitelist.txt b/src/keylogger_detector_kernel/whitelist.txt
new file mode 100644
index 0000000..4fae9aa
--- /dev/null
+++ b/src/keylogger_detector_kernel/whitelist.txt
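Review bot: The set handed to `sudo rmmod` in the Work section is a difference of raw `lsmod` lines, because `tidy_up` runs only after `compare_mods(whitelist, lsmod_output)`; any whitelisted module whose size, "Used by" count or dependency list no longer matches its snapshot line (e.g. `nf_conntrack 192512 4 nf_nat,...`) is therefore treated as suspect and unloaded before any detection has run. Normalise both sides to module names before the set difference: `whitelist = tidy_up(get_whitelist("whitelist.txt"))`, `lsmod_output = tidy_up(list_modules("lsmod"))`, and drop the later `sus_modules = tidy_up(sus_modules)`. On the reload path, `find_file` walks the whole filesystem and `getpath` feeds whichever `<name>.ko` it meets first to `insmod` under `sudo`, so a same-named file planted in any writable location (e.g. `/tmp`) can end up loaded into the kernel — restrict the search to `/lib/modules/<uname -r>/` (or resolve by name with `modprobe`) and handle the `IndexError` from `result[0]` when nothing is found. `start_stap` builds the `Popen` without `stdout=subprocess.PIPE`, so `output.stdout` is `None`, the `!= ""` test is always true and the process is terminated at once; the commit message already marks this function as unfinished, but as written every module is reported "fishy". Finally, `multiprocessing.Process(target=load_mod(module))` runs `load_mod` synchronously in the parent and passes its `None` return value as the target, so the sniffer and the module load never actually overlap.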
@@ -0,0 +1,68 @@
+Module Size Used by
+tls 147456 0
+uinput 20480 0
+isofs 65536 1
+snd_seq_dummy 16384 0
+snd_hrtimer 16384 1
+vboxvideo 36864 0
+drm_vram_helper 24576 1 vboxvideo
+nf_conntrack_netbios_ns 16384 1
+nf_conntrack_broadcast 16384 1 nf_conntrack_netbios_ns
+nft_fib_inet 16384 1
+nft_fib_ipv4 16384 1 nft_fib_inet
+nft_fib_ipv6 16384 1 nft_fib_inet
+nft_fib 16384 3 nft_fib_ipv6,nft_fib_ipv4,nft_fib_inet
+nft_reject_inet 16384 6
+nf_reject_ipv4 16384 1 nft_reject_inet
+nf_reject_ipv6 24576 1 nft_reject_inet
+nft_reject 16384 1 nft_reject_inet
+nft_ct 24576 16
+nft_chain_nat 16384 3
+nf_nat 65536 1 nft_chain_nat
+nf_conntrack 192512 4 nf_nat,nft_ct,nf_conntrack_netbios_ns,nf_conntrack_broadcast
+nf_defrag_ipv6 24576 1 nf_conntrack
+nf_defrag_ipv4 16384 1 nf_conntrack
+ip_set 65536 0
+rfkill 40960 3
+nf_tables 352256 237 nft_ct,nft_reject_inet,nft_fib_ipv6,nft_fib_ipv4,nft_chain_nat,nft_reject,nft_fib,nft_fib_inet
+nfnetlink 20480 3 nf_tables,ip_set
+qrtr 57344 4
+snd_intel8x0 57344 2
+snd_ac97_codec 200704 1 snd_intel8x0
+ac97_bus 16384 1 snd_ac97_codec
+snd_seq 106496 7 snd_seq_dummy
+intel_rapl_msr 20480 0
+snd_seq_device 16384 1 snd_seq
+intel_rapl_common 36864 1 intel_rapl_msr
+snd_pcm 184320 2 snd_intel8x0,snd_ac97_codec
+snd_timer 53248 3 snd_seq,snd_hrtimer,snd_pcm
+sunrpc 815104 1
+rapl 24576 0
+binfmt_misc 28672 1
+snd 143360 12 snd_seq,snd_seq_device,snd_intel8x0,snd_timer,snd_ac97_codec,snd_pcm
+joydev 28672 0
+pcspkr 16384 0
+soundcore 16384 1 snd
+i2c_piix4 36864 0
+vboxguest 53248 6
+loop 40960 0
+zram 32768 2
+crct10dif_pclmul 16384 1
+crc32_pclmul 16384 0
+crc32c_intel 24576 3
+polyval_generic 16384 0
+video 73728 0
+ghash_clmulni_intel 16384 0
+vmwgfx 458752 2
+drm_ttm_helper 16384 3 vmwgfx,drm_vram_helper,vboxvideo
+wmi 45056 1 video
+sha512_ssse3 49152 0
+e1000 188416 0
+serio_raw 20480 0
+ttm 102400 3 vmwgfx,drm_vram_helper,drm_ttm_helper
+ata_generic 16384 0
+pata_acpi 16384 0
+ip6_tables 40960 0
+ip_tables 40960 0
+fuse 212992 5
+
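Review bot: The whitelist is a verbatim `lsmod` dump of one VirtualBox guest (`vboxguest`, `vboxvideo`, `vmwgfx`, `e1000`) that keeps the `Module Size Used by` header and the per-boot size, refcount and dependency columns, so it matches only that exact boot; on any other host, or after a refcount changes, most loaded modules fall outside it and become `rmmod` candidates in `kernel_detector.py`. A baseline allowlist should hold bare module names, one per line, captured from a known-clean image, since every module present when the snapshot was taken is trusted unconditionally from then on. Recording where and when it was captured (kernel version, date) lets a reviewer judge what the baseline was trusted against; note the reader treats every line as an entry, so a comment convention needs a matching skip in `get_whitelist`.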