From 0c1d9c29b2ec09d203e6babd1905744a1ad57bb3 Mon Sep 17 00:00:00 2001 From: Sebastian Lenzlinger <74497638+sebaschi@users.noreply.github.com> Date: Sat, 3 Jun 2023 19:46:21 +0200 Subject: [PATCH 1/5] Update dev_journal.md --- doc/dev_journal.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/dev_journal.md b/doc/dev_journal.md index 56d38f9..974d2ce 100644 --- a/doc/dev_journal.md +++ b/doc/dev_journal.md @@ -86,7 +86,7 @@ For each file in the directory, use the `strstr()` function to check if the file ## Friday, 19.05.23 ### Michel -`lsmod shows most loaded kernel modules and who and how many use it at the moment. +`lsmod` shows most loaded kernel modules and who and how many use it at the moment. I/O Module responsible for keyboard drivers is not fully listed with `lsmod`. With `ll /lib/modules/5.19.0-35-generic/kernel/drivers/input/keyboard`one can list all drivers connected in some way to the Keyboard. I tried `hwinfo` to list all hardware on a device. To use it one needs to do `sudo apt install hwinfo`. With `hwinfo --short` one gets a short information list about devices and drivers / what they are. Further investigation is required. TODO: Find a way to list all processes using those keyboard Kernel Modules From 1897b6853658a7d3a9c2ab2c105cd091bb0719d9 Mon Sep 17 00:00:00 2001 From: Sebastian Lenzlinger <74497638+sebaschi@users.noreply.github.com> Date: Sat, 3 Jun 2023 19:46:57 +0200 Subject: [PATCH 2/5] Update dev_journal.md --- doc/dev_journal.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/dev_journal.md b/doc/dev_journal.md index 974d2ce..804c136 100644 --- a/doc/dev_journal.md +++ b/doc/dev_journal.md 
@@ -102,4 +102,5 @@ Instead of using c now used bash to make a script that 2. checks which pids use those files and writes those into a file. 3. checks to which programms/executables the pids correspond to. Still need to finnish it. -TODO: Add functionality that is asks user if the malicious process should be killed. I.e. add some configuration functionality. + +_TODO_: Add functionality that is asks user if the malicious process should be killed. I.e. add some configuration functionality. From dc8e5ea198641c9e1d95ece9491ecb9bc543cd70 Mon Sep 17 00:00:00 2001 From: Sebastian Lenzlinger <74497638+sebaschi@users.noreply.github.com> Date: Sat, 3 Jun 2023 19:47:45 +0200 Subject: [PATCH 3/5] Update dev_journal.md Add missing name under Saturday, 3. June 2023 --- doc/dev_journal.md | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/dev_journal.md b/doc/dev_journal.md index 804c136..d14294b 100644 --- a/doc/dev_journal.md +++ b/doc/dev_journal.md @@ -97,6 +97,7 @@ TODO: Find a way to list all processes using those keyboard Kernel Modules ## Saturday, 3. June 2023 +### Sebastian Instead of using c now used bash to make a script that 1. finds `/dev/input/event*` that correspond to keyboard files and writes them in a file. 2. checks which pids use those files and writes those into a file. From 5db2f3391bfef0c9e25d3ca963490212dfc98b61 Mon Sep 17 00:00:00 2001 From: Sebastian Lenzlinger <74497638+sebaschi@users.noreply.github.com> Date: Sat, 3 Jun 2023 19:49:16 +0200 Subject: [PATCH 4/5] Update dev_journal.md --- doc/dev_journal.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/dev_journal.md b/doc/dev_journal.md index d14294b..8249005 100644 --- a/doc/dev_journal.md +++ b/doc/dev_journal.md 
@@ -104,4 +104,4 @@ Instead of using c now used bash to make a script that 3. checks to which programms/executables the pids correspond to. Still need to finnish it. -_TODO_: Add functionality that is asks user if the malicious process should be killed. I.e. add some configuration functionality. +_TODO_: Add functionality that is asks user if the malicious process should be killed. I.e. add some configuration functionality. Finnish Step 3. in mentioned bash script. From 649c231a9dfb62c2543a6283b841cc5f3eeb983d Mon Sep 17 00:00:00 2001 From: SoulKindred <91552157+SoulKindred@users.noreply.github.com> Date: Mon, 5 Jun 2023 14:14:49 +0200 Subject: [PATCH 5/5] Update dev_journal.md small update for 05.06.2023 --- doc/dev_journal.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/dev_journal.md b/doc/dev_journal.md index 8249005..c46e6f9 100644 --- a/doc/dev_journal.md +++ b/doc/dev_journal.md @@ -105,3 +105,7 @@ Instead of using c now used bash to make a script that Still need to finnish it. _TODO_: Add functionality that is asks user if the malicious process should be killed. I.e. add some configuration functionality. Finnish Step 3. in mentioned bash script. + +## Monday, 5. June 2023 +### Michel +Systemtap allowes one to write stap scripts and compile them as kernel modules. Linetimes.stp is usefull to filter functioncalls. With some slight modification (needs some more research) we could use it to filter all modules that perform the "register_keyboard_notifier" function inside of the kernel. Currently, it only lists events that happen durring probing. So the 'spy' keylogger has to be loaded as a kernel module for it to show up whilst monitoring. One could compile the systemtap script as a kernel module and load it very early on boot. That also would require some more research. Detecting the "register_keyboard_notifier" function call does not seem efficient.
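Review bot: PATCH 1/5 (`@@ -86,7 +86,7 @@`) fixes the unclosed backtick on `lsmod` but leaves a missing space in the same hunk's context: `` `ll /lib/modules/5.19.0-35-generic/kernel/drivers/input/keyboard`one can list `` should read `` `...keyboard` one can list ``. Two further points on that context: `ll` is a shell alias rather than a command, so `ls -l` is the portable form, and the hard-coded kernel version `5.19.0-35-generic` will silently go stale; `/lib/modules/$(uname -r)/kernel/drivers/input/keyboard` keeps the note correct across kernel updates. "who and how many use it" would also be clearer as "which other modules depend on it and how many users it has" (the `Used by` column).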
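Review bot: PATCH 2/5 (`@@ -102,4 +102,5 @@`) rewrites the TODO line only to add emphasis and a blank line, while the grammar error in it survives: "Add functionality that is asks user" should be "Add functionality that asks the user". Since the line is being touched anyway, the surrounding context typos "programms" and "finnish" could go in the same commit. One wording concern: calling every process found in step 2 "the malicious process" is premature, because the display server, input daemons and similar legitimate programs also hold `/dev/input/event*` files open, so a kill prompt driven only by that check would hit them as well; "the flagged process" and a note that the result needs review before killing would describe the script more accurately.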
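Review bot: PATCH 3/5 (`@@ -97,6 +97,7 @@`) adds the missing `### Sebastian` author heading, which matches the `### Michel` convention used above; the day headings, however, are inconsistent within the visible context, `## Friday, 19.05.23` versus `## Saturday, 3. June 2023`, and a single date format would help anyone scanning the journal. The sentence "Instead of using c now used bash" reads as a fragment; "Instead of C, I now use bash to write a script that" would be clearer, and the commit message could mention that the section is otherwise unchanged.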
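Review bot: PATCH 4/5 (`@@ -104,4 +104,4 @@`) appends a second task to the existing TODO line, which introduces a typo ("Finnish Step 3." should be "Finish step 3") and packs two unrelated items into one sentence. A short list would keep them separable and easier to tick off, e.g. `_TODO_:` followed by `- ask the user whether the flagged process should be killed (configuration)` and `- finish step 3 of the bash script`. The grammar error "that is asks user" is carried over unchanged from the previous patch and should be fixed here as well.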
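Review bot: PATCH 5/5 (`@@ -105,3 +105,7 @@`) ends with "Detecting the `register_keyboard_notifier` function call does not seem efficient", which contradicts the two sentences before it proposing exactly that approach; the entry should state why (overhead of the probe, or the timing limitation described earlier) so the next person does not re-investigate it. That limitation is worth spelling out as the actual finding: a probe on the registration call only sees modules that register after the probe is armed, so a keylogger module loaded before the SystemTap module is invisible to it, which is why the earlier `lsmod`-based enumeration and this probe complement rather than replace each other. Spelling in the added lines: "allowes" should be "allows", "usefull" should be "useful", "functioncalls" should be "function calls", "durring" should be "during", and "Linetimes.stp" should be written in lowercase to match the script's file name; the commit message "small update for 05.06.2023" could also say that a Monday entry for Michel was added.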