From 39642dad32327c368ea8fdb66472ed4499c16af3 Mon Sep 17 00:00:00 2001 From: Sebastian Lenzlinger <74497638+sebaschi@users.noreply.github.com> Date: Sun, 14 May 2023 16:24:14 +0200 Subject: [PATCH 1/3] Update dev_journal.md Continue on SW design for user space detector --- doc/dev_journal.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/dev_journal.md b/doc/dev_journal.md index 60cc211..d9a860d 100644 --- a/doc/dev_journal.md +++ b/doc/dev_journal.md 
@@ -73,6 +73,12 @@ It seems after restart kernel modules must be reinserted (even though spy was in ### Sebastian Talked to Dr. Eleliemy. Now have the following plan for the project: Two parts: One User Space detector that can more or less aggressivly kill uknown processes reading from I/O files. Should be configurable how aggressive it treats found loggers. From Just informing the user to auto SIGINT KILL, for instance. The Second part of thew Software checks kernel modules and probably just notifies user. There should be some db where we have Kernel Modules known to use I/O, so kind of a list of "Trusted I/O Drivers/Modules". +Here's an overview of the steps in the part of the programm that detects programm that have event files open which are not standard processes: +1. Use the `opendir()` function to open the directory `/dev/input/by-path/` and iterate over its contents using `readdir()`. +For each file in the directory, use the `strstr()` function to check if the file name contains "kbd" or "keyboard". +2. For each file that contain "kbd" or "keyboard", use readlink() to read the symbolic link, and get the device file that is mapped to it. +3. For each directory in `/proc/` check if the name is a numeric value and whenever it is, open `/proc/[PID]/fd/` and go over context with `readdir()`. If any of the filnames in there correspond to the ones found in step 2, it is a process that has a kbd device file open. +4. *TODO: FINNISH* #### Next Step: 1. Learn how kernel modules read I/O and how it is detectable. From bac300e6b1302e5910f4d8365a6592b601d8e05f Mon Sep 17 00:00:00 2001 From: Michel Date: Mon, 15 May 2023 15:27:28 +0200 Subject: [PATCH 2/3] Made dev journal entry for the 11.05.23 --- doc/dev_journal.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/dev_journal.md b/doc/dev_journal.md index d9a860d..2a963dd 100644 --- a/doc/dev_journal.md +++ b/doc/dev_journal.md 
@@ -69,6 +69,10 @@ It seems after restart kernel modules must be reinserted (even though spy was in 1. Test some more user space keyloggers and see if it is truly basicallly always very easy to detect them. 2. Figrue out how to detect kernel module kerlogger w/o just scanning for suspiciously named logfiles. +## Thursday, 11.05.2023 +### Michel +I was able to recreate all the steps Sebastian did on wednesday 10.05.2023. The only difference was, that on a ubuntu VM, the third step ls -l /proc/{1, 880, 1774, 63277}/exe` has to be executed a little bit differently. I wasnt able to give out a list of all processes at once. I had to check each PID individually, to see which PID belongs to which process. + ## Sunday, 14.05.23 ### Sebastian Talked to Dr. Eleliemy. Now have the following plan for the project: @@ -85,3 +89,4 @@ For each file in the directory, use the `strstr()` function to check if the file 2. Start coding the user space detector part of the software. + From 6be37e0ec4e68e762090f31f6388e6a1ff9a3a60 Mon Sep 17 00:00:00 2001 From: Michel Date: Tue, 23 May 2023 10:51:12 +0200 Subject: [PATCH 3/3] updated dev-journal with short list of my investigation to the current point --- doc/dev_journal.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/doc/dev_journal.md b/doc/dev_journal.md index 2a963dd..30a020c 100644 --- a/doc/dev_journal.md +++ b/doc/dev_journal.md 
@@ -84,6 +84,13 @@ For each file in the directory, use the `strstr()` function to check if the file 3. For each directory in `/proc/` check if the name is a numeric value and whenever it is, open `/proc/[PID]/fd/` and go over context with `readdir()`. If any of the filnames in there correspond to the ones found in step 2, it is a process that has a kbd device file open. 4. *TODO: FINNISH* +## Friday, 19.05.23 +### Michel +`lsmod shows most loaded kernel modules and who and how many use it at the moment. +I/O Module responsible for keyboard drivers is not fully listed with `lsmod`. With `ll /lib/modules/5.19.0-35-generic/kernel/drivers/input/keyboard`one can list all drivers connected in some way to the Keyboard. +I tried `hwinfo to list all hardware on a device. To use it one needs to do `sudo apt install hwinfo`. With `hwinfo --short` one gets a short information list about devices and drivers / what they are. Further investigation is required. +TODO: Find a way to list all processes using those keyboard Kernel Modules + #### Next Step: 1. Learn how kernel modules read I/O and how it is detectable. 2. Start coding the user space detector part of the software.
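Review bot: In the first hunk (steps 2 and 3 of the detection outline), the comparison as described will not match: `readlink()` on an entry of `/dev/input/by-path/` returns a relative target such as `../event3`, and the entries of `/proc/[PID]/fd/` are file-descriptor numbers that are themselves symlinks, so the step-3 check has to `readlink()` each fd entry and compare it against the by-path target resolved to an absolute `/dev/input/eventN` path (e.g. via `realpath()`), not against the raw filenames. Worth adding to the outline: reading another process's `/proc/[PID]/fd/` requires root (or ptrace access to that process), so the detector's required privilege should be stated up front. Minor: "go over context with `readdir()`" presumably means "contents", and "detects programm that have" should read "detects programs that have".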
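Review bot: In the second hunk (entry for 11.05.2023), the quoted command `ls -l /proc/{1, 880, 1774, 63277}/exe` contains spaces inside the braces, which defeats bash brace expansion, so the shell passes the literal string and the per-PID listing fails; written as `ls -l /proc/{1,880,1774,63277}/exe` it would list all four at once, which is likely the difference observed rather than a Ubuntu VM quirk. Formatting: the opening backtick before `ls -l` is missing, and the hunk at `@@ -85,3 +89,4 @@` only adds a trailing blank line at end of file, which should be dropped.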
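Review bot: In the third hunk (entry for 19.05.23), the statement that `lsmod` "shows most loaded kernel modules" and that the keyboard I/O module "is not fully listed" should be qualified: `lsmod` lists every loaded module, and a keyboard driver that is missing from its output is most likely compiled into the kernel rather than loaded as a module, which is checkable via `/lib/modules/$(uname -r)/modules.builtin`; the hard-coded path `/lib/modules/5.19.0-35-generic/...` should use `$(uname -r)` for the same reason. The TODO ("list all processes using those keyboard Kernel Modules") rests on a mismatch: the "Used by" count in `lsmod` refers to dependent modules, not processes, and the process-side link to a keyboard driver is the open file descriptor on its `/dev/input/eventN` node, which is what the step-3 `/proc/[PID]/fd/` scan in the earlier entry already covers. Formatting: the backticks around `lsmod` and `hwinfo` are unclosed, and a space is missing in "keyboard`one".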