Merge branch 'main' into fiex

2023-06-13 14:20:31 +02:00 · 2023-06-13 14:20:31 +02:00 · 5680143977
commit 5680143977
parent 689508282c 7d4bc93243
10 changed files with 132 additions and 9 deletions
--- a/README.md
+++ b/README.md
@ -1,2 +1,65 @@
-# keylogger-detector
+# KLDetect
-University project for an Operating Systems lecture. The goal is to develope a keystroke-logger-detector for a Linux environment. Developement Environment: Fedora 37 VM under  Gnome on VirtualBox. A project journal can be found [here](https://github.com/sebaschi/keylogger-detector/blob/main/doc/dev_journal.md)
+KLDetect is a keylogger detector for the Linux Desktop.
 It can detect processes reading from ```/dev/input/event*``` devices and kernel modules registered to listen to keyboard events.
 # Dependencies
 * [Python](https://www.python.org/downloads/)
 * [SystemTap](https://sourceware.org/systemtap/wiki)
 * [```fuser```](https://www.man7.org/linux/man-pages/man1/fuser.1.html)
 * Utilities that come with [Fedora](https://fedoraproject.org/) like ```which```.
 # Setup
 Download or clone this repository:
 ```
 git clone https://github.com/sebaschi/keylogger-detector.git
 ```
 Navigate into the src directory:
 ```
 cd keylogger-detector/src
 ```
 Run a keylogger. KLDetect has been tested and shown to work on the following keylogger.
 User progams:
 * [simple-key-logger](https://github.com/gsingh93/simple-key-logger/tree/master)
 * [logkeys](https://github.com/kernc/logkeys)
 * [keylog](https://github.com/SCOTPAUL/keylog)
 Kernel Module:
 * [spy](https://github.com/jarun/spy)
 # Usage 
 KLDetect **must** be run as root (sudo).
 Running without options just runs userspace detection:
 ```
 ./kldetect.py
 ```
 To get a list of options:
 ```
 ./kldetect.py -h
 ```
 To run with kernel module detection:
 ```
 ./kldetect.py -k
 ```
 To run just kernel module detection
 ```
 ./kernel_detector.py
 ```
 # Warning
 Running any part if this program in a lightheaded manner may break your system.
 Killing processes and unloading modules should be done with caution. We suggest testing it an a VM.
 If one runs the KLDetect with the kernel module keylogger detection option set, make sure to update the [whitelist.txt](https://github.com/sebaschi/keylogger-detector/blob/main/src/whitelist.txt)
 with the safe kernel modules that you know you have on your system. Altough KLDetect should not unload any kernel modules currently used, better safe than sorry.
 # Developers
 Copyright © 2023[Michel Romancuk](https://github.com/SoulKindred), [Sebastian Lenzlinger](https://github.com/sebaschi)
 This project is Part of a Univeristy project at the [Operating Systems](https://dmi.unibas.ch/de/studium/computer-science-informatik/lehrangebot-fs23/vorlesung-operating-systems-1/) lecture at the University of Basel, Switzerland.
 A project journal can be found [here](https://github.com/sebaschi/keylogger-detector/blob/main/doc/dev_journal.md).
--- a/doc/dev_journal.md
+++ b/doc/dev_journal.md
@ -166,7 +166,7 @@ This is after extensivly refactoring because I was starting to loose oversight o
 ## Wednesday, 7. June 2023, day
 ### Sebastian
 VirtualBox stopped working so after much pain I decided to switch to Boxes. There the install of Fedora 37 went smoothly.
-Then Started testing the userland detector on [simple-key-logger](https://github.com/gsingh93/simple-key-logger/tree/maste), [logkeys](https://github.com/kernc/logkeys).
+Then Started testing the userland detector on [simple-key-logger](https://github.com/gsingh93/simple-key-logger/tree/master), [logkeys](https://github.com/kernc/logkeys).
 [pykeylogger](https://github.com/amoffat/pykeylogger) produced a segmentation fault, after I finaly got it to run. Trying to run [py-keylogger](https://github.com/hiamandeep/py-keylogger), turns out it only runs on X11 it seem (so we'd not catch it anyway).
 [keylog](https://github.com/SCOTPAUL/keylog) was succesfully detected and removed.
 All in all, the main functionality works as intended. Basically now would be the refinement phase to add more options or to have a way to configure the config.json file more easily.
--- a/doc/qr_code_kldetect_repo.png
+++ b/doc/qr_code_kldetect_repo.png
--- a/doc/research/acm_2390317.2390326.bib
+++ b/doc/research/acm_2390317.2390326.bib
@ -0,0 +1,17 @@
@inproceedings{10.1145/2390317.2390326,
 author = {Howard, Adam and Hu, Yi},
 title = {An Approach for Detecting Malicious Keyloggers},
 year = {2012},
 isbn = {9781450315388},
 publisher = {Association for Computing Machinery},
 address = {New York, NY, USA},
 url = {https://doi.org/10.1145/2390317.2390326},
 doi = {10.1145/2390317.2390326},
 abstract = {Keyloggers are applications that are installed onto computers with the intent of monitoring and storing keystrokes that are input by a user. These keystrokes can either be stored on a physical hard disk or transmitted via a network connection to a remote location. Because of their functions, keyloggers have a potential of being used for malicious purposes. In order to protect privacy, it is important to realize the threat that a keylogger application might pose and identify appropriate methods for detecting it. The method presented in this research provides a standardized approach to detect unknown keylogging software from a computer. We also conducted experiments on a variety of keyloggers to verify the effectiveness of the proposed approach.},
 booktitle = {Proceedings of the 2012 Information Security Curriculum Development Conference},
 pages = {53–56},
 numpages = {4},
 keywords = {rootkit, privacy, system hook, keylogger, malicious software},
 location = {Kennesaw, Georgia},
 series = {InfoSecCD '12}
 }
--- a/doc/research/acm_financial_losses_due_to_malware.bib
+++ b/doc/research/acm_financial_losses_due_to_malware.bib
@ -0,0 +1,17 @@
@inproceedings{10.1145/2905055.2905362,
 author = {Amin, Maitri},
 title = {A Survey of Financial Losses Due to Malware},
 year = {2016},
 isbn = {9781450339629},
 publisher = {Association for Computing Machinery},
 address = {New York, NY, USA},
 url = {https://doi.org/10.1145/2905055.2905362},
 doi = {10.1145/2905055.2905362},
 abstract = {General survey stat that the main damage malware can cause is to slow down their PCs and perhaps crash some websites which is quite wrong, The Russian antivirus software developer teamed up with B2B International for a study worldwide recently, shown 36\% of users lose money online as a result of a malware attack. Currently malware can't be detected by traditional way based anti-malware tools due to their polymorphic and/or metamorphic nature. Here we have improvised a current detection technique of malware based on mining Application Programming Interface (API) calls and developed the first public dataset to promote malware research.• In survey of cyber-attacks 6.2\% financial attacks are due to malware which increase to 1.3 \% in 2013 compared to 2012.• Financial data theft causes 27.6\% to reach 28,400,000. Victims abused by this targeting malware countered 3,800,000, which is 18.6\% greater than previous year.• Finance-committed malware, associated with Bitcoin has demonstrated the most dynamic development. Where's, Zeus is still top listed for playing important roles to steal banking credentials.Solutionary study stats that companies are spending a staggering amount of money in the aftermath of damaging attack: DDoS attacks recover $6,500 per hour from malware and more than $3,000 each time for up to 30 days to moderate and improve from malware attacks. [1]},
 booktitle = {Proceedings of the Second International Conference on Information and Communication Technology for Competitive Strategies},
 articleno = {145},
 numpages = {4},
 keywords = {Malware, API, financial losses, Survey},
 location = {Udaipur, India},
 series = {ICTCS '16}
 }
--- a/doc/research/acm_risk_of_stolen_credentials.bib
+++ b/doc/research/acm_risk_of_stolen_credentials.bib
@ -0,0 +1,17 @@
@inproceedings{10.1145/3133956.3134067,
 author = {Thomas, Kurt and Li, Frank and Zand, Ali and Barrett, Jacob and Ranieri, Juri and Invernizzi, Luca and Markov, Yarik and Comanescu, Oxana and Eranti, Vijay and Moscicki, Angelika and Margolis, Daniel and Paxson, Vern and Bursztein, Elie},
 title = {Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials},
 year = {2017},
 isbn = {9781450349468},
 publisher = {Association for Computing Machinery},
 address = {New York, NY, USA},
 url = {https://doi.org/10.1145/3133956.3134067},
 doi = {10.1145/3133956.3134067},
 abstract = {In this paper, we present the first longitudinal measurement study of the underground ecosystem fueling credential theft and assess the risk it poses to millions of users. Over the course of March, 2016--March, 2017, we identify 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on blackmarket forums. Using this dataset, we explore to what degree the stolen passwords---which originate from thousands of online services---enable an attacker to obtain a victim's valid email credentials---and thus complete control of their online identity due to transitive trust. Drawing upon Google as a case study, we find 7--25\% of exposed passwords match a victim's Google account. For these accounts, we show how hardening authentication mechanisms to include additional risk signals such as a user's historical geolocations and device profiles helps to mitigate the risk of hijacking. Beyond these risk metrics, we delve into the global reach of the miscreants involved in credential theft and the blackhat tools they rely on. We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s.},
 booktitle = {Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security},
 pages = {1421–1434},
 numpages = {14},
 keywords = {keylogger, phishing, risk analysis, data breach, password reuse, authentication, phishing kit, password},
 location = {Dallas, Texas, USA},
 series = {CCS '17}
 }
--- a/doc/research/citation-strange-world-keyloggers.bib
+++ b/doc/research/citation-strange-world-keyloggers.bib
@ -0,0 +1,10 @@
@article{article,
 author = {Creutzburg, Reiner},
 year = {2017},
 month = {01},
 pages = {139-148},
 title = {The strange world of keyloggers - an overview, Part I},
 volume = {2017},
 journal = {Electronic Imaging},
 doi = {10.2352/ISSN.2470-1173.2017.6.MOBMU-313}
 }
--- a/src/config.json
+++ b/src/config.json
@ -1,8 +1,8 @@
 {
    "white_listed_programs": [
        "systemd_logind",
-        "gnome-shell",
+        "systemd",
-        "systemd"
+        "gnome-shell"
    ],
    "auto_kill_programs": [],
    "kbd_names": [
--- a/src/kernel_detector.py
+++ b/src/kernel_detector.py
--- a/src/keylogger_detector.py
+++ b/src/keylogger_detector.py
@ -16,7 +16,6 @@ from utils import (
    kill_process
    )
 # Global variables/CLI options
 auto_kill_option = False
@ -40,10 +39,10 @@ def print_help():
    print('  -v, --verbose\t\t\tVerbose mode. Informative information will be displayed duting execution')
    print('  -a, --auto-kill\t\tAutomatically kill blacklisted processes')
    print('  -s, --safe\t\t\tSafe mode. Asked to confirm before killing a process')
-    print('  -w, --add-white-list\t\t\tActivate prompt to add program names to the whitelist') #For some reason this line gets messed up in display 
+    print('  -w, --add-white-list\t\tActivate prompt to add program names to the whitelist') #For some reason this line gets messed up in display 
-    print('  -b, --add-black-list\t\t\tAutomatically add program names chosen to kill to the blacklist')
+    print('  -b, --add-black-list\t\tAutomatically add program names chosen to kill to the blacklist')
    print('  -d, --debug\t\t\tDebug mode. Print debug statements')
-    print(' -k, --kernel-detection\t\t\tRun the kernel keylogger detector, too. CURRENTLY NOT IMPLEMENTED TO DIRECTLY RUN KERNEL DETECTOR.')
+    print(' -k, --kernel-detection\t\tRun the kernel keylogger detector, too. CURRENTLY NOT IMPLEMENTED TO DIRECTLY RUN KERNEL DETECTOR.')
 def set_input_options():
    """