seb/keylogger-detector
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add files via upload

Browse Source 
Made print-statements preaty and added doc
This commit is contained in:
SoulKindred 2023-06-13 12:55:11 +02:00 committed by GitHub
parent efbc9bc88f
commit 689508282c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 125 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

126
src/keylogger_detector.py
View File

@ -110,24 +110,34 @@ def confirm_kill_procces(process_name, times=0):
return confirm_kill_procces(process_name, times+1) return confirm_kill_procces(process_name, times+1)
########################## def detect_kernel(module):
def detect_logger(module): """
Start the systemtap-script.
load and unload modules twice.
load module when finished.
print("starting sniffing") Args:
module(str): Path + name of the module being tested
Returns:
String: Path + name of the module that is logging keystrokes
"""
if verbose_option:
print('[Verbose] Started kernel keylogger detection')
process = subprocess.Popen(['stap','funcall_trace.stp', '-T', '10'], stdout=subprocess.PIPE, text=True) process = subprocess.Popen(['stap','funcall_trace.stp', '-T', '10'], stdout=subprocess.PIPE, text=True)
for i in range(2): for i in range(2):
subprocess.Popen(['sudo','insmod', module]) subprocess.Popen(['sudo','insmod', module])
time.sleep(1) time.sleep(1)
print("-") print(".", end="")
subprocess.Popen(['sudo','rmmod', module]) subprocess.Popen(['sudo','rmmod', module])
time.sleep(1) time.sleep(1)
subprocess.Popen(['sudo','insmod', module]) subprocess.Popen(['sudo','insmod', module])
print("-") print(".")
out = process.communicate()[0] out = process.communicate()[0]
if verbose_option:
print("ended sniffing") print('[Verbose] Started kernel keylogger detection')
print(out) print(out)
if out == "[-]": if out == "[-]":
@ -136,11 +146,30 @@ def detect_logger(module):
return 0 return 0
def getpath(sus_modules): def getpath(sus_modules):
"""
Gets the path of a list of modules being tested
calls "find_file()" function
Args:
List[module(str)] List of all modules being tested
Returns:
List[modules(str)]List of the Path of all modules being tested
"""
for i in range(len(sus_modules)): for i in range(len(sus_modules)):
sus_modules[i] = find_file(sus_modules[i] + ".ko") sus_modules[i] = find_file(sus_modules[i] + ".ko")
return sus_modules return sus_modules
def find_file(filename): def find_file(filename):
"""
Searches for a file begining at root
Args:
filename(str) The filename one is looking for
Returns:
result_out(str) 'The Path_to_Module/Module_name'
"""
result = [] result = []
for root, dirs, files in os.walk("/"): for root, dirs, files in os.walk("/"):
if filename in files: if filename in files:
@ -151,21 +180,40 @@ def find_file(filename):
return result_out return result_out
def unload_mod(modules): def unload_mod(modules):
"""
Unloads modules.
Args:
module(str) the module that needs to be unloaded. Has to be Path_to_Module/Module_name
"""
tmp = [] tmp = []
for module in modules: for module in modules:
result = subprocess.run(['sudo','rmmod', module],capture_output = True, text = True) result = subprocess.run(['sudo','rmmod', module],capture_output = True, text = True)
if result.returncode == 0: if result.returncode == 0:
print(f"Unloaded module: {module}") if verbose_option:
print(f"[Verbose] Unloaded module: {module}")
else: else:
print(f"Failed to unloaded module: {module}") if verbose_option:
print(f"[Verbose] Failed to unloaded module: {module}")
print("[Verbose] " + result.stderr)
tmp.append(module) tmp.append(module)
print(result.stderr)
result_out = compare_mods(tmp, modules) result_out = compare_mods(tmp, modules)
if verbose_option:
print("[Verbose] ", end="")
print(result_out) print(result_out)
return result_out return result_out
def tidy_up(entries): def tidy_up(entries):
"""
Takes a txt file and removes everything except the first word of a line
Args:
File(.txt) in this usecase a whitelist.txt
Returns:
clean_entries(List[str]) List of only the first wrod from each line
"""
cleaned_entries = [] cleaned_entries = []
for entry in entries: for entry in entries:
modules = entry.split() modules = entry.split()
@ -175,6 +223,16 @@ def tidy_up(entries):
return cleaned_entries return cleaned_entries
def compare_mods(A, B): def compare_mods(A, B):
"""
Does set-suptraction to.
Args:
A(list[str]) List of elements one wants to ignore
B(list[str]) List of elements that one wants without all elements in A
Returns:
result(list[str] List of elements that are in B but not in A
"""
setA = set(A) setA = set(A)
setB = set(B) setB = set(B)
@ -184,6 +242,15 @@ def compare_mods(A, B):
def get_whitelist(file_path): def get_whitelist(file_path):
"""
reads a text-file
Args:
file_path(str) Path to file one wants to read
Returns:
lines(list[str]) List of each line from a file
"""
try: try:
with open(file_path, 'r') as file: with open(file_path, 'r') as file:
lines = file.read().splitlines() lines = file.read().splitlines()
@ -192,6 +259,16 @@ def get_whitelist(file_path):
print(f'Error: Failed to load whitelist{file_path}') print(f'Error: Failed to load whitelist{file_path}')
def list_modules(command): def list_modules(command):
"""
Calls a command in terminal
Args:
command(str) the command one wants to execute
Returns:
result(list[std]) List of each line the command has as an output.
"""
result = subprocess.run(command, shell = True, capture_output=True, text=True) result = subprocess.run(command, shell = True, capture_output=True, text=True)
if result.returncode == 0: if result.returncode == 0:
@ -384,27 +461,36 @@ def detect_keyloggers():
if verbose_option: if verbose_option:
print('[Verbose] Config file saved') print('[Verbose] Config file saved')
print('[+] Program completed. Exiting.')
debug(debug_option, 'Kernel detection option: ' + str(kernel_detection_option))
###########################
# 10. If kernel_detection_option is set, run kernel detection
###########################
if kernel_detection_option: if kernel_detection_option:
whitelist = get_whitelist("whitelist.txt") whitelist = get_whitelist("whitelist.txt")
lsmod_output = list_modules("lsmod") lsmod_output = list_modules("lsmod")
lsmod_output = list_modules("lsmod")
sus_modules = compare_mods(whitelist, lsmod_output) sus_modules = compare_mods(whitelist, lsmod_output)
sus_modules = tidy_up(sus_modules) sus_modules = tidy_up(sus_modules)
sus_modules = unload_mod(sus_modules) sus_modules = unload_mod(sus_modules)
time.sleep(1) time.sleep(1)
sus_modules = getpath(sus_modules) sus_modules = getpath(sus_modules)
suspects = [] suspects = []
if verbose_option:
print("[Verbose] ", end="")
print(sus_modules) print(sus_modules)
if len(sus_modules) == 0: if len(sus_modules) == 0 and verbose_option:
print("nothing to do") print("[Verbose] Nothing to do")
print("ALL CLEAN")
for module in sus_modules: for module in sus_modules:
if module == '': if module == '': #if modules have an empty path, they are in root
break break
suspects.append(detect_logger(module)) suspects.append(detect_kernel(module))
time.sleep(1) time.sleep(1)
print("Following modules are logging your keystrokes: ") print("Following modules are logging your keystrokes: ")
@ -412,15 +498,17 @@ def detect_keyloggers():
print( f"[{i}] {suspects[i]}") print( f"[{i}] {suspects[i]}")
print("Enter the number of the module you want to remove: ") print("Enter the number of the module you want to remove: ")
user_input = input().split() user_input = input().split()
to_remove = []
for j in user_input: for j in user_input:
to_remove = suspects[int(j)] to_remove = suspects[int(j)]
subprocess.Popen(['sudo','rmmod', to_remove]) subprocess.Popen(['sudo','rmmod', to_remove])
if len(to_remove) < 1:
print(f"Removed {to_remove}") print(f"Removed {to_remove}")
print("Finished")
print('[+] Program completed. Exiting.')
debug(debug_option, 'Kernel detection option: ' + str(kernel_detection_option))