diff --git a/src/legacy/find_logger_proc.h b/src/legacy/find_logger_proc.h deleted file mode 100644 index e69de29..0000000 diff --git a/src/legacy/follow_symlinks.sh b/src/legacy/follow_symlinks.sh deleted file mode 100755 index 9d9e492..0000000 --- a/src/legacy/follow_symlinks.sh +++ /dev/null @@ -1,67 +0,0 @@ -#!/bin/bash - -# =============================== -# Step1: Find keyboard file paths -# =============================== - -# Output file path -kbd_output_file="kbd_file_paths.txt" - -# Function to follow symbolic links recursively -follow_symlinks() { - local filepath=$1 - - if [[ -L $filepath ]]; then - local resolved_path=$(readlink -f "$filepath") - echo "$resolved_path" >> "$kbd_output_file" - follow_symlinks "$resolved_path" - fi -} - -# Traverse files in /dev/input/by-path -echo -n > "$kbd_output_file" -find /dev/input/by-path -type l -name '*kbd*' -print0 | while IFS= read -r -d '' filepath; do - #echo "$filepath" >> "$kbd_output_file" - follow_symlinks "$filepath" -done - -echo "Keyboard file paths written to $kbd_output_file" - -# =============================== -# Step2: Find pids using keyboard event files -# =============================== - -# Use found kbd file paths to find corresponding pids -pids_input_file="$kbd_output_file" -pids_output_file="pids.txt" - -echo -n > "$pids_output_file" - -declare -a pids_array - -# Get pids of processes using the keyboard and put in array -while IFS= read -r pathname; do - pids=$(fuser "$pathname") - # add pids to array - for pid in $pids; do - pids_array+=("$pid") - done -done < "$pids_input_file" - -# sort and remove duplicates -sorted_pids=$(printf '%s\n' "${pids_array[@]}" | sort -nu) - -# write unique and sorted pids to file, separated by newlines -printf '%s\n' "${sorted_pids[@]}" > "$pids_output_file" - -echo "Pids written to $pids_output_file" - -# =============================== -# Step3: Find processes/program names using pids -# =============================== -exe_input_file="$pids_output_file" -exe_output_file="suspicous_exes.txt" - -# Clear output file -echo -n > "$exe_output_file" - diff --git a/src/legacy/get_kbd_event_files.py b/src/legacy/get_kbd_event_files.py deleted file mode 100755 index 02ba94f..0000000 --- a/src/legacy/get_kbd_event_files.py +++ /dev/null @@ -1,24 +0,0 @@ -import os - -# Output file path -kbd_output_file = "kbd_file_paths.txt" - -# Function to follow symbolic links recursively -def follow_symlinks(filepath): - if os.path.islink(filepath): - resolved_path = os.path.realpath(filepath) - with open(kbd_output_file, "a") as f: - f.write(resolved_path + "\n") - follow_symlinks(resolved_path) - -# Traverse files in /dev/input/by-path -with open(kbd_output_file, "w") as f: - f.write("") -for root, dirs, files in os.walk("/dev/input/by-path"): - for filename in files: - if "kbd" in filename: - filepath = os.path.join(root, filename) - follow_symlinks(filepath) - -print("Keyboard file paths written to", kbd_output_file) - diff --git a/src/legacy/keyloggers.sh b/src/legacy/keyloggers.sh deleted file mode 100755 index 020d28d..0000000 --- a/src/legacy/keyloggers.sh +++ /dev/null @@ -1,40 +0,0 @@ -#!/bin/bash - -# Output file path -output_file="keyboard_info.txt" - -# Step 1: Find keyboard device files -keyboard_files=() -while IFS= read -r -d '' file; do - if [[ $file == *"kbd"* || $file == *"keyboard"* ]]; then - keyboard_files+=("$file") - fi -done < <(find /dev/input/by-path -type l -name 'event*') - -# Step 2: Check processes with open keyboard files -echo "Keyboard Information" > "$output_file" -echo "=====================" >> "$output_file" - -for keyboard_file in "${keyboard_files[@]}"; do - echo "Keyboard device file: $keyboard_file" >> "$output_file" - - event_file=$(readlink -f "$keyboard_file") - echo "Event file: $event_file" >> "$output_file" - - pids=$(fuser -v "$event_file" 2>/dev/null | awk -F'[: ]+' 'NR>1{print $2}') - echo "PIDs with file open: $pids" >> "$output_file" - - # Step 3: Check corresponding programs - echo "Corresponding Programs" >> "$output_file" - echo "---------------------" >> "$output_file" - - for pid in $pids; do - program=$(readlink -f "/proc/$pid/exe") - echo "PID $pid corresponds to program: $program" >> "$output_file" - done - - echo >> "$output_file" -done - -echo "Keyboard information written to $output_file" - diff --git a/src/legacy/kldetect.py b/src/legacy/kldetect.py deleted file mode 100755 index 90a85e3..0000000 --- a/src/legacy/kldetect.py +++ /dev/null @@ -1,251 +0,0 @@ -#!/usr/bin/env python3 - -import os # for going directories -import subprocess # for running commands, in particular fuser -import sys # for exiting -import signal # for killing processes -import json # for handling our configurations - -CONFIG_FILE = 'config.json' - - -auto_kill_option = False -verbose_option = False -safe_option = False - -# Check if the user is in sudo mode -def check_sudo(): - if os.geteuid() != 0: - print("[-] Please rerun as root") - sys.exit(1) - -# Check if the user has the required packages installed -def check_packages(): - packages = ['fuser'] - missing_packages = [] - for package in packages: - try: - subprocess.check_call(['which', package]) - except subprocess.CalledProcessError: - missing_packages.append(package) - if len(missing_packages) > 0: - print("[-] Please install the following packages:", str(missing_packages)) - sys.exit(1) - - - - -# Follow symlinks to find real path -def get_real_path(path): - if os.path.islink(path): - return os.path.realpath(path) - else: - return path - -# get keyboard device files -def get_keyboard_device_files(kbd_names): - keyboard_device_files = [] - for root, dirs, files in os.walk('/dev/input/by-path'): - for file in files: - if any(kbd_name in file for kbd_name in kbd_names): - keyboard_device_files.append(get_real_path(os.path.join(root, file))) - return keyboard_device_files - -# print a list to a file separated by newlines -def print_list_to_file(list, file): - with open(file, 'w') as f: - for item in list: - f.write("%s\n" % item) - -# find pids using file using fuser -def get_pids(file): - try: - pids = subprocess.check_output(['fuser', file]).decode('utf-8').split() - except subprocess.CalledProcessError: - if verbose_option: - print("[-] Error: fuser failed to run on", file) - return [] - #pids = [int(pid) for pid in pids] - return pids - -# clear a file -def clear_file(file): - open(file, 'w').close() - - -# find programm name using pid -def get_program_name(pid): - status_file = '/proc/' + str(pid) + '/status' - with open(status_file, 'r') as f: - # See cat /proc/[pid]/status | grep Name - for line in f: - if line.startswith('Name:'): - program_name = line.split(":")[1].strip() - return program_name - -# proces input arguments and set options -def set_input_arguments(): - global auto_kill_option - global verbose_option - global safe_option - if len(sys.argv) > 1: - if '-a' in sys.argv: - auto_kill_option = True - if '-v' in sys.argv: - verbose_option = True - if '-s' in sys.argv: - safe_option = True - - -# ask user to confirm a list of programs to kill -def confirm_kill_programs(programs, times=0): - print("Confirm to kill the following programs:") - for program in programs: - print(program) - print("y/n?") - answer = input() - if answer == 'y': - return True - elif answer == 'n': - return False - else: - if times > 5: - print("[-] Too many tries. Exiting") - sys.exit(1) - print("[-] Please answer y or n") - return confirm_kill_programs(programs, times+1) - -# kill list of processes -def kill_processes(pids): - print(pids) ## DEBUG - print("Killing processes with pids:", pids) - for pid in pids: - os.kill(pid, signal.SIGKILL) - if verbose_option: - print("[-] Killed process with pid", pid) - -# the main program starts here -def detect_keyloggers(): - ############################### - # Step 0: Check minimal requirements/ Set up - ############################### - check_sudo() - check_packages() - config = load_config() - # initialize white_listed_programs - if 'white_listed_programs' in config: - white_listed_programs = config['white_listed_programs'] - else: - config['white_listed_programs'] = [] - white_listed_programs = [] - # initialize auto_kill_programs - if 'auto_kill_programs' in config: - auto_kill_programs = config['auto_kill_programs'] - else: - config['auto_kill_programs'] = [] - auto_kill_programs = [] - # initialize kbd_names - if 'kbd_names' in config: - kbd_names = config['kbd_names'] - else: - config['kbd_names'] = [] - kbd_names = [] - # Set options - set_input_arguments() - - ############################### - # Step 1: Get keyboard device files - ############################### - keyboard_device_files = get_keyboard_device_files(kbd_names) - ############################### - # Step 2: Get pids using keyboard device files - ############################### - pids = [] - for file in keyboard_device_files: - pids += get_pids(file) - pids = sorted(list(set(pids))) - ############################### - # Step 3: Get program names using pids - ############################### - program_names = [] - program_pid_dict = {} - # Get program names - for pid in pids: - program_name = get_program_name(pid) - program_pid_dict[program_name] = program_pid_dict[program_name].append(int(pid)) - if auto_kill_option and program_name in auto_kill_programs: - os.kill(pid, signal.SIGKILL) - if verbose_option: - print("[-] Auto-Killed process", program_name, "with pid", pid) - else: - program_names.append(program_name) - program_names = sorted(list(set(program_names))) - - # Identify suspicious programs - suspicious_programs = [] - for program_name in program_names: - if program_name not in white_listed_programs: - suspicious_programs.append(program_name) - - - - - - if verbose_option: - ###############################= - # Intermezzo: Print results - ############################### - print("Keyboard device files:") - for file in keyboard_device_files: - print(file) - print("") - print("Pids:") - for pid in pids: - print(pid) - print("") - print("Program names:") - for program_name in program_names: - print(program_name) - print("") - - if len(suspicious_programs) == 0: - print("[+] No suspicious programs found") - sys.exit(0) - - ############################### - # Step 4: Ask user to kill any suspicious programs - ############################### - print("Suspicious programs:") - for program_name in suspicious_programs: - print(program_name) - user_input = input("Please enter those programs you want to kill. Use the whitespace(spacebar) to separate values.") - if user_input == '': - print("[-] No programs to kill") - sys.exit(0) - - programs_to_kill = user_input.split() - programs_to_kill = [program_name for program_name in programs_to_kill if program_name in suspicious_programs] # Filter out programs that are not suspicious - pids_to_kill = [] - for program_name in programs_to_kill: - pids_to_kill.append(program_pid_dict[program_name]) - auto_kill_programs.append(program_name) - - if safe_option: - if confirm_kill_programs(programs_to_kill): - kill_processes(pids_to_kill) - else: - kill_processes(pids_to_kill) - - ############################### - # Step 5: Save config - ############################### - config['auto_kill_programs'] = list(set(auto_kill_programs)) - config['white_listed_programs'] = list(set(white_listed_programs)) - config['kbd_names'] = list(set(kbd_names)) - save_config(config) - - -if __name__ == "__main__": - detect_keyloggers() - - diff --git a/src/legacy/proto.py b/src/legacy/proto.py deleted file mode 100755 index 30bc43a..0000000 --- a/src/legacy/proto.py +++ /dev/null @@ -1,77 +0,0 @@ -import os -import subprocess - -# =============================== -# Step1: Find keyboard file paths -# =============================== - -# Output file path -kbd_output_file = "kbd_file_paths.txt" - -# Function to follow symbolic links recursively -def follow_symlinks(filepath): - if os.path.islink(filepath): - resolved_path = os.path.realpath(filepath) - with open(kbd_output_file, "a") as output_file: - output_file.write(resolved_path + "\n") - follow_symlinks(resolved_path) - -# Traverse files in /dev/input/by-path -with open(kbd_output_file, "w") as output_file: - for root, dirs, files in os.walk("/dev/input/by-path"): - for file in files: - if "kbd" in file: - filepath = os.path.join(root, file) - output_file.write(filepath + "\n") - follow_symlinks(filepath) - -print("Keyboard file paths written to", kbd_output_file) - -# =============================== -# Step2: Find pids using keyboard event files -# =============================== - -# Use found kbd file paths to find corresponding pids -pids_input_file = kbd_output_file -pids_output_file = "pids.txt" - -pids_array = [] - -# Get pids of processes using the keyboard and put in array -with open(pids_input_file, "r") as input_file: - for pathname in input_file: - pathname = pathname.strip() - pids = subprocess.check_output(["fuser", pathname]).decode().split() - pids_array.extend(pids) - -# Sort and remove duplicates -sorted_pids = sorted(set(pids_array)) -print() -print("The following pids where found:" + str(sorted_pids) + "\n") - -# Write unique and sorted pids to file, separated by newlines -with open(pids_output_file, "w") as output_file: - output_file.write("\n".join(sorted_pids) + "\n") -print("Pids written to", pids_output_file) - -# =============================== -# Step3: Find processes/program names using pids -# =============================== -exe_input_file = pids_output_file -exe_output_file = "suspicious_exes.txt" - -# Clear output file -with open(exe_output_file, "w") as output_file: - output_file.write("") -exe_pid_dict = {} - -for pid in sorted_pids: - #Get name of executable from PID using process status file - status_file_path = "/proc/" + pid + "/status" - with open(status_file_path, "r") as status_file: - for line in status_file: - # See cat /proc/{pid}/status | grep "Name:" - if line.startswith("Name:"): - exe_name = line.split(":")[1].strip() - exe_pid_dict[exe_name] = pid -print("The following executables where found:" + str(exe_pid_dict) + "\n") diff --git a/src/legacy/test.c b/src/legacy/test.c deleted file mode 100644 index fea0089..0000000 --- a/src/legacy/test.c +++ /dev/null @@ -1,112 +0,0 @@ -#include -#include -#include -#include -#include - -#define DEVICE_DIR "/dev/input" -#define BY_PATH_DIR "/dev/input/by-path" -#define PROC_DIR "/proc" - -void get_program_name(long pid) { - char exe_file_path[256]; - snprintf(exe_file_path, sizeof(exe_file_path), "/proc/%ld/exe", pid); - - if (access(exe_file_path, F_OK) == 0) { - char program_path[256]; - ssize_t path_len = readlink(exe_file_path, program_path, sizeof(program_path) - 1); - if (path_len != -1) { - program_path[path_len] = '\0'; - printf("Corresponding program: %s\n\n", program_path); - } - } -} - -void find_keyboard_files() { - DIR *by_path_dir = opendir(BY_PATH_DIR); - if (by_path_dir == NULL) { - perror("opendir"); - exit(EXIT_FAILURE); - } - - struct dirent *entry; - while ((entry = readdir(by_path_dir)) != NULL) { - if (strstr(entry->d_name, "kbd") != NULL || strstr(entry->d_name, "keyboard") != NULL) { - char device_file_path[256]; - snprintf(device_file_path, sizeof(device_file_path), "%s/%s", BY_PATH_DIR, entry->d_name); - - char link_dest[256]; - ssize_t link_size = readlink(device_file_path, link_dest, sizeof(link_dest) - 1); - if (link_size == -1) { - perror("readlink"); - continue; - } - - link_dest[link_size] = '\0'; - printf("Keyboard device file: %s\n", link_dest); - - char event_file[256]; - snprintf(event_file, sizeof(event_file), "%s/%s", DEVICE_DIR, link_dest); - - DIR *proc_dir = opendir(PROC_DIR); - if (proc_dir == NULL) { - perror("opendir"); - continue; - } - - struct dirent *pid_entry; - while ((pid_entry = readdir(proc_dir)) != NULL) { - if (pid_entry->d_type != DT_DIR) - continue; - - // Check if the entry name is a numeric value (PID) - char *endptr; - long pid = strtol(pid_entry->d_name, &endptr, 10); - if (*endptr != '\0') - continue; - - char fd_dir_path[256]; - snprintf(fd_dir_path, sizeof(fd_dir_path), "%s/%s/fd", PROC_DIR, pid_entry->d_name); - - DIR *fd_dir = opendir(fd_dir_path); - if (fd_dir == NULL) - continue; - - struct dirent *fd_entry; - while ((fd_entry = readdir(fd_dir)) != NULL) { - if (fd_entry->d_type != DT_LNK) - continue; - - char fd_file_path[256]; - snprintf(fd_file_path, sizeof(fd_file_path), "%s/%s", fd_dir_path, fd_entry->d_name); - - char link_dest[256]; - ssize_t link_size = readlink(fd_file_path, link_dest, sizeof(link_dest) - 1); - if (link_size == -1) - continue; - - link_dest[link_size] = '\0'; - - if (strcmp(link_dest, event_file) == 0) { - printf("Process with PID %ld is using this file.\n", pid); - get_program_name(pid); - } - } - - closedir(fd_dir); - } - - closedir(proc_dir); - } - } - - closedir(by_path_dir); -} - -int main() { - printf("Finding keyboard files...\n\n"); - find_keyboard_files(); - - return 0; -} - diff --git a/src/legacy/user-space-detector.py b/src/legacy/user-space-detector.py deleted file mode 100644 index 30bc43a..0000000 --- a/src/legacy/user-space-detector.py +++ /dev/null @@ -1,77 +0,0 @@ -import os -import subprocess - -# =============================== -# Step1: Find keyboard file paths -# =============================== - -# Output file path -kbd_output_file = "kbd_file_paths.txt" - -# Function to follow symbolic links recursively -def follow_symlinks(filepath): - if os.path.islink(filepath): - resolved_path = os.path.realpath(filepath) - with open(kbd_output_file, "a") as output_file: - output_file.write(resolved_path + "\n") - follow_symlinks(resolved_path) - -# Traverse files in /dev/input/by-path -with open(kbd_output_file, "w") as output_file: - for root, dirs, files in os.walk("/dev/input/by-path"): - for file in files: - if "kbd" in file: - filepath = os.path.join(root, file) - output_file.write(filepath + "\n") - follow_symlinks(filepath) - -print("Keyboard file paths written to", kbd_output_file) - -# =============================== -# Step2: Find pids using keyboard event files -# =============================== - -# Use found kbd file paths to find corresponding pids -pids_input_file = kbd_output_file -pids_output_file = "pids.txt" - -pids_array = [] - -# Get pids of processes using the keyboard and put in array -with open(pids_input_file, "r") as input_file: - for pathname in input_file: - pathname = pathname.strip() - pids = subprocess.check_output(["fuser", pathname]).decode().split() - pids_array.extend(pids) - -# Sort and remove duplicates -sorted_pids = sorted(set(pids_array)) -print() -print("The following pids where found:" + str(sorted_pids) + "\n") - -# Write unique and sorted pids to file, separated by newlines -with open(pids_output_file, "w") as output_file: - output_file.write("\n".join(sorted_pids) + "\n") -print("Pids written to", pids_output_file) - -# =============================== -# Step3: Find processes/program names using pids -# =============================== -exe_input_file = pids_output_file -exe_output_file = "suspicious_exes.txt" - -# Clear output file -with open(exe_output_file, "w") as output_file: - output_file.write("") -exe_pid_dict = {} - -for pid in sorted_pids: - #Get name of executable from PID using process status file - status_file_path = "/proc/" + pid + "/status" - with open(status_file_path, "r") as status_file: - for line in status_file: - # See cat /proc/{pid}/status | grep "Name:" - if line.startswith("Name:"): - exe_name = line.split(":")[1].strip() - exe_pid_dict[exe_name] = pid -print("The following executables where found:" + str(exe_pid_dict) + "\n") diff --git a/src/legacy/user-space-detector.sh b/src/legacy/user-space-detector.sh deleted file mode 100755 index 9d9e492..0000000 --- a/src/legacy/user-space-detector.sh +++ /dev/null @@ -1,67 +0,0 @@ -#!/bin/bash - -# =============================== -# Step1: Find keyboard file paths -# =============================== - -# Output file path -kbd_output_file="kbd_file_paths.txt" - -# Function to follow symbolic links recursively -follow_symlinks() { - local filepath=$1 - - if [[ -L $filepath ]]; then - local resolved_path=$(readlink -f "$filepath") - echo "$resolved_path" >> "$kbd_output_file" - follow_symlinks "$resolved_path" - fi -} - -# Traverse files in /dev/input/by-path -echo -n > "$kbd_output_file" -find /dev/input/by-path -type l -name '*kbd*' -print0 | while IFS= read -r -d '' filepath; do - #echo "$filepath" >> "$kbd_output_file" - follow_symlinks "$filepath" -done - -echo "Keyboard file paths written to $kbd_output_file" - -# =============================== -# Step2: Find pids using keyboard event files -# =============================== - -# Use found kbd file paths to find corresponding pids -pids_input_file="$kbd_output_file" -pids_output_file="pids.txt" - -echo -n > "$pids_output_file" - -declare -a pids_array - -# Get pids of processes using the keyboard and put in array -while IFS= read -r pathname; do - pids=$(fuser "$pathname") - # add pids to array - for pid in $pids; do - pids_array+=("$pid") - done -done < "$pids_input_file" - -# sort and remove duplicates -sorted_pids=$(printf '%s\n' "${pids_array[@]}" | sort -nu) - -# write unique and sorted pids to file, separated by newlines -printf '%s\n' "${sorted_pids[@]}" > "$pids_output_file" - -echo "Pids written to $pids_output_file" - -# =============================== -# Step3: Find processes/program names using pids -# =============================== -exe_input_file="$pids_output_file" -exe_output_file="suspicous_exes.txt" - -# Clear output file -echo -n > "$exe_output_file" -