diff --git a/src/follow_symlinks.sh b/src/follow_symlinks.sh
new file mode 100755
index 0000000..3998b0e
--- /dev/null
+++ b/src/follow_symlinks.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# ===============================
+# Step1: Find keyboard file paths
+# ===============================
+
+# Output file path
+kbd_output_file="kbd_file_paths.txt"
+
+# Function to follow symbolic links recursively
+follow_symlinks() {
+ local filepath=$1
+
+ if [[ -L $filepath ]]; then
+ local resolved_path=$(readlink -f "$filepath")
+ echo "$resolved_path" >> "$kbd_output_file"
+ follow_symlinks "$resolved_path"
+ fi
+}
+
+# Traverse files in /dev/input/by-path
+echo -n > "$kbd_output_file"
+find /dev/input/by-path -type l -name '*kbd*' -print0 | while IFS= read -r -d '' filepath; do
+ #echo "$filepath" >> "$kbd_output_file"
+ follow_symlinks "$filepath"
+done
+
+echo "Keyboard file paths written to $kbd_output_file"
+
+# ===============================
+# Step2: Find pids using keyboard event files
+# ===============================
+
+# Use found kbd file paths to find corresponding pids
+pids_input_file="$kbd_output_file"
+pids_output_file="pids.txt"
+
+echo -n > "$pids_output_file"
+
+declare -a pids_array
+
+# Get pids of processes using the keyboard and put in array
+while IFS= read -r pathname; do
+ pids=$(fuser "$pathname")
+ # add pids to array
+ for pid in $pids; do
+ pids_array+=("$pid")
+ done
+done < "$pids_input_file"
+
+# sort and remove duplicates
+sorted_pids=$(printf '%s\n' "${pids_array[@]}" | sort -nu)
+
+# write unique pids to file, separated by newlines
+printf '%s\n' "${sorted_pids[@]}" > "$pids_output_file"
+
+echo "Pids written to $pids_output_file"
+
+# ===============================
+# Step3: Find processes/program names using pids
+# ===============================
+exe_input_file="$pids_output_file"
+exe_output_file="suspicous_exes.txt"
+
+# Clear output file
+echo -n > "$exe_output_file"
+
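Review bot: The Step 2 loop `pids=$(fuser "$pathname")` can only list descriptors of processes whose `/proc/<pid>/fd` the caller is allowed to read, so run as an unprivileged user it silently returns nothing for a keylogger owned by root or another account, and `pids.txt` ends up empty exactly as it would on a clean host — a false negative the script cannot distinguish from a pass. It should fail early when `fuser` (psmisc) is absent and at least warn when not root: `command -v fuser >/dev/null || { echo "fuser not found" >&2; exit 1; }` and `[[ $EUID -eq 0 ]] || echo "warning: not root, fuser cannot see other users' processes" >&2`. `fuser` also echoes each path to stderr, so either add `2>/dev/null` or keep that as a deliberate progress line. Separately, Step 3 sets `exe_input_file`/`exe_output_file` (`suspicous_exes.txt` is misspelled) and truncates the file but never resolves a PID, so that output is always empty; the per-PID `readlink -f "/proc/$pid/exe"` loop that keyloggers.sh in this same commit uses is what is missing here.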
diff --git a/src/get_kbd_event_files.py b/src/get_kbd_event_files.py
new file mode 100755
index 0000000..02ba94f
--- /dev/null
+++ b/src/get_kbd_event_files.py
@@ -0,0 +1,24 @@
+import os
+
+# Output file path
+kbd_output_file = "kbd_file_paths.txt"
+
+# Function to follow symbolic links recursively
+def follow_symlinks(filepath):
+ if os.path.islink(filepath):
+ resolved_path = os.path.realpath(filepath)
+ with open(kbd_output_file, "a") as f:
+ f.write(resolved_path + "\n")
+ follow_symlinks(resolved_path)
+
+# Traverse files in /dev/input/by-path
+with open(kbd_output_file, "w") as f:
+ f.write("")
+for root, dirs, files in os.walk("/dev/input/by-path"):
+ for filename in files:
+ if "kbd" in filename:
+ filepath = os.path.join(root, filename)
+ follow_symlinks(filepath)
+
+print("Keyboard file paths written to", kbd_output_file)
+
diff --git a/src/keyboard_script.sh b/src/keyboard_script.sh
new file mode 100755
index 0000000..69dcfa8
--- /dev/null
+++ b/src/keyboard_script.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Output file path
+output_file="keyboard_files.txt"
+
+# Find keyboard device files
+keyboard_files=()
+while IFS= read -r -d '' file; do
+ if [[ $file == *"kbd"* || $file == *"keyboard"* ]]; then
+ keyboard_files+=("$file")
+ fi
+done < <(find /dev/input -type c -name 'event*')
+
+# Write keyboard files to output file
+echo "Keyboard Device Files" > "$output_file"
+echo "======================" >> "$output_file"
+
+if [[ ${#keyboard_files[@]} -eq 0 ]]; then
+ echo "No keyboard device files found." >> "$output_file"
+else
+ for file in "${keyboard_files[@]}"; do
+ echo "$file" >> "$output_file"
+ done
+fi
+
+echo "Keyboard files written to $output_file"
+
diff --git a/src/keyloggers.sh b/src/keyloggers.sh
new file mode 100755
index 0000000..020d28d
--- /dev/null
+++ b/src/keyloggers.sh
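Review bot: `os.walk("/dev/input/by-path")` swallows the `OSError` raised when that directory is missing or unreadable (it only reports it through an `onerror` callback, and none is given), so on a host without the udev by-path tree the script still prints "Keyboard file paths written to" and leaves `kbd_file_paths.txt` empty, which a consumer cannot tell apart from "no keyboard present" — a silent false negative in a detection step. Pass `onerror=` a handler that writes the error to stderr and exits non-zero, or check `os.path.isdir("/dev/input/by-path")` up front and warn. The recursive call `follow_symlinks(resolved_path)` is dead code: `os.path.realpath` already resolves every link in the chain, so `os.path.islink` on its result is always false; a single `realpath` per matching name, guarded by the `islink` test, expresses the intent with no recursion.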
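Review bot: The device discovery in `done < <(find /dev/input -type c -name 'event*')` can never yield a result: the loop reads NUL-delimited records (`read -r -d ''`) but `find` is invoked without `-print0`, so `read` hits EOF without a delimiter and the body never runs, and even with `-print0` the character devices are named `/dev/input/eventN`, which never contain `kbd` or `keyboard`, so the filter would reject every one. The report therefore always says "No keyboard device files found." — a hard false negative for a keylogger check. Match the udev symlinks, whose names carry the device type, as follow_symlinks.sh in this commit already does: `done < <(find /dev/input/by-path -type l \( -name '*kbd*' -o -name '*keyboard*' \) -print0)`; the `[[ $file == *"kbd"* ... ]]` test then becomes redundant, and each entry should go through `readlink -f` so the list holds the event node a process would actually have open. I can't tell from the hunk whether `/dev/input/by-id` is also wanted; adding it to the search covers keyboards enumerated only there.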
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Output file path
+output_file="keyboard_info.txt"
+
+# Step 1: Find keyboard device files
+keyboard_files=()
+while IFS= read -r -d '' file; do
+ if [[ $file == *"kbd"* || $file == *"keyboard"* ]]; then
+ keyboard_files+=("$file")
+ fi
+done < <(find /dev/input/by-path -type l -name 'event*')
+
+# Step 2: Check processes with open keyboard files
+echo "Keyboard Information" > "$output_file"
+echo "=====================" >> "$output_file"
+
+for keyboard_file in "${keyboard_files[@]}"; do
+ echo "Keyboard device file: $keyboard_file" >> "$output_file"
+
+ event_file=$(readlink -f "$keyboard_file")
+ echo "Event file: $event_file" >> "$output_file"
+
+ pids=$(fuser -v "$event_file" 2>/dev/null | awk -F'[: ]+' 'NR>1{print $2}')
+ echo "PIDs with file open: $pids" >> "$output_file"
+
+ # Step 3: Check corresponding programs
+ echo "Corresponding Programs" >> "$output_file"
+ echo "---------------------" >> "$output_file"
+
+ for pid in $pids; do
+ program=$(readlink -f "/proc/$pid/exe")
+ echo "PID $pid corresponds to program: $program" >> "$output_file"
+ done
+
+ echo >> "$output_file"
+done
+
+echo "Keyboard information written to $output_file"
+
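Review bot: Both halves of the detection in this hunk are inert. `find /dev/input/by-path -type l -name 'event*'` matches nothing, because udev by-path link names have the form `...-event-kbd` rather than starting with `event`, and the loop reads NUL-delimited records while `find` lacks `-print0`, so `keyboard_files` stays empty and the report holds only its two header lines; the sibling follow_symlinks.sh in this commit already uses `-name '*kbd*' -print0`. Then `pids=$(fuser -v "$event_file" 2>/dev/null | awk ... 'NR>1{print $2}')` parses the wrong stream: as far as I can tell psmisc `fuser` writes the verbose USER/PID/ACCESS/COMMAND table to stderr (discarded here) and only the PID list, on one line, to stdout, so `NR>1` skips it and `pids` is always empty. Change to `done < <(find /dev/input/by-path -type l \( -name '*kbd*' -o -name '*keyboard*' \) -print0)` and `pids=$(fuser "$event_file" 2>/dev/null)`. Even then, `/proc/<pid>/fd` and `/proc/<pid>/exe` of other users' processes are only readable as root, so the script should check `$EUID` and warn that an unprivileged run cannot see a root-owned logger.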