API Detector bash script.

src/follow_symlinks.sh

@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# =============================== 
+# Step1: Find keyboard file paths
+# ===============================
+
+# Output file path
+kbd_output_file="kbd_file_paths.txt"
+
+# Function to follow symbolic links recursively
+follow_symlinks() {
+  local filepath=$1
+
+  if [[ -L $filepath ]]; then
+    local resolved_path=$(readlink -f "$filepath")
+    echo "$resolved_path" >> "$kbd_output_file"
+    follow_symlinks "$resolved_path"
+  fi
+}
+
+# Traverse files in /dev/input/by-path
+echo -n > "$kbd_output_file"
+find /dev/input/by-path -type l -name '*kbd*' -print0 | while IFS= read -r -d '' filepath; do
+  #echo "$filepath" >> "$kbd_output_file"
+  follow_symlinks "$filepath"
+done
+
+echo "Keyboard file paths written to $kbd_output_file"
+
+# ===============================
+# Step2: Find pids using keyboard event files
+# ===============================
+
+# Use found kbd file paths to find corresponding pids
+pids_input_file="$kbd_output_file"
+pids_output_file="pids.txt"
+
+echo -n > "$pids_output_file"
+
+declare -a pids_array
+
+# Get pids of processes using the keyboard and put in array
+while IFS= read -r pathname; do
+    pids=$(fuser "$pathname")
+    # add pids to array
+    for pid in $pids; do
+      pids_array+=("$pid")
+    done
+done < "$pids_input_file"
+
+# sort and remove duplicates
+sorted_pids=$(printf '%s\n' "${pids_array[@]}" | sort -nu)
+
+# write unique pids to file, separated by newlines
+printf '%s\n' "${sorted_pids[@]}" > "$pids_output_file"
+
+echo "Pids written to $pids_output_file"
+
+# ===============================
+# Step3: Find processes/program names using pids
+# ===============================
+exe_input_file="$pids_output_file"
+exe_output_file="suspicous_exes.txt"
+
+# Clear output file
+echo -n > "$exe_output_file"
+

src/get_kbd_event_files.py

@@ -0,0 +1,24 @@
+import os
+
+# Output file path
+kbd_output_file = "kbd_file_paths.txt"
+
+# Function to follow symbolic links recursively
+def follow_symlinks(filepath):
+    if os.path.islink(filepath):
+        resolved_path = os.path.realpath(filepath)
+        with open(kbd_output_file, "a") as f:
+            f.write(resolved_path + "\n")
+        follow_symlinks(resolved_path)
+
+# Traverse files in /dev/input/by-path
+with open(kbd_output_file, "w") as f:
+    f.write("")
+for root, dirs, files in os.walk("/dev/input/by-path"):
+    for filename in files:
+        if "kbd" in filename:
+            filepath = os.path.join(root, filename)
+            follow_symlinks(filepath)
+
+print("Keyboard file paths written to", kbd_output_file)
+

src/keyboard_script.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Output file path
+output_file="keyboard_files.txt"
+
+# Find keyboard device files
+keyboard_files=()
+while IFS= read -r -d '' file; do
+  if [[ $file == *"kbd"* || $file == *"keyboard"* ]]; then
+    keyboard_files+=("$file")
+  fi
+done < <(find /dev/input -type c -name 'event*')
+
+# Write keyboard files to output file
+echo "Keyboard Device Files" > "$output_file"
+echo "======================" >> "$output_file"
+
+if [[ ${#keyboard_files[@]} -eq 0 ]]; then
+  echo "No keyboard device files found." >> "$output_file"
+else
+  for file in "${keyboard_files[@]}"; do
+    echo "$file" >> "$output_file"
+  done
+fi
+
+echo "Keyboard files written to $output_file"
+

src/keyloggers.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Output file path
+output_file="keyboard_info.txt"
+
+# Step 1: Find keyboard device files
+keyboard_files=()
+while IFS= read -r -d '' file; do
+  if [[ $file == *"kbd"* || $file == *"keyboard"* ]]; then
+    keyboard_files+=("$file")
+  fi
+done < <(find /dev/input/by-path -type l -name 'event*')
+
+# Step 2: Check processes with open keyboard files
+echo "Keyboard Information" > "$output_file"
+echo "=====================" >> "$output_file"
+
+for keyboard_file in "${keyboard_files[@]}"; do
+  echo "Keyboard device file: $keyboard_file" >> "$output_file"
+
+  event_file=$(readlink -f "$keyboard_file")
+  echo "Event file: $event_file" >> "$output_file"
+
+  pids=$(fuser -v "$event_file" 2>/dev/null | awk -F'[: ]+' 'NR>1{print $2}')
+  echo "PIDs with file open: $pids" >> "$output_file"
+
+  # Step 3: Check corresponding programs
+  echo "Corresponding Programs" >> "$output_file"
+  echo "---------------------" >> "$output_file"
+
+  for pid in $pids; do
+    program=$(readlink -f "/proc/$pid/exe")
+    echo "PID $pid corresponds to program: $program" >> "$output_file"
+  done
+
+  echo >> "$output_file"
+done
+
+echo "Keyboard information written to $output_file"
+