seb/keylogger-detector
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1 from sebaschi/userland

Browse Source 
The userland programm core functionality is completed. 
keylogger-detector.py detects all processes reading from a keyboard file in /dev/input/eventX.
The keylogger asks the user if they would like to kill any process, and does so.
Many PIDs with the same programm are handled.
There is a whitelist and autokill list configurable(only partially from withing the running program) aswell as what names keyboards might have, like 'kbd'.
This commit is contained in:
Sebastian Lenzlinger 2023-06-07 19:44:33 +02:00 committed by GitHub
commit d434029e56
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 502 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,4 +1,5 @@
__pycache__/
*.pdf
/docs/research/
/build/

54
doc/dev_journal.md
View File

@ -120,6 +120,56 @@ Test in VM and finnishing touches to smooth things out.
Did a first test in a Fedora 37 VM. At first it didn't work. Then I tested it on my normal machine and it also stopped working. It turned out that it was just not getting the root priviledges right, even tho it passed the root check. Testing on the VM was then succesfull in that it found the pids. Killing the process wasn't succesfull and will need further testing and fixes.
#### TODO:
1. Fix the bug where the killing of the process doesn't work.
2. Build config files, maybe check if there is a better way to to do configs than with .txt files.
~~2. Build config files, maybe check if there is a better way to to do configs than with .txt files.~~ (finnished 6.06.23)
3. Keep testing. Goal is that if run as '''$ sudo ./kldetect.py -v''' one is prompted to kill the keylogger, and then rerunning the programm would give the output '''[+] No suspicious programms found'''
4. Note to self: Problem with killing is that not using pids-program dict to choose which program to kill.
~~4. Note to self: Problem with killing is that not using pids-program dict to choose which program to kill.~~
#### Later that same say
Configuration is now done with json to keep it all central.
Test with json configuration works.
Killing a process still doesn't work:
''' TypeError: 'str' object cannot be interpreted as integer '''
## Wednesday, 7. June 2023, night
### Sebastian
This is the latest output aftert a test run where actually 3 processes has keyloggers runnig.
'''
[kldetect@fedora src]$ sudo ./keylogger_detector.py
[sudo] password for kldetect:
/usr/sbin/fuser
/usr/bin/which
[+] No suspicious processes found
[kldetect@fedora src]$ sudo ./keylogger_detector.py
/usr/sbin/fuser
/usr/bin/which
[+] No suspicious processes found
[kldetect@fedora src]$ cat config.
cat: config.: No such file or directory
[kldetect@fedora src]$ cat config.json
{"white_listed_programs": ["systemd", "gnome-shell"], "auto_kill_programs": ["skeylogger", "skeylogger", "skeylogger", "skeylogger", "skeylogger"], "kbd_names": ["kbd"]}[kldetect@fedora src]$ sudo ./keylogger_detector.py -v
[Verbose] Input options set
[Verbose] Root access checked
/usr/sbin/fuser
/usr/bin/which
[Verbose] Packages checked
[Verbose] Config file loaded
[Verbose] Config file parsed
[Verbose] Keyboard device files found: []
[Verbose] Process IDs using keyboard device files: []
[Verbose] Process names using keyboard device files: []
[Verbose] Suspicious processes found: []
[Verbose] Suspicious processes not killed: []
[Verbose] Suspicious processes killed: []
[+] No suspicious processes found
'''
This is after extensivly refactoring because I was starting to loose oversight over the code. So I split it up into utils, config and keylogger_detector.
#### TODO:
1. Ivestigate and bug fix
## Wednesday, 7. June 2023, day
### Sebastian
VirtualBox stopped working so after much pain I decided to switch to Boxes. There the install of Fedora 37 went smoothly.
Then Started testing the userland detector on [simple-key-logger](https://github.com/gsingh93/simple-key-logger/tree/maste), [logkeys](https://github.com/kernc/logkeys).
[pykeylogger](https://github.com/amoffat/pykeylogger) produced a segmentation fault, after I finaly got it to run. Trying to run [py-keylogger](https://github.com/hiamandeep/py-keylogger), turns out it only runs on X11 it seem (so we'd not catch it anyway).
[keylog](https://github.com/SCOTPAUL/keylog) was succesfully detected and removed.
All in all, the main functionality works as intended. Basically now would be the refinement phase to add more options or to have a way to configure the config.json file more easily.
#### TODO
1. Write report
2. Add functionality to userspace detector

12
src/config.json
View File

@ -1 +1,11 @@
{"white_listed_programs": ["systemd", "gnome-shell"], "auto_kill_programs": [], "kbd_names": ["kbd"]}
{
"white_listed_programs": [
"systemd_logind",
"gnome-shell",
"systemd"
],
"auto_kill_programs": [],
"kbd_names": [
"kbd"
]
}

50
src/config.py
View File

@ -4,43 +4,41 @@ import os
CONFIG_FILE = 'config.json'
def load_config():
"""
Load the configuration from the JSON file or create a new one if it doesn't exist
Returns:
dict: The configuration data
"""
config = {}
# Check if the configuration file exists
if os.path.exists(CONFIG_FILE):
try:
with open(CONFIG_FILE, 'r') as file:
config = json.load(file)
except (IOError, json.JSONDecodeError) as e:
print(f"Error loading configuration: {e}")
except:
print("[-] Error: Failed to load config file")
else:
config = {
'white_listed_programs': [],
'auto_kill_programs': [],
'kbd_names': ['kbd']
}
save_config(config)
return config
def save_config(config):
"""
Save the configuration to the JSON file
Args:
config (dict): The configuration data
"""
try:
with open(CONFIG_FILE, 'w') as file:
json.dump(config, file, indent=4)
except IOError as e:
print(f"Error saving configuration: {e}")
# Load the configuration
config_data = load_config()
# Access and modify the settings
whitelist = config_data.get('whitelist', [])
autokill_list = config_data.get('autokill_list', [])
other_setting = config_data.get('other_setting')
# Add a process to the whitelist
whitelist.append(9999)
# Remove a process from the autokill list
if 1234 in autokill_list:
autokill_list.remove(1234)
# Modify the other_setting value
config_data['other_setting'] = 'new_value'
# Save the modified configuration back to the JSON file
save_config(config_data)
except:
print("[-] Error: Failed to save config file")

283
src/keylogger_detector.py Executable file
View File

@ -0,0 +1,283 @@
#!/usr/bin/env python3
import sys
from config import CONFIG_FILE, load_config, save_config
from utils import (
check_root,
check_packages,
get_keyboard_device_files,
get_real_path,
get_pids_using_file,
get_process_name,
kill_processes,
kill_process
)
# Global variables
auto_kill_option = False
verbose_option = False
safe_option = False
add_white_list_option = False
debug_option = False
# Functions
def debug(option, to_print):
if option:
print('[Debug]', to_print)
def print_help():
print('Usage: python3 keylogger_detector.py [OPTIONS]')
print('Options:')
print(' -h, --help\t\t\tPrint this help message')
print(' -v, --verbose\t\t\tVerbose mode. Informative information will be displayed duting execution')
print(' -a, --auto-kill\t\tAutomatically kill blacklisted processes')
print(' -s, --safe\t\t\tSafe mode. Asked to confirm before killing a process')
print(' -w, --add-white-list\t\t\tActivate prompt to add program names to the whitelist') #For some reason this line gets messed up in display
print(' -d, --debug\t\t\tDebug mode. Print debug statements')
def set_input_options():
"""
Set input options based on command line arguments
Invalid arguments are ignored
Raises:
SystemExit: If -h or --help is passed as an argument, the help message is printed and the program exits
"""
global auto_kill_option, verbose_option, safe_option, add_white_list_option
global debug_option
if len(sys.argv) > 1:
for arg in sys.argv[1:]:
print(arg)
if arg == '-h' or arg == '--help':
print_help()
sys.exit(0)
elif arg == '-v' or arg == '--verbose':
verbose_option = True
elif arg == '-a' or arg == '--auto-kill':
auto_kill_option = True
elif arg == '-s' or arg == '--safe':
safe_option = True
elif arg == '-w' or arg == '--add-white-list' :
add_white_list_option = True
elif arg == '-d' or arg == '--debug':
debug_option = True
def confirm_kill_procces(process_name, times=0):
"""
Prompt the user to confirm to kill a process.
Should be used only in safe mode.
Args:
process_name (str): Name of the process to kill
times (int) : Number of times prompt has been displayed but neither y nor n where given. Defaults to 0.
Use to limit promt attempts.
Returns:
bool: True if user confirms the kill, False otherwise.
Raises:
SystemExit: If the user has given invalid input more than 5 times, the program exits.
"""
if times > 5:
print('Too many invalid inputs. Exiting.')
sys.exit(1)
if times > 0:
print('Invalid input. Please enter y or n.')
print('Do you want to kill {}? (y/n)'.format(process_name))
answer = input()
if answer == 'y':
return True
elif answer == 'n':
return False
else:
return confirm_kill_procces(process_name, times+1)
def detect_keyloggers():
"""
Detect (userland) keylogger processes based on which processes have a keyboard file open (/dev/input/event*)
The main function of the program.
Will attempt to detect keyloggers based on the config file, command line arguments and user input.
Here the control flow and logic of the program are defined.
"""
############################
# 1. Setup and initialization
############################
debug(True, str(sys.argv)) # Set manually to debug if args are being read
global auto_kill_option, verbose_option, safe_option
global CONFIG_FILE
set_input_options()
if verbose_option:
print('[Verbose] Input options set')
check_root()
if verbose_option:
print('[Verbose] Root access checked')
check_packages()
if verbose_option:
print('[Verbose] Packages checked')
config = load_config()
if verbose_option:
print('[Verbose] Config file loaded')
white_listed_programs = config['white_listed_programs']
auto_kill_programs = config['auto_kill_programs']
kbd_names = config['kbd_names']
if verbose_option:
print('[Verbose] Config file parsed')
debug(debug_option, 'Whitelist option: ' + str(add_white_list_option))
debug(debug_option, 'Vebose option: ' + str(verbose_option))
############################
# 2. Get device files mapped to keyboard
############################
keyboard_device_files = get_keyboard_device_files(kbd_names)
if verbose_option:
print('[Verbose] Keyboard device files found:', keyboard_device_files)
############################
# 3. Get pids using keyboard device files
############################
pids = []
for device_file in keyboard_device_files:
pids += get_pids_using_file(device_file)
pids = sorted(list(set(pids)))
if verbose_option:
print('[Verbose] Process IDs using keyboard device files:', pids)
############################
# 4. Get process names using pids
############################
process_names = []
name_pid_dict = {}
for pid in pids:
name = get_process_name(pid)
process_names.append(name)
name_pid_dict.setdefault(name, []).append(pid)
process_names = sorted(list(set(process_names)))
if verbose_option:
print('[Verbose] Process names using keyboard device files:', process_names)
############################
# 5.If auto_kill option is set, kill auto-killable processes
############################
if auto_kill_option:
for name in process_names:
if name in auto_kill_programs:
if verbose_option:
print('[Verbose] Auto-killable process found:', name)
if safe_option:
if confirm_kill_procces(name):
kill_process(name_pid_dict[name])
else:
kill_process(name_pid_dict[name])
############################
# 6. Identify suspicious processes, i.e. those not whitelisted
############################
suspicious_processes = []
for name in process_names:
if name not in white_listed_programs:
suspicious_processes.append(name)
if verbose_option:
print('[Verbose] Suspicious processes found:', suspicious_processes)
print('[Verbose] Suspicious processes not killed:', [name for name in suspicious_processes if name not in auto_kill_programs])
print('[Verbose] Suspicious processes killed:', [name for name in suspicious_processes if name in auto_kill_programs])
############################
# 6.1 If no suspicious processes are found, exit
############################
if len(suspicious_processes) == 0:
print("[+] No suspicious processes found")
sys.exit(0)
############################
# 7. Prompt user to chose which processes (not covered by auto kill if set) to kill
############################
print('[-]The following suspicious processes were found:')
for name in suspicious_processes:
print(f'\t{name}')
if safe_option:
print('[Safe] You are in safe mode. In safe mode you will be asked to confirm each kill.')
print('[Safe] Please be aware that killing an important process may cause your system to crash.')
print('Please enter the names of the processes to kill, separated by a space.')
print('To not kill any just hit enter.')
to_kill = input().split()
if len(to_kill) == 0:
print('[+] No processes to kill.')
if verbose_option:
print('[Verbose] Processes to kill:', to_kill)
# If the safe_option is set, prompt the user to confirm each kill
if safe_option:
for name in to_kill:
for pid in name_pid_dict[name]:
if confirm_kill_procces(name):
debug(debug_option, 'Killing process: ' + name)
debug(debug_option, 'type(id): ' + str(type(pid)))
kill_process(id)
if verbose_option:
print('[Verbose] Process killed:', name)
else:
for name in to_kill:
for pid in name_pid_dict[name]:
debug(debug_option, 'Killing process: ' + name)
debug(debug_option, 'type(id): ' + str(type(pid)))
kill_process(pid)
if verbose_option:
print('[Verbose] Process killed:', name)
############################
# 8. Update whitelist if option set
############################
debug(debug_option, 'Whitelist option:' + str(add_white_list_option))
if add_white_list_option:
print('Please type the names of any process to whitelist, separated by a spcace.')
to_whitelist = input().split()
if len(to_whitelist) == 0 and verbose_option:
print('[Verbose] No processes chosen to whitelist.')
else:
white_listed_programs += to_whitelist
if verbose_option:
print('[Verbose] Newly whitelisted programs: ', to_whitelist)
###########################
# 9. Cleanup
###########################
to_kill = list(set(to_kill))
auto_kill_programs = list(set(auto_kill_programs))
auto_kill_programs.extend(to_kill)
config['auto_kill_programs'] = auto_kill_programs
white_listed_programs = list(set(white_listed_programs))
config['white_listed_programs'] = white_listed_programs
kbd_names = list(set(kbd_names))
config['kbd_names'] = kbd_names
save_config(config)
if verbose_option:
print('[Verbose] Config file saved')
print('[+] Program completed. Exiting.')
if __name__ == '__main__':
detect_keyloggers()

41
src/kldetect.py → src/legacy/kldetect.py
View File

@ -13,37 +13,6 @@ auto_kill_option = False
verbose_option = False
safe_option = False
# Load Configurations
def load_config():
config = {}
# Check if file exists
if os.path.exists(CONFIG_FILE):
try:
with open(CONFIG_FILE, 'r') as file:
config = json.load(file)
except:
print("[-] Error: Failed to load config file")
else:
config = {
'white_listed_programs': [],
'auto_kill_programs': [],
'kbd_names': ['kbd']
}
save_config(config) # Save the default configuration
return config
# Save new configurations to json file
def save_config(config):
try:
with open(CONFIG_FILE, 'w') as file:
json.dump(config, file)
except IOError as e:
print(f"[-] Error! Failed to save config file: {e}")
# Check if the user is in sudo mode
def check_sudo():
if os.geteuid() != 0:
@ -148,6 +117,8 @@ def confirm_kill_programs(programs, times=0):
# kill list of processes
def kill_processes(pids):
print(pids) ## DEBUG
print("Killing processes with pids:", pids)
for pid in pids:
os.kill(pid, signal.SIGKILL)
if verbose_option:
@ -201,7 +172,7 @@ def detect_keyloggers():
# Get program names
for pid in pids:
program_name = get_program_name(pid)
program_pid_dict[program_name] = pid
program_pid_dict[program_name] = program_pid_dict[program_name].append(int(pid))
if auto_kill_option and program_name in auto_kill_programs:
os.kill(pid, signal.SIGKILL)
if verbose_option:
@ -268,9 +239,9 @@ def detect_keyloggers():
###############################
# Step 5: Save config
###############################
config['auto_kill_programs'] = auto_kill_programs
config['white_listed_programs'] = white_listed_programs
config['kbd_names'] = kbd_names
config['auto_kill_programs'] = list(set(auto_kill_programs))
config['white_listed_programs'] = list(set(white_listed_programs))
config['kbd_names'] = list(set(kbd_names))
save_config(config)

125
src/utils.py Executable file
View File

@ -0,0 +1,125 @@
import os # for path operations, getuid, kill
import subprocess # for executing shell commands
import signal # for sending signals to processes
import sys # for exit
def check_root():
"""
Check if script is run as root(sudo).
Raises:
SystemExit: If not run as root.
"""
if os.getuid() != 0:
print("[-] Please run as root.")
sys.exit(1)
def check_packages():
"""
Check if all required packages are installed.
Raises:
SystemExit: If any packges is missing.
"""
packages = ['fuser', 'which']
missing_packages = []
for package in packages:
if subprocess.call(['which', package]) != 0:
missing_packages.append(package)
if len(missing_packages) > 0:
print("[-] Missing packages: {}".format(', '.join(missing_packages)))
sys.exit(1)
def get_keyboard_device_files(names):
"""
Get paths corresponding to keyboard device files by searching /dev/input/by-path.
Uses get_real_path() to resolve symlinks.
Args:
names (list): List of strings to use for searching. e.g.['kbd']
Returns:
str: Path to keyboard device file.
"""
keyboard_device_files = []
for root, dirs, files in os.walk('/dev/input/by-path'):
for file in files:
if any(name in file for name in names):
keyboard_device_files.append(get_real_path(os.path.join(root, file)))
return keyboard_device_files
def get_real_path(path):
"""
Resolve a path of a file.
Args:
path (str): Path to a file. Possibly a symlink.
Returns:
str: The resolved (real) path.
"""
if os.path.islink(path):
return os.path.realpath(path)
else:
return path
def get_pids_using_file(path):
"""
Get all process IDs using a file. (Essentially a wrapper for fuser.)
Args:
path (str): Path to a file. Usually /dev/input/eventX.
Returns:
list: List of process IDs.
Raises:
SystemExit: If fuser fails to run.
"""
try:
pids = subprocess.check_output(['fuser', path]).decode('utf-8').split()
except subprocess.CalledProcessError:
print("[-] Error: fuser failed to run on", path)
sys.exit(1)
return pids
def get_process_name(pid):
"""
Get the name of a process.
Args:
pid (int): Process ID.
Returns:
str: Name of the process.
"""
with open('/proc/{}/comm'.format(pid)) as f:
return f.read().strip()
def kill_processes(pids):
"""
Kill processes.
Args:
pids (list): List of process IDs.
"""
for pid in pids:
try:
os.kill(int(pid), signal.SIGKILL)
except ProcessLookupError:
print("[-] Process {} not found.".format(pid))
def kill_process(pid):
"""
Kill single process.
Args:
pid (str): Process ID of process to kill
"""
try:
os.kill(int(pid), signal.SIGKILL) # pid apparently arrives as string
except ProcessLookupError:
print("[-] Process {} not found.".format(pid))