Merge branch 'main' of github.com:sebaschi/keylogger-detector

doc/dev_journal.md

@@ -177,4 +177,6 @@ All in all, the main functionality works as intended. Basically now would be the
 ## Wednesday, 7, June 2023
 ### Michel
 
-I have written 2 systemtap scripts, that can detect, whenever a module registers at the Keyboard-notifier. The Script can currently detect whenever a module registers. However, neither of them can detect which kernel module registered. Here comes Sebastians idea of writing a python script, that can unload all un-known modules and loads them back in, whilst the stap-script is running. Whenever a module is loaded in, and it triggers the stap-script, we know it is tracking key-strokes. Those modules will be shown to the user and the user then has to decide whether to unload and remove them, or keep them. 
+
+I have written 1 systemtap scripts, that can detect, whenever a module registers at the Keyboard-notifier. The Script can currently detect whenever a module registers. My script cant detect which kernel module registered. Here comes Sebastians idea of writing a python script, that can unload all un-known modules and loads them back in, whilst the stap-script is running. Whenever a module is loaded in, and it triggers the stap-script, we know it is tracking key-strokes. Those modules will be shown to the user and the user then has to decide whether to unload and remove them, or keep them. My script is based on a redhat-script. The redhat-script is called funcall_tracer2.stp . The idea behind both scripts is the same. My script is simplyfied for the use with python. 
+

src/funcall_trace1.stp

@@ -0,0 +1,8 @@
+
+probe kernel.function("register_keyboard_notifier").call
+	{
+		printf("%s (%d)\n", execname(),tid())
+	}
+probe end{
+	printf("end\n")
+}

src/funcall_trace2.stp

@@ -0,0 +1,58 @@
+#! /usr/bin/env stap
+#
+# Copyright (C) 2010-2015 Red Hat, Inc.
+# Written by William Cohen <wcohen@redhat.com>
+#
+# The linetimes.stp script takes two arguments: where to find the function
+# and the function name. linetimes.stp will instrument each line in the
+# function. It will print out the number of times that the function is
+# called, a table with the average and maximum time each line takes,
+# and control flow information when the script exits.
+#
+# For example all the lines of the do_unlinkat function:
+#
+# stap linetimes.stp kernel do_unlinkat
+
+global calls, times, last_pp, region, cfg
+
+probe $1.function(@2).call { calls <<< 1 }
+probe $1.function(@2).return {
+  t = gettimeofday_us()
+  s = times[tid()]
+  if (s) {
+    e = t - s
+    region[last_pp[tid()]] <<< e
+    cfg[last_pp[tid()], pp()] <<< 1
+  }
+  delete times[tid()]
+  delete last_pp[tid()]
+}
+
+probe $1.statement(@2 "@*:*") {
+  t = gettimeofday_us()
+  s = times[tid()]
+  if (s) {
+    e = t - s
+    region[last_pp[tid()]] <<< e
+    cfg[last_pp[tid()], pp()] <<< 1
+  }
+  times[tid()] = t
+  last_pp[tid()] = pp()
+}
+
+probe end {
+  printf("\n%s %s call count: %d\n", @1, @2, @count(calls));
+  printf("\n%-58s %10s %10s\n", "region", "avg(us)", "max(us)");
+  foreach (p+ in region) {
+    printf("%-58s %10d %10d\n", p, @avg(region[p]), @max(region[p]));
+  }
+
+  printf("\n\ncontrol flow graph information\n")
+  printf("from\n\tto\n=======================\n")
+  foreach ([src+] in region) {
+     printf("%-s\n", src)
+     foreach ([s,dest+] in cfg[src,*]) { # slice for all dest's
+        printf("\t%-s %d\n", dest, @count(cfg[src,dest]));
+     }
+  }
+}