From fbf62f0a7ca79c729e510556e1228d1fa187341e Mon Sep 17 00:00:00 2001
From: Sebastian Lenzlinger <74497638+sebaschi@users.noreply.github.com>
Date: Sat, 3 Jun 2023 19:38:14 +0200
Subject: [PATCH] Move old code to legacy folder. Git now ignores .txt files
---
 .gitignore | 2 +
 src/Makefile | 2 +
 src/find_logger_proc.c | 14 ---
 src/keyboard_script.sh | 27 ------
 src/{ => legacy}/find_logger_proc.h | 0
 src/{ => legacy}/follow_symlinks.sh | 2 +-
 src/{ => legacy}/get_kbd_event_files.py | 0
 src/{ => legacy}/keyloggers.sh | 0
 src/legacy/test.c | 112 ++++++++++++++++++++++++
 src/main.c | 0
 src/user-space-detector.sh | 67 ++++++++++++++
 11 files changed, 184 insertions(+), 42 deletions(-)
 delete mode 100644 src/find_logger_proc.c
 delete mode 100755 src/keyboard_script.sh
 rename src/{ => legacy}/find_logger_proc.h (100%)
 rename src/{ => legacy}/follow_symlinks.sh (96%)
 rename src/{ => legacy}/get_kbd_event_files.py (100%)
 rename src/{ => legacy}/keyloggers.sh (100%)
 create mode 100644 src/legacy/test.c
 delete mode 100644 src/main.c
 create mode 100755 src/user-space-detector.sh
diff --git a/.gitignore b/.gitignore
index 4497d0d..e7e5ccc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,5 @@
 /build/
 *.o
 *.out
+*.txt
+
diff --git a/src/Makefile b/src/Makefile
index e69de29..6192f1f 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -0,0 +1,2 @@
+clean:
+ rm *.o *.txt *.out *.exe
diff --git a/src/find_logger_proc.c b/src/find_logger_proc.c
deleted file mode 100644
index 6209d97..0000000
--- a/src/find_logger_proc.c
+++ /dev/null
@@ -1,14 +0,0 @@
-#include // for printf()
-#include // for exit()
-#include // for strcmp()
-#include // for opendir(), readdir(), closedir()
-#include
-#include
-#include // for readlink(), chdir(), getcwd()
-#include // for errno
-
-#include "find_logger.h"
-
-
-
-
diff --git a/src/keyboard_script.sh b/src/keyboard_script.sh
deleted file mode 100755
index 69dcfa8..0000000
--- a/src/keyboard_script.sh
+++ /dev/null
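Review bot: `rm *.o *.txt *.out *.exe` in the new `clean` target exits non-zero whenever one of those globs matches nothing, which is the normal state of a fresh checkout, so `make clean` fails there; `rm -f *.o *.txt *.out *.exe` is the conventional form. Declaring `.PHONY: clean` above the rule also keeps it working should a file named `clean` ever appear in `src/`. The recipe line has to be tab-indented in the real file; the collapsed rendering here cannot show whether it is, so worth a glance before merging.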
@@ -1,27 +0,0 @@
-#!/bin/bash
-
-# Output file path
-output_file="keyboard_files.txt"
-
-# Find keyboard device files
-keyboard_files=()
-while IFS= read -r -d '' file; do
- if [[ $file == *"kbd"* || $file == *"keyboard"* ]]; then
- keyboard_files+=("$file")
- fi
-done < <(find /dev/input -type c -name 'event*')
-
-# Write keyboard files to output file
-echo "Keyboard Device Files" > "$output_file"
-echo "======================" >> "$output_file"
-
-if [[ ${#keyboard_files[@]} -eq 0 ]]; then
- echo "No keyboard device files found." >> "$output_file"
-else
- for file in "${keyboard_files[@]}"; do
- echo "$file" >> "$output_file"
- done
-fi
-
-echo "Keyboard files written to $output_file"
-
diff --git a/src/find_logger_proc.h b/src/legacy/find_logger_proc.h
similarity index 100%
rename from src/find_logger_proc.h
rename to src/legacy/find_logger_proc.h
diff --git a/src/follow_symlinks.sh b/src/legacy/follow_symlinks.sh
similarity index 96%
rename from src/follow_symlinks.sh
rename to src/legacy/follow_symlinks.sh
index 3998b0e..9d9e492 100755
--- a/src/follow_symlinks.sh
+++ b/src/legacy/follow_symlinks.sh
@@ -51,7 +51,7 @@ done < "$pids_input_file"
 # sort and remove duplicates
 sorted_pids=$(printf '%s\n' "${pids_array[@]}" | sort -nu)
-# write unique pids to file, separated by newlines
+# write unique and sorted pids to file, separated by newlines
 printf '%s\n' "${sorted_pids[@]}" > "$pids_output_file"
 echo "Pids written to $pids_output_file"
diff --git a/src/get_kbd_event_files.py b/src/legacy/get_kbd_event_files.py
similarity index 100%
rename from src/get_kbd_event_files.py
rename to src/legacy/get_kbd_event_files.py
diff --git a/src/keyloggers.sh b/src/legacy/keyloggers.sh
similarity index 100%
rename from src/keyloggers.sh
rename to src/legacy/keyloggers.sh
diff --git a/src/legacy/test.c b/src/legacy/test.c
new file mode 100644
index 0000000..fea0089
--- /dev/null
+++ b/src/legacy/test.c
@@ -0,0 +1,112 @@
+#include
+#include
+#include
+#include
+#include
+
+#define DEVICE_DIR "/dev/input"
+#define BY_PATH_DIR "/dev/input/by-path"
+#define PROC_DIR "/proc"
+
+void get_program_name(long pid) {
+ char exe_file_path[256];
+ snprintf(exe_file_path, sizeof(exe_file_path), "/proc/%ld/exe", pid);
+
+ if (access(exe_file_path, F_OK) == 0) {
+ char program_path[256];
+ ssize_t path_len = readlink(exe_file_path, program_path, sizeof(program_path) - 1);
+ if (path_len != -1) {
+ program_path[path_len] = '\0';
+ printf("Corresponding program: %s\n\n", program_path);
+ }
+ }
+}
+
+void find_keyboard_files() {
+ DIR *by_path_dir = opendir(BY_PATH_DIR);
+ if (by_path_dir == NULL) {
+ perror("opendir");
+ exit(EXIT_FAILURE);
+ }
+
+ struct dirent *entry;
+ while ((entry = readdir(by_path_dir)) != NULL) {
+ if (strstr(entry->d_name, "kbd") != NULL || strstr(entry->d_name, "keyboard") != NULL) {
+ char device_file_path[256];
+ snprintf(device_file_path, sizeof(device_file_path), "%s/%s", BY_PATH_DIR, entry->d_name);
+
+ char link_dest[256];
+ ssize_t link_size = readlink(device_file_path, link_dest, sizeof(link_dest) - 1);
+ if (link_size == -1) {
+ perror("readlink");
+ continue;
+ }
+
+ link_dest[link_size] = '\0';
+ printf("Keyboard device file: %s\n", link_dest);
+
+ char event_file[256];
+ snprintf(event_file, sizeof(event_file), "%s/%s", DEVICE_DIR, link_dest);
+
+ DIR *proc_dir = opendir(PROC_DIR);
+ if (proc_dir == NULL) {
+ perror("opendir");
+ continue;
+ }
+
+ struct dirent *pid_entry;
+ while ((pid_entry = readdir(proc_dir)) != NULL) {
+ if (pid_entry->d_type != DT_DIR)
+ continue;
+
+ // Check if the entry name is a numeric value (PID)
+ char *endptr;
+ long pid = strtol(pid_entry->d_name, &endptr, 10);
+ if (*endptr != '\0')
+ continue;
+
+ char fd_dir_path[256];
+ snprintf(fd_dir_path, sizeof(fd_dir_path), "%s/%s/fd", PROC_DIR, pid_entry->d_name);
+
+ DIR *fd_dir = opendir(fd_dir_path);
+ if (fd_dir == NULL)
+ continue;
+
+ struct dirent *fd_entry;
+ while ((fd_entry = readdir(fd_dir)) != NULL) {
+ if (fd_entry->d_type != DT_LNK)
+ continue;
+
+ char fd_file_path[256];
+ snprintf(fd_file_path, sizeof(fd_file_path), "%s/%s", fd_dir_path, fd_entry->d_name);
+
+ char link_dest[256];
+ ssize_t link_size = readlink(fd_file_path, link_dest, sizeof(link_dest) - 1);
+ if (link_size == -1)
+ continue;
+
+ link_dest[link_size] = '\0';
+
+ if (strcmp(link_dest, event_file) == 0) {
+ printf("Process with PID %ld is using this file.\n", pid);
+ get_program_name(pid);
+ }
+ }
+
+ closedir(fd_dir);
+ }
+
+ closedir(proc_dir);
+ }
+ }
+
+ closedir(by_path_dir);
+}
+
+int main() {
+ printf("Finding keyboard files...\n\n");
+ find_keyboard_files();
+
+ return 0;
+}
+
diff --git a/src/main.c b/src/main.c
deleted file mode 100644
index e69de29..0000000
diff --git a/src/user-space-detector.sh b/src/user-space-detector.sh
new file mode 100755
index 0000000..9d9e492
--- /dev/null
+++ b/src/user-space-detector.sh
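Review bot: The `strcmp(link_dest, event_file) == 0` test in the fd loop will almost never match, because `event_file` is built by prefixing `DEVICE_DIR` to the raw `readlink` result of the by-path entry, which on Linux is normally a relative target such as `../event3`, giving `/dev/input/../event3`, whereas `/proc/<pid>/fd/N` resolves to the canonical `/dev/input/event3`. Canonicalising the device path instead, `if (realpath(device_file_path, event_file) == NULL) { perror("realpath"); continue; }` with `event_file` sized `PATH_MAX` (from `<limits.h>`), makes the comparison reliable. The inner `char link_dest[256]` shadows the outer buffer of the same name, and both `find_keyboard_files()` and `main()` use empty parameter lists; `find_keyboard_files(void)`, `main(void)` and a distinct name such as `fd_target` would tidy this up. The fd-level `readlink` fails silently with EACCES for processes owned by other users unless the program runs as root, which is worth stating in a header comment, since an unprivileged run prints nothing and reads as a clean system.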
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# ===============================
+# Step1: Find keyboard file paths
+# ===============================
+
+# Output file path
+kbd_output_file="kbd_file_paths.txt"
+
+# Function to follow symbolic links recursively
+follow_symlinks() {
+ local filepath=$1
+
+ if [[ -L $filepath ]]; then
+ local resolved_path=$(readlink -f "$filepath")
+ echo "$resolved_path" >> "$kbd_output_file"
+ follow_symlinks "$resolved_path"
+ fi
+}
+
+# Traverse files in /dev/input/by-path
+echo -n > "$kbd_output_file"
+find /dev/input/by-path -type l -name '*kbd*' -print0 | while IFS= read -r -d '' filepath; do
+ #echo "$filepath" >> "$kbd_output_file"
+ follow_symlinks "$filepath"
+done
+
+echo "Keyboard file paths written to $kbd_output_file"
+
+# ===============================
+# Step2: Find pids using keyboard event files
+# ===============================
+
+# Use found kbd file paths to find corresponding pids
+pids_input_file="$kbd_output_file"
+pids_output_file="pids.txt"
+
+echo -n > "$pids_output_file"
+
+declare -a pids_array
+
+# Get pids of processes using the keyboard and put in array
+while IFS= read -r pathname; do
+ pids=$(fuser "$pathname")
+ # add pids to array
+ for pid in $pids; do
+ pids_array+=("$pid")
+ done
+done < "$pids_input_file"
+
+# sort and remove duplicates
+sorted_pids=$(printf '%s\n' "${pids_array[@]}" | sort -nu)
+
+# write unique and sorted pids to file, separated by newlines
+printf '%s\n' "${sorted_pids[@]}" > "$pids_output_file"
+
+echo "Pids written to $pids_output_file"
+
+# ===============================
+# Step3: Find processes/program names using pids
+# ===============================
+exe_input_file="$pids_output_file"
+exe_output_file="suspicous_exes.txt"
+
+# Clear output file
+echo -n > "$exe_output_file"
+
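Review bot: `fuser "$pathname"` in the Step 2 loop can only report descriptors of processes the caller is allowed to inspect, so when the script runs without root it silently writes an empty `pids.txt` and the result looks like a clean machine; a guard right after the shebang, `if [[ $EUID -ne 0 ]]; then echo "run as root" >&2; exit 1; fi`, makes that failure mode explicit. In `follow_symlinks`, `readlink -f` already returns the fully resolved path, so the recursive call can never see another symlink and the body reduces to `readlink -f "$filepath" >> "$kbd_output_file"`; `local resolved_path=$(…)` also hides readlink's exit status (ShellCheck SC2155). `sorted_pids` is assigned a plain string, so `"${sorted_pids[@]}"` on the printf line only works because bash treats a scalar as a one-element array; `printf '%s\n' "$sorted_pids"` says what is meant. Step 3 truncates `suspicous_exes.txt` (note the spelling) and then ends, so in this commit that file is never populated.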