
SoulKindred
1a2849d698 Add files via upload
Contains Stap, python-script and whitelist.txt
Does not fully work yet: the start_stap function needs to return a value. Once that works, it works fully. Then begin with the tidy-up work.
2023-06-08 19:32:47 +02:00
4 changed files with 81 additions and 94 deletions

LICENSE Normal file

@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2023 Sebastian Lenzlinger
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


@@ -1,7 +1,6 @@
probe kernel.function("register_keyboard_notifier").call
{
print("[-]")
exit()
printf("triggered\n")
}
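Review bot: The probe fires on any caller of register_keyboard_notifier and exits on the first hit without saying who called it, so a legitimate module that registers a keyboard notifier while the sniffer is running gets attributed to whichever module the Python side happens to be loading at that moment. Emitting the caller next to the marker, e.g. `printf("[-] %s", caller())`, would let the Python side attribute the hit by name instead of by timing. Which of `print("[-]")`/`exit()` and `printf("triggered\n")` survive on the new side cannot be read from this rendering; if `printf("triggered\n")` is still there after `exit()`, the exact comparison `out == "[-]"` in the Python file will never match once both strings are emitted.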


@@ -1,14 +1,9 @@
import subprocess
import time
import multiprocessing
import threading
import os
import sys
from io import TextIOWrapper, BytesIO
pipe1, pipe2 = multiprocessing.Pipe()
global Smell
#==============================================================================================================
#
@@ -64,24 +59,34 @@ def unload_mod(modules):
return result_out
#TODO Get Return-value from start_stap()
def start_stap():
print("Starting Sniffer")
output = subprocess.Popen(['stap','funcall_trace.stp'],universal_newlines=True)
if output.stdout != "":
output.terminate()
print("fishy")
Smell = "fishy"
else:
output.terminate()
print("nothing fishy")
Smell = "not fishy"
print(Smell + " smell")
def stap_start():
print("starting sniffing")
process = subprocess.Popen(['stap','funcall_trace.stp', '-T', '15'], flush = True)
process.wait()
print("ended sniffing")
def load_mod(module):
print(module)
for i in range(2):
subprocess.Popen(['sudo','insmod', module])
time.sleep(1)
subprocess.Popen(['sudo','rmmod', module])
time.sleep(1)
subprocess.Popen(['sudo', 'insmod', module])
result = subprocess.run(['sudo','insmod', module],capture_output = True, text = True)
if result.returncode == 0:
print(f"Loaded module: {module}")
time.sleep(5)
else:
print(f"Failed to Loaded module: {module}")
print(result.stderr)
def find_file(filename):
@@ -90,7 +95,7 @@ def find_file(filename):
if filename in files:
file_path = os.path.join(root, filename)
result.append(file_path)
result_out = result
result_out = result[0]
result_out = ''.join(result_out)
return result_out
@@ -100,34 +105,15 @@ def getpath(sus_modules):
return sus_modules
def detect_logger(module):
p1 = multiprocessing.Process(target=start_stap)
p1.start()
p2 = multiprocessing.Process(target=load_mod(module))
p2.start()
print("starting sniffing")
process = subprocess.Popen(['stap','funcall_trace.stp', '-T', '10'], stdout=subprocess.PIPE, text=True)
p1.join()
p2.join()
for i in range(2):
subprocess.Popen(['sudo','insmod', module])
time.sleep(1)
print("-")
subprocess.Popen(['sudo','rmmod', module])
time.sleep(1)
subprocess.Popen(['sudo','insmod', module])
print("-")
out = process.communicate()[0]
print("ended sniffing")
print(out)
if out == "[-]":
return module
print("FAILED")
return 0
#==============================================================================================================
@@ -136,47 +122,28 @@ def detect_logger(module):
#
#==============================================================================================================
def run_kernel_detection:
whitelist = get_whitelist("whitelist.txt")
whitelist = get_whitelist("whitelist.txt")
lsmod_output = list_modules("lsmod");
lsmod_output = list_modules("lsmod");
sus_modules = compare_mods(whitelist, lsmod_output)
sus_modules = compare_mods(whitelist, lsmod_output)
sus_modules = tidy_up(sus_modules)
sus_modules = tidy_up(sus_modules)
print(sus_modules)
sus_modules = unload_mod(sus_modules)
time.sleep(1)
sus_modules = unload_mod(sus_modules)
time.sleep(1)
print("waited")
sus_modules = getpath(sus_modules)
print(sus_modules)
if len(sus_modules) == 0:
print("nothing to do")
print("ALL CLEAN")
exit()
suspects = []
for module in sus_modules:
suspects.append(detect_logger(module))
time.sleep(1)
print("Following modules are logging your keystrokes: ")
for i in range(len(suspects)):
print( f"[{i}] {suspects[i]}")
print("Enter the number of the module you want to remove: ")
user_input = input().split()
for j in user_input:
to_remove = suspects[int(j)]
subprocess.Popen(['sudo','rmmod', to_remove])
print(f"Removed {to_remove}")
print("Finished")
sus_modules = getpath(sus_modules)
print(sus_modules)
if len(sus_modules) == 0:
exit()
suspects = []
for module in range(len(sus_modules)):
suspects.append(detect_logger(sus_modules[module]))
print(suspects)
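Review bot: `def run_kernel_detection:` at the top of the last hunk is missing its parameter list, a SyntaxError that stops the whole module from importing, so nothing else in the file can run until it reads `def run_kernel_detection():` (the function body may extend past the hunk). In the `start_stap` hunk, which the commit message names as the new code, `subprocess.Popen(['stap','funcall_trace.stp'],universal_newlines=True)` is created without `stdout=subprocess.PIPE`, so `output.stdout` is `None`, `None != ""` is always true, and every module is reported as "fishy" right after the child is terminated; capturing stdout, calling `output.communicate()` (with the `-T` timeout the other variant passes) and returning the result is what the `#TODO` on that hunk needs, since `Smell = "fishy"` binds a local no matter what the module-level `global Smell` says. In `detect_logger`, `multiprocessing.Process(target=load_mod(module))` runs `load_mod` in the parent and hands its `None` return to `target`; it should be `multiprocessing.Process(target=load_mod, args=(module,))`. The old/new side of the duplicated lines cannot be told apart in this rendering, so the start_stap and detect_logger remarks apply to whichever variant survives.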


@@ -1,4 +1,5 @@
Module Size Used by
tls 147456 0
uinput 20480 0
isofs 65536 1
snd_seq_dummy 16384 0
@@ -22,26 +23,26 @@ nf_conntrack 192512 4 nf_nat,nft_ct,nf_conntrack_netbios_ns,nf_conntra
nf_defrag_ipv6 24576 1 nf_conntrack
nf_defrag_ipv4 16384 1 nf_conntrack
ip_set 65536 0
rfkill 40960 3
nf_tables 352256 237 nft_ct,nft_reject_inet,nft_fib_ipv6,nft_fib_ipv4,nft_chain_nat,nft_reject,nft_fib,nft_fib_inet
nfnetlink 20480 3 nf_tables,ip_set
rfkill 40960 3
qrtr 57344 4
sunrpc 815104 1
snd_intel8x0 57344 2
snd_ac97_codec 200704 1 snd_intel8x0
binfmt_misc 28672 1
intel_rapl_msr 20480 0
ac97_bus 16384 1 snd_ac97_codec
intel_rapl_common 36864 1 intel_rapl_msr
snd_seq 106496 7 snd_seq_dummy
intel_rapl_msr 20480 0
snd_seq_device 16384 1 snd_seq
intel_rapl_common 36864 1 intel_rapl_msr
snd_pcm 184320 2 snd_intel8x0,snd_ac97_codec
rapl 24576 0
snd_timer 53248 3 snd_seq,snd_hrtimer,snd_pcm
sunrpc 815104 1
rapl 24576 0
binfmt_misc 28672 1
snd 143360 12 snd_seq,snd_seq_device,snd_intel8x0,snd_timer,snd_ac97_codec,snd_pcm
joydev 28672 0
pcspkr 16384 0
soundcore 16384 1 snd
pcspkr 16453 0
i2c_piix4 36864 0
vboxguest 53248 6
loop 40960 0
@@ -50,19 +51,18 @@ crct10dif_pclmul 16384 1
crc32_pclmul 16384 0
crc32c_intel 24576 3
polyval_generic 16384 0
vmwgfx 458752 2
video 73728 0
ghash_clmulni_intel 16384 0
vmwgfx 458752 2
drm_ttm_helper 16384 3 vmwgfx,drm_vram_helper,vboxvideo
wmi 45056 1 video
sha512_ssse3 49152 0
e1000 188416 0
ttm 102400 3 vmwgfx,drm_vram_helper,drm_ttm_helper
serio_raw 20480 0
video 73728 0
wmi 45056 1 video
ttm 102400 3 vmwgfx,drm_vram_helper,drm_ttm_helper
ata_generic 16384 0
pata_acpi 16384 0
ip6_tables 40960 0
ip_tables 40960 0
fuse 212992 5