Add files via upload

Contains Stap, python-script and whitelist.txt
Does not fully work. Requires return-value in start_stap function. If that works, it works fully. Then begin with tidy up work.

doc/dev_journal.md

@@ -177,4 +177,6 @@ All in all, the main functionality works as intended. Basically now would be the
 ## Wednesday, 7, June 2023
 ### Michel
 
+
 I have written 1 systemtap scripts, that can detect, whenever a module registers at the Keyboard-notifier. The Script can currently detect whenever a module registers. My script cant detect which kernel module registered. Here comes Sebastians idea of writing a python script, that can unload all un-known modules and loads them back in, whilst the stap-script is running. Whenever a module is loaded in, and it triggers the stap-script, we know it is tracking key-strokes. Those modules will be shown to the user and the user then has to decide whether to unload and remove them, or keep them. My script is based on a redhat-script. The redhat-script is called funcall_tracer2.stp . The idea behind both scripts is the same. My script is simplyfied for the use with python. 
+

src/funcall_trace1.stp

@@ -0,0 +1,8 @@
+
+probe kernel.function("register_keyboard_notifier").call
+	{
+		printf("%s (%d)\n", execname(),tid())
+	}
+probe end{
+	printf("end\n")
+}

src/funcall_trace2.stp

@@ -0,0 +1,58 @@
+#! /usr/bin/env stap
+#
+# Copyright (C) 2010-2015 Red Hat, Inc.
+# Written by William Cohen <wcohen@redhat.com>
+#
+# The linetimes.stp script takes two arguments: where to find the function
+# and the function name. linetimes.stp will instrument each line in the
+# function. It will print out the number of times that the function is
+# called, a table with the average and maximum time each line takes,
+# and control flow information when the script exits.
+#
+# For example all the lines of the do_unlinkat function:
+#
+# stap linetimes.stp kernel do_unlinkat
+
+global calls, times, last_pp, region, cfg
+
+probe $1.function(@2).call { calls <<< 1 }
+probe $1.function(@2).return {
+  t = gettimeofday_us()
+  s = times[tid()]
+  if (s) {
+    e = t - s
+    region[last_pp[tid()]] <<< e
+    cfg[last_pp[tid()], pp()] <<< 1
+  }
+  delete times[tid()]
+  delete last_pp[tid()]
+}
+
+probe $1.statement(@2 "@*:*") {
+  t = gettimeofday_us()
+  s = times[tid()]
+  if (s) {
+    e = t - s
+    region[last_pp[tid()]] <<< e
+    cfg[last_pp[tid()], pp()] <<< 1
+  }
+  times[tid()] = t
+  last_pp[tid()] = pp()
+}
+
+probe end {
+  printf("\n%s %s call count: %d\n", @1, @2, @count(calls));
+  printf("\n%-58s %10s %10s\n", "region", "avg(us)", "max(us)");
+  foreach (p+ in region) {
+    printf("%-58s %10d %10d\n", p, @avg(region[p]), @max(region[p]));
+  }
+
+  printf("\n\ncontrol flow graph information\n")
+  printf("from\n\tto\n=======================\n")
+  foreach ([src+] in region) {
+     printf("%-s\n", src)
+     foreach ([s,dest+] in cfg[src,*]) { # slice for all dest's
+        printf("\t%-s %d\n", dest, @count(cfg[src,dest]));
+     }
+  }
+}

src/keylogger_detector.py

@@ -3,6 +3,7 @@
 import sys
 from config import CONFIG_FILE, load_config, save_config
 from utils import (
+    check_platform,
     check_root,
     check_packages,
     get_keyboard_device_files,
@@ -113,8 +114,9 @@ def detect_keyloggers():
     # 1. Setup and initialization
     ############################   
     debug(True, str(sys.argv)) # Set manually to debug if args are being read
+    check_platform()
+
     global auto_kill_option, verbose_option, safe_option
-    global CONFIG_FILE
     set_input_options()
     if verbose_option:
         print('[Verbose] Input options set')

src/keylogger_detector_kernel/funcall_trace.stp

@@ -0,0 +1,6 @@
+
+probe kernel.function("register_keyboard_notifier").call
+	{
+		printf("triggered\n")
+	}
+

src/keylogger_detector_kernel/kernel_detector.py

@@ -0,0 +1,150 @@
+import subprocess
+import time
+import multiprocessing
+import os
+
+global Smell
+
+#==============================================================================================================
+#
+#Functions
+#
+#==============================================================================================================
+def list_modules(command):
+	result = subprocess.run(command, shell = True, capture_output=True, text=True)
+	
+	if result.returncode == 0:
+		return result.stdout.strip().split('\n')
+	else:
+		print(f"Failed with error:{result.stderr}")
+		return[]
+
+def get_whitelist(file_path):
+	try:
+		with open(file_path, 'r') as file:
+			lines = file.read().splitlines()
+			return lines
+	except IOError:
+		print(f'Error: Failed to load whitelist{file_path}')
+		
+def compare_mods(A, B):
+	setA = set(A)
+	setB = set(B)
+	
+	result = setB - setA
+	
+	return list(result)
+	
+def tidy_up(entries):
+	cleaned_entries = []
+	for entry in entries:
+		modules = entry.split()
+		if modules:
+			first_mod = modules[0]
+			cleaned_entries.append(first_mod)
+	return cleaned_entries
+			
+def unload_mod(modules):
+	tmp = []
+	for module in modules:
+		result = subprocess.run(['sudo','rmmod', module],capture_output = True, text = True)
+		if result.returncode == 0:
+			print(f"Unloaded module: {module}")
+		else:
+			print(f"Failed to unloaded module: {module}")
+			tmp.append(module)
+			print(result.stderr)
+	result_out = compare_mods(tmp, modules)
+	print(result_out)
+	return result_out
+			
+
+#TODO Get Return-value from start_stap()			
+def start_stap():
+	print("Starting Sniffer")
+	output = subprocess.Popen(['stap','funcall_trace.stp'],universal_newlines=True)
+	if output.stdout != "":
+		output.terminate()
+		print("fishy")
+		Smell = "fishy"
+	else:
+		output.terminate()
+		print("nothing fishy")
+		Smell = "not fishy"
+	print(Smell + " smell")
+
+
+
+	
+	
+	
+	
+def load_mod(module):
+	result = subprocess.run(['sudo','insmod', module],capture_output = True, text = True)
+	if result.returncode == 0:
+		print(f"Loaded module: {module}")
+		time.sleep(5)
+	else:
+		print(f"Failed to Loaded module: {module}")
+		print(result.stderr)
+	
+	
+def find_file(filename):
+    result = []
+    for root, dirs, files in os.walk("/"):
+        if filename in files:
+            file_path = os.path.join(root, filename)
+            result.append(file_path)
+    result_out = result[0]
+    result_out = ''.join(result_out)
+    return result_out
+	
+def getpath(sus_modules):
+	for i in range(len(sus_modules)):
+		sus_modules[i] = find_file(sus_modules[i] + ".ko")
+	return sus_modules
+	
+def detect_logger(module):
+	p1 = multiprocessing.Process(target=start_stap)
+	p1.start()
+	p2 = multiprocessing.Process(target=load_mod(module))
+	p2.start()
+
+	p1.join()
+	p2.join()
+
+
+
+
+#==============================================================================================================
+#
+#Work
+#
+#==============================================================================================================
+
+whitelist = get_whitelist("whitelist.txt")
+
+lsmod_output = list_modules("lsmod");
+
+sus_modules = compare_mods(whitelist, lsmod_output)
+
+sus_modules = tidy_up(sus_modules)
+print(sus_modules)
+
+sus_modules = unload_mod(sus_modules)
+time.sleep(1)
+print("waited")
+
+sus_modules = getpath(sus_modules)
+print(sus_modules)
+if len(sus_modules) == 0:
+	exit()
+suspects = []
+for module in range(len(sus_modules)):
+	suspects.append(detect_logger(sus_modules[module]))
+	
+print(suspects)
+
+
+
+

src/keylogger_detector_kernel/whitelist.txt

@@ -0,0 +1,68 @@
+Module                  Size  Used by
+tls                   147456  0
+uinput                 20480  0
+isofs                  65536  1
+snd_seq_dummy          16384  0
+snd_hrtimer            16384  1
+vboxvideo              36864  0
+drm_vram_helper        24576  1 vboxvideo
+nf_conntrack_netbios_ns    16384  1
+nf_conntrack_broadcast    16384  1 nf_conntrack_netbios_ns
+nft_fib_inet           16384  1
+nft_fib_ipv4           16384  1 nft_fib_inet
+nft_fib_ipv6           16384  1 nft_fib_inet
+nft_fib                16384  3 nft_fib_ipv6,nft_fib_ipv4,nft_fib_inet
+nft_reject_inet        16384  6
+nf_reject_ipv4         16384  1 nft_reject_inet
+nf_reject_ipv6         24576  1 nft_reject_inet
+nft_reject             16384  1 nft_reject_inet
+nft_ct                 24576  16
+nft_chain_nat          16384  3
+nf_nat                 65536  1 nft_chain_nat
+nf_conntrack          192512  4 nf_nat,nft_ct,nf_conntrack_netbios_ns,nf_conntrack_broadcast
+nf_defrag_ipv6         24576  1 nf_conntrack
+nf_defrag_ipv4         16384  1 nf_conntrack
+ip_set                 65536  0
+rfkill                 40960  3
+nf_tables             352256  237 nft_ct,nft_reject_inet,nft_fib_ipv6,nft_fib_ipv4,nft_chain_nat,nft_reject,nft_fib,nft_fib_inet
+nfnetlink              20480  3 nf_tables,ip_set
+qrtr                   57344  4
+snd_intel8x0           57344  2
+snd_ac97_codec        200704  1 snd_intel8x0
+ac97_bus               16384  1 snd_ac97_codec
+snd_seq               106496  7 snd_seq_dummy
+intel_rapl_msr         20480  0
+snd_seq_device         16384  1 snd_seq
+intel_rapl_common      36864  1 intel_rapl_msr
+snd_pcm               184320  2 snd_intel8x0,snd_ac97_codec
+snd_timer              53248  3 snd_seq,snd_hrtimer,snd_pcm
+sunrpc                815104  1
+rapl                   24576  0
+binfmt_misc            28672  1
+snd                   143360  12 snd_seq,snd_seq_device,snd_intel8x0,snd_timer,snd_ac97_codec,snd_pcm
+joydev                 28672  0
+pcspkr                 16384  0
+soundcore              16384  1 snd
+i2c_piix4              36864  0
+vboxguest              53248  6
+loop                   40960  0
+zram                   32768  2
+crct10dif_pclmul       16384  1
+crc32_pclmul           16384  0
+crc32c_intel           24576  3
+polyval_generic        16384  0
+video                  73728  0
+ghash_clmulni_intel    16384  0
+vmwgfx                458752  2
+drm_ttm_helper         16384  3 vmwgfx,drm_vram_helper,vboxvideo
+wmi                    45056  1 video
+sha512_ssse3           49152  0
+e1000                 188416  0
+serio_raw              20480  0
+ttm                   102400  3 vmwgfx,drm_vram_helper,drm_ttm_helper
+ata_generic            16384  0
+pata_acpi              16384  0
+ip6_tables             40960  0
+ip_tables              40960  0
+fuse                  212992  5
+

src/utils.py

@@ -3,6 +3,20 @@ import subprocess # for executing shell commands
 import signal # for sending signals to processes
 import sys # for exit
 
+
+
+
+def check_platform():
+    """
+    Check if platform is Linux.
+
+    Raises:
+        SystemExit: If the platform isn not LInux.
+    """
+    if sys.platform != 'linux':
+        print("[-] This script only works on Linux.")
+
+
 def check_root():
     """
     Check if script is run as root(sudo).