seb/keylogger-detector
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: seb:kernelland
Branches Tags
seb:main seb:sebaschi-patch-2 seb:sebaschi-patch-1 seb:SoulKindred-patch-1 seb:kernelland seb:stap-scripts seb:SoulKindred-patch-2 seb:userland
..
compare: seb:SoulKindred-patch-1
Branches Tags
seb:main seb:sebaschi-patch-2 seb:sebaschi-patch-1 seb:SoulKindred-patch-1 seb:kernelland seb:stap-scripts seb:SoulKindred-patch-2 seb:userland

2 Commits
kernelland ... SoulKindre

Author SHA1 Message Date
SoulKindred
02f6d6eba0 Kernel Detector 
Uploading kernel detection package
 2023-06-11 15:22:05 +02:00
Sebastian Lenzlinger
1988f0c021 Delete LICENSE 
Unsure About the LICENCE we need and if we get to use all the software we have.
 2023-06-10 13:21:19 +02:00
4 changed files with 99 additions and 86 deletions
Expand all files Collapse all files

21
LICENSE
View File

@@ -1,21 +0,0 @@
MIT License
Copyright (c) 2023 Sebastian Lenzlinger
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

3
src/keylogger_detector_kernel/funcall_trace.stp → src/funcall_trace.stp
View File

@@ -1,6 +1,7 @@
probe kernel.function("register_keyboard_notifier").call probe kernel.function("register_keyboard_notifier").call
{ {
printf("triggered\n") print("[-]")
exit()
} }

129
src/keylogger_detector_kernel/kernel_detector.py → src/kernel_detector.py
View File

@@ -1,9 +1,14 @@
import subprocess import subprocess
import time import time
import multiprocessing import multiprocessing
import os
global Smell import threading
import os
import sys
from io import TextIOWrapper, BytesIO
pipe1, pipe2 = multiprocessing.Pipe()
#============================================================================================================== #==============================================================================================================
# #
@@ -59,34 +64,24 @@ def unload_mod(modules):
return result_out return result_out
#TODO Get Return-value from start_stap()
def start_stap():
print("Starting Sniffer")
output = subprocess.Popen(['stap','funcall_trace.stp'],universal_newlines=True)
if output.stdout != "":
output.terminate()
print("fishy")
Smell = "fishy"
else:
output.terminate()
print("nothing fishy")
Smell = "not fishy"
print(Smell + " smell")
def stap_start():
print("starting sniffing")
process = subprocess.Popen(['stap','funcall_trace.stp', '-T', '15'], flush = True)
process.wait()
print("ended sniffing")
def load_mod(module): def load_mod(module):
result = subprocess.run(['sudo','insmod', module],capture_output = True, text = True) print(module)
if result.returncode == 0: for i in range(2):
print(f"Loaded module: {module}") subprocess.Popen(['sudo','insmod', module])
time.sleep(5) time.sleep(1)
else: subprocess.Popen(['sudo','rmmod', module])
print(f"Failed to Loaded module: {module}") time.sleep(1)
print(result.stderr) subprocess.Popen(['sudo', 'insmod', module])
def find_file(filename): def find_file(filename):
@@ -95,7 +90,7 @@ def find_file(filename):
if filename in files: if filename in files:
file_path = os.path.join(root, filename) file_path = os.path.join(root, filename)
result.append(file_path) result.append(file_path)
result_out = result[0] result_out = result
result_out = ''.join(result_out) result_out = ''.join(result_out)
return result_out return result_out
@@ -105,15 +100,34 @@ def getpath(sus_modules):
return sus_modules return sus_modules
def detect_logger(module): def detect_logger(module):
p1 = multiprocessing.Process(target=start_stap)
p1.start()
p2 = multiprocessing.Process(target=load_mod(module))
p2.start()
p1.join()
p2.join()
print("starting sniffing")
process = subprocess.Popen(['stap','funcall_trace.stp', '-T', '10'], stdout=subprocess.PIPE, text=True)
for i in range(2):
subprocess.Popen(['sudo','insmod', module])
time.sleep(1)
print("-")
subprocess.Popen(['sudo','rmmod', module])
time.sleep(1)
subprocess.Popen(['sudo','insmod', module])
print("-")
out = process.communicate()[0]
print("ended sniffing")
print(out)
if out == "[-]":
return module
print("FAILED")
return 0
#============================================================================================================== #==============================================================================================================
@@ -122,28 +136,47 @@ def detect_logger(module):
# #
#============================================================================================================== #==============================================================================================================
whitelist = get_whitelist("whitelist.txt") def run_kernel_detection:
whitelist = get_whitelist("whitelist.txt")
lsmod_output = list_modules("lsmod"); lsmod_output = list_modules("lsmod");
sus_modules = compare_mods(whitelist, lsmod_output) sus_modules = compare_mods(whitelist, lsmod_output)
sus_modules = tidy_up(sus_modules) sus_modules = tidy_up(sus_modules)
print(sus_modules)
sus_modules = unload_mod(sus_modules) sus_modules = unload_mod(sus_modules)
time.sleep(1) time.sleep(1)
print("waited")
sus_modules = getpath(sus_modules) sus_modules = getpath(sus_modules)
print(sus_modules) print(sus_modules)
if len(sus_modules) == 0: if len(sus_modules) == 0:
exit() print("nothing to do")
suspects = [] print("ALL CLEAN")
for module in range(len(sus_modules)): exit()
suspects.append(detect_logger(sus_modules[module]))
suspects = []
for module in sus_modules:
suspects.append(detect_logger(module))
time.sleep(1)
print("Following modules are logging your keystrokes: ")
for i in range(len(suspects)):
print( f"[{i}] {suspects[i]}")
print("Enter the number of the module you want to remove: ")
user_input = input().split()
for j in user_input:
to_remove = suspects[int(j)]
subprocess.Popen(['sudo','rmmod', to_remove])
print(f"Removed {to_remove}")
print("Finished")
print(suspects)

32
src/keylogger_detector_kernel/whitelist.txt → src/whitelist.txt
View File

@@ -1,5 +1,4 @@
Module Size Used by Module Size Used by
tls 147456 0
uinput 20480 0 uinput 20480 0
isofs 65536 1 isofs 65536 1
snd_seq_dummy 16384 0 snd_seq_dummy 16384 0
@@ -23,26 +22,26 @@ nf_conntrack 192512 4 nf_nat,nft_ct,nf_conntrack_netbios_ns,nf_conntra
nf_defrag_ipv6 24576 1 nf_conntrack nf_defrag_ipv6 24576 1 nf_conntrack
nf_defrag_ipv4 16384 1 nf_conntrack nf_defrag_ipv4 16384 1 nf_conntrack
ip_set 65536 0 ip_set 65536 0
rfkill 40960 3
nf_tables 352256 237 nft_ct,nft_reject_inet,nft_fib_ipv6,nft_fib_ipv4,nft_chain_nat,nft_reject,nft_fib,nft_fib_inet nf_tables 352256 237 nft_ct,nft_reject_inet,nft_fib_ipv6,nft_fib_ipv4,nft_chain_nat,nft_reject,nft_fib,nft_fib_inet
nfnetlink 20480 3 nf_tables,ip_set nfnetlink 20480 3 nf_tables,ip_set
rfkill 40960 3
qrtr 57344 4 qrtr 57344 4
sunrpc 815104 1
snd_intel8x0 57344 2 snd_intel8x0 57344 2
snd_ac97_codec 200704 1 snd_intel8x0 snd_ac97_codec 200704 1 snd_intel8x0
ac97_bus 16384 1 snd_ac97_codec
snd_seq 106496 7 snd_seq_dummy
intel_rapl_msr 20480 0
snd_seq_device 16384 1 snd_seq
intel_rapl_common 36864 1 intel_rapl_msr
snd_pcm 184320 2 snd_intel8x0,snd_ac97_codec
snd_timer 53248 3 snd_seq,snd_hrtimer,snd_pcm
sunrpc 815104 1
rapl 24576 0
binfmt_misc 28672 1 binfmt_misc 28672 1
intel_rapl_msr 20480 0
ac97_bus 16384 1 snd_ac97_codec
intel_rapl_common 36864 1 intel_rapl_msr
snd_seq 106496 7 snd_seq_dummy
snd_seq_device 16384 1 snd_seq
snd_pcm 184320 2 snd_intel8x0,snd_ac97_codec
rapl 24576 0
snd_timer 53248 3 snd_seq,snd_hrtimer,snd_pcm
snd 143360 12 snd_seq,snd_seq_device,snd_intel8x0,snd_timer,snd_ac97_codec,snd_pcm snd 143360 12 snd_seq,snd_seq_device,snd_intel8x0,snd_timer,snd_ac97_codec,snd_pcm
joydev 28672 0 joydev 28672 0
pcspkr 16384 0
soundcore 16384 1 snd soundcore 16384 1 snd
pcspkr 16453 0
i2c_piix4 36864 0 i2c_piix4 36864 0
vboxguest 53248 6 vboxguest 53248 6
loop 40960 0 loop 40960 0
@@ -51,18 +50,19 @@ crct10dif_pclmul 16384 1
crc32_pclmul 16384 0 crc32_pclmul 16384 0
crc32c_intel 24576 3 crc32c_intel 24576 3
polyval_generic 16384 0 polyval_generic 16384 0
video 73728 0
ghash_clmulni_intel 16384 0
vmwgfx 458752 2 vmwgfx 458752 2
ghash_clmulni_intel 16384 0
drm_ttm_helper 16384 3 vmwgfx,drm_vram_helper,vboxvideo drm_ttm_helper 16384 3 vmwgfx,drm_vram_helper,vboxvideo
wmi 45056 1 video
sha512_ssse3 49152 0 sha512_ssse3 49152 0
e1000 188416 0 e1000 188416 0
serio_raw 20480 0
ttm 102400 3 vmwgfx,drm_vram_helper,drm_ttm_helper ttm 102400 3 vmwgfx,drm_vram_helper,drm_ttm_helper
serio_raw 20480 0
video 73728 0
wmi 45056 1 video
ata_generic 16384 0 ata_generic 16384 0
pata_acpi 16384 0 pata_acpi 16384 0
ip6_tables 40960 0 ip6_tables 40960 0
ip_tables 40960 0 ip_tables 40960 0
fuse 212992 5 fuse 212992 5
end