@shishirjindal
Last active July 9, 2017 17:12
Technical know-how of a keylogger

Keylogger

WTF is this?

A keylogger is a program which is used to record every keystroke you make into a log file. It can be used to collect your personal information like your usernames, passwords, bank account information and other private data.

There are a few unethical uses too, like companies using it to check whether their employees are doing their job or just surfing unproductive websites.

It is advised to use this only for educational purposes.

Technical Details

For every input device there is a device file associated with it; after all, everything is a file in Linux. These device files live in the /dev/input/ directory. Whenever a keyboard event happens, the keyboard raises an interrupt and the kernel delivers the resulting event to anyone reading the corresponding device file.

The keys typed are not delivered as plain characters; every event arrives as a well-defined structure, input_event, which is defined in /usr/include/linux/input.h:

struct input_event {
  struct timeval time;
  __u16 type;
  __u16 code;
  __s32 value;
};
  • time is the time at which the event occurred.

  • type is the event type, e.g. EV_REL for relative movement or EV_KEY for a key press or release. The types are listed in /usr/include/linux/input-event-codes.h

  • code is a number that identifies the key for that event, for example 16 for the 'Q' key and 54 for the right Shift key. The complete list is in /usr/include/linux/input-event-codes.h

  • value is the value carried by the event. For example, an EV_KEY event has value 0 for a release and 1 for a press (and 2 for autorepeat).

How to make one?

  • First you need to find your keyboard device file. You can find it by typing
$ echo '/dev/input/'$(grep -E 'Handlers|EV=' /proc/bus/input/devices |  grep -B1 'EV=120013' |  grep -Eo 'event[0-9]+')
  • Declare a variable of type struct input_event and read from the device file into it (fp is the descriptor returned by open() on the device file):
read(fp, &event, sizeof(struct input_event)) > 0
  • Compare the event type with EV_KEY, which is used for key press and key release.

  • If the event value is keypress then write the char corresponding to event code in the log file.

  • You can improve this by taking the Shift and Caps Lock keys into account:

/* KEY_LEFTSHIFT and KEY_RIGHTSHIFT come from <linux/input-event-codes.h> */
static int isShiftPressed(int eventcode){
  /* Returns 1 if this event's code is one of the Shift keys; the caller must
     look at event.value to tell a press (1) from a release (0). */
  if((eventcode == KEY_LEFTSHIFT) || (eventcode == KEY_RIGHTSHIFT)){
    return 1;
  }
  return 0;
}
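The same device-file mechanism gives defenders a check: any process capturing keys this way must hold a /dev/input/event* descriptor open, and on most distributions those nodes are created as root:input mode 0660, so a world-readable node is itself a finding. The audit script below is an added example, not part of the gist; it takes the /proc and /dev/input paths as parameters so it can also be run against a constructed tree.

```python
import os
import re
import stat

INPUT_EVENT_DEV = re.compile(r"^/dev/input/event\d+$")  # files the gist reads from

def input_device_readers(proc_root="/proc"):
    # Map pid -> sorted /dev/input/event* files that process holds open, by walking
    # the /proc/<pid>/fd symlinks. Run as root for a complete view of all processes.
    readers = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or we may not read its fd table
            continue
        devs = set()
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if INPUT_EVENT_DEV.match(target):
                devs.add(target)
        if devs:
            readers[int(entry)] = sorted(devs)
    return readers

def world_readable_input_devices(dev_dir="/dev/input"):
    # Device nodes under dev_dir that any local user could read. Distributions
    # normally create them root:input 0660; anything looser lets unprivileged code read keys.
    weak = []
    for name in os.listdir(dev_dir):
        path = os.path.join(dev_dir, name)
        try:
            mode = os.stat(path).st_mode
        except OSError:
            continue
        if mode & stat.S_IROTH:
            weak.append(path)
    return sorted(weak)

if __name__ == "__main__":
    for pid, devs in sorted(input_device_readers().items()):
        print(f"pid {pid} holds open: {', '.join(devs)}")
    for path in world_readable_input_devices():
        print(f"world-readable input device: {path}")
```

A process that is not your display server, evtest, or a known input daemon yet holds an event node open deserves a closer look.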

Source Code is located here
