BackupGGCode / logkeys

a GNU/Linux keylogger that works!

Improved code snippet for reading the /proc/bus/input/devices #89

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Hi
I was reading the keylogger.cc code and came upon the "grep" based commands 
that extract the event id for the keyboard. Here is a snippet that I wrote 
(albeit in C) that works and extracts the event name "event1" or "event2" etc. 
correctly. Please test and if you like it you can use it instead of doing a 
fork-exec with greps, which is very much shell programming.

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Scan /proc/bus/input/devices and return the "eventN" handler name of the
 * first device whose EV bitmask is 120013 (the mask of a keyboard).
 * The caller frees the returned string. Returns NULL on error or no match. */
char *extract_keyboard_eventname(void)
{
    FILE *fp = NULL;
    char buffer[1024];
    char *eventname = NULL;
    int found = 0;
    fp = fopen("/proc/bus/input/devices", "r");
    if (!fp) {
        int err = errno;
        fprintf(stderr, "Unable to open file. %s\n", strerror(err));
        return NULL;
    }
    memset(buffer, 0, sizeof(buffer));
    while (fgets(buffer, sizeof(buffer), fp)) {
        char *ptr = NULL;
        if ((ptr = strstr(buffer, "Handlers="))) {
            /* The H: line precedes the B: EV= line of the same device, so
             * remember its event name until the EV line says what it is. */
            ptr += strlen("Handlers=");
            ptr = strstr(ptr, "event");
            if (ptr) {
                /* Terminate at the next separator; "eventN" may also be the
                 * last token on the line, followed only by the newline. */
                ptr[strcspn(ptr, " \n")] = '\0';
                free(eventname);        /* drop the previous device's name */
                eventname = strdup(ptr);
                if (!eventname) {
                    fprintf(stderr, "Out of memory.\n");
                    break;
                }
            }
        }
        if (strstr(buffer, "EV=120013") && eventname) {
            fprintf(stderr, "Keyboard event is /dev/input/%s\n", eventname);
            found = 1;
            break;
        }
    }
    fclose(fp);
    if (!found) {
        /* Do not hand back the name of the last non-keyboard device. */
        free(eventname);
        eventname = NULL;
    }
    return eventname;
}

Original issue reported on code.google.com by walb...@gmail.com on 13 Jun 2012 at 2:53

GoogleCodeExporter commented 9 years ago
Even though this is limited to searching for the string "event" you can enhance 
it to search for "kbd" or "mice" or "mouse" as well by adding more if 
statements.

Original comment by walb...@gmail.com on 13 Jun 2012 at 2:55
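Added example, not code from this thread or from logkeys, that generalises the snippet above in the way this comment suggests: it parses the blank-line separated records of /proc/bus/input/devices from an in-memory buffer (a constructed sample stands in for the real file) and selects a device by handler token prefix ("kbd", "mouse", ...) plus an optional EV mask, instead of taking the first "event" string seen. The names find_event_node and SAMPLE_DEVICES are my own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in the format of /proc/bus/input/devices (not from a
 * real host): blank-line separated records, H: line before the B: EV= line. */
static const char SAMPLE_DEVICES[] =
    "N: Name=\"Power Button\"\n"
    "H: Handlers=kbd event0\n"
    "B: EV=3\n"
    "\n"
    "N: Name=\"AT Translated Set 2 keyboard\"\n"
    "H: Handlers=sysrq kbd event1 leds\n"
    "B: EV=120013\n"
    "\n"
    "N: Name=\"Logitech USB Optical Mouse\"\n"
    "H: Handlers=mouse0 event2\n"
    "B: EV=17\n";

/* Return the "eventN" node of the first record whose Handlers line has a token
 * starting with `handler` ("kbd", "mouse", ...) and whose EV mask equals `ev`
 * (NULL = any). Returns NULL if nothing matches; result is in a static buffer. */
const char *find_event_node(const char *text, const char *handler, const char *ev)
{
    static char node[32];
    char line[256], pending[32] = "";
    int handler_ok = 0;

    while (*text) {
        size_t len = strcspn(text, "\n");          /* copy one line, no newline */
        size_t n = len < sizeof line ? len : sizeof line - 1;
        memcpy(line, text, n); line[n] = '\0';
        text += len + (text[len] == '\n');
        if (line[0] == '\0') { pending[0] = '\0'; handler_ok = 0; } /* next record */
        else if (strncmp(line, "H: Handlers=", 12) == 0) {
            for (char *tok = strtok(line + 12, " "); tok; tok = strtok(NULL, " ")) {
                if (strncmp(tok, "event", 5) == 0)
                    snprintf(pending, sizeof pending, "%s", tok);
                if (strncmp(tok, handler, strlen(handler)) == 0)
                    handler_ok = 1;
            }
        } else if (strncmp(line, "B: EV=", 6) == 0 && handler_ok && pending[0]) {
            if (ev == NULL || strcmp(line + 6, ev) == 0) {
                snprintf(node, sizeof node, "%s", pending);
                return node;
            }
        }
    }
    return NULL;
}
```

To run it against the live file, read /proc/bus/input/devices into a buffer and pass that instead of SAMPLE_DEVICES.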

GoogleCodeExporter commented 9 years ago
yes, a great idea! I've been thinking about it too.

but your presenting it now reminds me of this unix koan:
http://catb.org/~esr/writings/unix-koans/ten-thousand.html

so we'll keep the issue open for now.

Original comment by kernc...@gmail.com on 13 Jun 2012 at 3:14

GoogleCodeExporter commented 9 years ago
Well, that is your choice. You asked for a better way in the code and what I 
felt was better I suggested. Fork-exec'ing can be a security hole since you do 
not know whether the shell you are forking into is compromised or not.

Original comment by walb...@gmail.com on 13 Jun 2012 at 3:37

GoogleCodeExporter commented 9 years ago
ok, thanks. but if the shell is compromised, what other security holes are left 
open?

Original comment by kernc...@gmail.com on 13 Jun 2012 at 3:46

GoogleCodeExporter commented 9 years ago
the question is real: if you know of such a vector where the default user shell is 
compromised and the rest of the system (as if any:D) isn't, please do point me 
to it.

Original comment by kernc...@gmail.com on 13 Jun 2012 at 5:02