BackupGGCode / logkeys

a GNU/Linux keylogger that works!

Wiki Enhancement - How to force correct eventX - needs root #92

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Hi!

I have a USB keyboard, so my keyboard gets a different input event device every time.

I found out how to set it up in a very nice way!

First I discovered the device this way:

As root, for each existing device eventX in /dev/input/, where X is a number 
between 0 and 31 inclusively, write:

 $ cat /dev/input/eventX

then type some arbitrary characters. If you see any output, that is the device 
to be used. If you don't see any output, press Ctrl+C and continue with the 
next device.

Then I found out that on this boot it was assigned to event4!

Then I did:
udevadm info --attribute-walk -n /dev/input/event4 | less

And got this:

-- Start of output
Udevadm info starts with the device specified by the devpath and then
walks up the chain of parent devices. It prints for every device
found, all possible attributes in the udev rules key format.
A rule to match, can be composed by the attributes of the device
and the attributes from one single parent device.

  looking at device '/devices/pci0000:00/0000:00:12.0/usb4/4-5/4-5:1.0/input/input4/event4':
    KERNEL=="event4"
    SUBSYSTEM=="input"
    DRIVER==""

  looking at parent device '/devices/pci0000:00/0000:00:12.0/usb4/4-5/4-5:1.0/input/input4':
    KERNELS=="input4"
    SUBSYSTEMS=="input"
    DRIVERS==""
    ATTRS{name}=="Microsoft Wired Keyboard 600"
    ATTRS{phys}=="usb-0000:00:12.0-5/input0"
    ATTRS{uniq}==""
    ATTRS{modalias}=="input:b0003v045Ep0750e0111-e0,1,4,11,14,k71,72,73,74,75,77,79,7A,7B,7C,7D,7E,7F,80,81,82,83,84,85,86,87,88,89,8A,8C,8E,96,98,9E,9F,A1,A3,A4,A5,A6,AD,B0,B1,B2,B3,B4,B7,B8,B9,BA,BB,BC,BD,BE,BF,C0,C1,C2,F0,ram4,l0,1,2,sfw"

  looking at parent device '/devices/pci0000:00/0000:00:12.0/usb4/4-5/4-5:1.0':
    KERNELS=="4-5:1.0"
    SUBSYSTEMS=="usb"
    DRIVERS=="usbhid"
    ATTRS{bInterfaceNumber}=="00"
    ATTRS{bAlternateSetting}==" 0"
    ATTRS{bNumEndpoints}=="01"
    ATTRS{bInterfaceClass}=="03"
    ATTRS{bInterfaceSubClass}=="01"
    ATTRS{bInterfaceProtocol}=="01"
    ATTRS{modalias}=="usb:v045Ep0750d0110dc00dsc00dp00ic03isc01ip01"
    ATTRS{supports_autosuspend}=="1"
-- End of output (The output is very long, so I truncated the first lines, 
because we already got all we need.)

So I created a file /etc/udev/rules.d/10-local.rules:
KERNEL=="event?", ATTRS{modalias}=="usb:v045Ep0750d0110dc00dsc00dp00ic03isc01ip01", SYMLINK+="input/mskbd1"

This means:
When udev creates the device eventX, if one of its parents has the specified 
ATTRS{modalias}, then it creates a symlink input/mskbd1.

After this I created a dir /var/log/logkeys and a file /etc/rc.d/rc.logkeys:
#!/bin/sh
while [ 1 ];
 do
  PROGRAM1="/usr/local/bin/logkeys"
  APPCHK=$(ps aux | grep -c $PROGRAM1)
  if [ $APPCHK = '1' ] ; then
   #echo logkeys is not running, lets start it
   if [ -c /dev/input/mskbd1 ] ; then
    #echo the correct device exists, lets start logkeys
    DTSTAMP=$(date "+%Y%m%d")
    HMSTAMP=$(date "+%H%M")
    /usr/local/bin/logkeys -s -m /usr/local/logkeys/pt_BR.map -o /var/log/logkeys/logkeys_${DTSTAMP}_${HMSTAMP}.log -d /dev/input/mskbd1
   fi
  fi
 done

Remember to chmod +x /etc/rc.d/rc.logkeys

This is a spawner that keeps logkeys running after a kill. The log file has a 
timestamp in its filename, and it will use the device /dev/input/mskbd1 created 
in the udev rules above.

Thank you!
Weber Kai
Greetings from Brazil!

Original issue reported on code.google.com by weber...@gmail.com on 7 Jul 2012 at 12:50
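
An added example, not part of the original post or the logkeys project: a Python audit that scans udev rule text for rules giving an input event node an extra symlink, and decodes the USB modalias to tell whether the matched interface is a HID boot keyboard. The sample rules are constructed (the first is the rule from the post), and the function names are illustrative.

```python
import re

# USB interface modalias: usb:v<vid>p<pid>d<bcd>dc..dsc..dp..ic<class>isc<sub>ip<proto>
USB_MODALIAS = re.compile(
    r"usb:v(?P<vid>[0-9A-F]{4})p(?P<pid>[0-9A-F]{4})d[0-9A-F]{4}dc..dsc..dp.."
    r"ic(?P<cls>[0-9A-F]{2})isc(?P<sub>[0-9A-F]{2})ip(?P<proto>[0-9A-F]{2})")
# One udev key: NAME or NAME{attr}, an operator, a quoted value.
KEY = re.compile(r'([A-Z]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')

SAMPLE_RULES = r'''# constructed sample: rule from the post, a continued rule, an unrelated rule
KERNEL=="event?", ATTRS{modalias}=="usb:v045Ep0750d0110dc00dsc00dp00ic03isc01ip01", SYMLINK+="input/mskbd1"
KERNEL=="event*", SUBSYSTEM=="input", \
  ATTRS{name}=="Example Pad", SYMLINK+="input/pad0"
SUBSYSTEM=="block", KERNEL=="sd?", SYMLINK+="disk0"
'''


def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    lines = re.sub(r"\\\n", "", text).splitlines()
    return [l.strip() for l in lines if l.strip() and not l.strip().startswith("#")]


def is_usb_keyboard(modalias):
    """HID class 03, boot subclass 01, protocol 01 is a USB keyboard interface."""
    m = USB_MODALIAS.match(modalias)
    return bool(m) and (m["cls"], m["sub"], m["proto"]) == ("03", "01", "01")


def audit(rules_text):
    """Report rules that give a /dev/input/event* node an extra symlink."""
    findings = []
    for line in logical_lines(rules_text):
        keys = KEY.findall(line)
        kernel = [v for k, op, v in keys if k == "KERNEL" and op == "=="]
        links = [v for k, op, v in keys if k == "SYMLINK" and op in ("+=", "=", ":=")]
        if not links or not any(v.startswith("event") for v in kernel):
            continue
        alias = next((v for k, op, v in keys if k == "ATTRS{modalias}"), "")
        m = USB_MODALIAS.match(alias)
        findings.append({"symlinks": ["/dev/" + s for s in links],
                         "usb_id": f"{m['vid']}:{m['pid']}".lower() if m else None,
                         "keyboard": is_usb_keyboard(alias)})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

On a real host the same function can be fed the contents of each file under /etc/udev/rules.d; a finding with "keyboard": True marks a stable alias to a keyboard event node that is worth tracing to whatever reads it.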