
Re: [security] user mode keylogger?



Ben Hutchings wrote, On 02/22/2015 01:18 AM:
> On Sat, 2015-02-21 at 20:07 +0100, U.Mutlu wrote:
>> Hi,
>> in the following video someone demonstrates a "user mode keylogger":
>> https://www.youtube.com/watch?v=Y1fZAZTwyPQ
>>
>> Is it really possible that a non-admin user can run a program
>> to grab all key strokes on the system?
>
> It can grab all key strokes typed in the same X session.  (Wayland
> servers are likely to be more restrictive.)
>
>> Or is that guy misleadingly demonstrating only a kernel-level keylogger
>> that permits the non-admin user to use it?
>
> I don't think so.
>
>> How best to check if a keylogger is running?
>
> There is no good answer to that.  There are so many places that a
> keylogger could operate - as a standalone application, in the X server,
> a library, a driver, the kernel input core, in hardware, ...
>
> Ben.

I have yet to see a real working user-level keylogger.

I tried the lkl keylogger ( http://sourceforge.net/projects/lkl/ ),
but it works only as root, even if it is advertised as "LKL is a userspace
keylogger that runs under Linux on the x86 arch. LKL sniffs and logs
everything that passes through the hardware keyboard port (0x60)".

But there is this code snippet in its source:
  if(getuid() || getgid()){
    printf("Have to be root to perform a iopl()!\n");
    exit(1);
  }
Disabling that code leads to a "No permission error"
when it tries to call ioperm().

So, do you or anybody else know a working user-level keylogger
that allows capturing/logging the keystrokes of a different user
on the same machine?

My interest is only because of my concerns about keyloggers.

--
TIA
Uenal
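
Added example, not part of the original message and not lkl code: the "No permission" result from ioperm() above comes from the kernel requiring CAP_SYS_RAWIO, so an audit of the port-I/O route only (not the X session route) can list the processes whose effective capability set has that bit. The function name can_use_port_io is hypothetical.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_RAWIO_BIT 17 /* CAP_SYS_RAWIO in <linux/capability.h> */

/* 1 if the CapEff mask in a /proc/<pid>/status text includes CAP_SYS_RAWIO
 * (the capability ioperm() and iopl() demand), 0 if not, -1 if no CapEff
 * value is found. */
int can_use_port_io(const char *status_text)
{
    for (const char *p = status_text; p && *p; ) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            char *end;
            unsigned long long caps = strtoull(p + 7, &end, 16);
            if (end == p + 7)
                return -1;
            return (int)((caps >> CAP_SYS_RAWIO_BIT) & 1ULL);
        }
        p = strchr(p, '\n'); /* advance to the start of the next line */
        if (p)
            p++;
    }
    return -1;
}

/* Walk /proc and print every process able to pass that check. */
int main(void)
{
    DIR *proc = opendir("/proc");
    struct dirent *e;
    char path[280], buf[4096];

    if (!proc)
        return 1;
    while ((e = readdir(proc)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0]))
            continue; /* not a PID directory */
        snprintf(path, sizeof path, "/proc/%s/status", e->d_name);
        FILE *f = fopen(path, "r");
        if (!f)
            continue; /* process exited or is not readable */
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        fclose(f);
        buf[n] = '\0';
        if (can_use_port_io(buf) == 1)
            printf("pid %s holds CAP_SYS_RAWIO\n", e->d_name);
    }
    closedir(proc);
    return 0;
}
```

A process that does not appear in this list cannot read port 0x60 directly, which matches the failure seen when the getuid() check is removed.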


