Re: USB Examiner Package? Special USB Kernel Modules?
On Mon, Nov 25, 2019 at 10:37:42PM -0500, Kenneth Parker wrote:
> Here's an interesting one: A Windows friend handed me a USB Dongle,
> knowing that I'm a Linux user. He says he got it 3rd hand, with info that
> it might be "Very Dangerous". He would be interested, if I find out
> something about it. (And, indeed, Google has many hits on "USB Malware").
>
> So, what I want, is a USB Debugging Package, that will *NOT* attempt to
> actually open this device, but will give me information about it.
>
> Obviously, this has to be handled carefully because, for one, it's not
> always obvious which USB goes where.
>
> For example, before I plug it in, "lsusb" should not show anything plugged
> in.
>
> -----
>
> End of preliminaries. When I plug in something, (i.e. Serial Mouse in Text
> Only environment, or a USB Thumb Drive), a Flurry of Activity ensues, with
> lots of Kernel Messages (and before I get to examine it). Does that mean
> I have to make a Custom Kernel for this, or limit the Kernel Modules used?
>
> Any insights so far?
First:
How are you looking at something without opening it?
Unless you have some forensic electronics lab, where you can inspect
the underlying hardware, you always have to "open" (aka get a handle on) it.
It has been mentioned that there are devices which fry your hardware by
sending high voltage pulses to the host.
Get a Raspberry Pi and set up a USB debug stack there. It's
cheap. If you fry it, it's only $35 you lose.
Insert a udev rule to capture all events (especially "add").
And from there slowly pry your way in.
--
Henning Follmann | hfollmann@itcfollmann.com
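As an added example (not code from Henning's reply or from anyone in this thread): one way to do the "udev rule that captures every add event" step. It is a single POSIX sh script that both emits the rule and serves as the RUN handler, logging only what the kernel already read from the device during enumeration (vendor/product IDs, device class, interface classes) and never opening the storage or HID function itself. The file paths, the script name, and the sample device path and IDs used below are assumptions, not values from the thread.

```shell
#!/bin/sh
# usb-examiner: udev rule + handler that appends one log line per USB
# "add" event, built from sysfs attributes the kernel filled in during
# enumeration. Added example for this thread, not from the original posts.
# Every path below is an assumption; adjust for your system.

RULE_FILE=/etc/udev/rules.d/99-usb-examiner.rules   # assumed location
LOG_FILE=/var/log/usb-examiner.log                   # assumed location
HANDLER=/usr/local/sbin/usb-examiner                 # assumed: where this script is installed

# The udev rule. DEVTYPE=="usb_device" fires once per device rather than
# once per interface; RUN+= invokes the handler with udev's environment
# (DEVPATH, ACTION, ...) so it can read the device's sysfs directory.
usb_examiner_rule() {
    printf 'ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="%s log"\n' "$HANDLER"
}

# Map a USB class code (two lowercase hex digits, as sysfs prints it) to a name.
usb_class_name() {
    case "$1" in
        00) echo "per-interface" ;;
        03) echo "HID" ;;              # keyboard/mouse class: a "thumb drive" exposing HID deserves a hard look
        08) echo "mass-storage" ;;
        e0) echo "wireless" ;;
        ff) echo "vendor-specific" ;;
        *)  echo "class-$1" ;;
    esac
}

# Read one sysfs attribute, printing "-" when it is absent or unreadable.
sysattr() {
    cat "$1" 2>/dev/null || printf -- '-'
}

# Build the log line from already-collected fields (kept separate from the
# sysfs reads so it can be exercised without a real hotplug event).
#   $1 devpath  $2 idVendor  $3 idProduct  $4 bDeviceClass  $5 space-separated interface classes
usb_event_line() {
    ifaces=""
    for c in $5; do
        ifaces="$ifaces${ifaces:+,}$c($(usb_class_name "$c"))"
    done
    printf 'devpath=%s vid=%s pid=%s class=%s(%s) ifaces=%s\n' \
        "$1" "$2" "$3" "$4" "$(usb_class_name "$4")" "${ifaces:--}"
}

# Handler body, run by udev with DEVPATH set: collect attributes for the new
# device and append a timestamped line to the log. Interface classes come
# from the child interface directories (e.g. 1-2:1.0) the kernel created.
log_usb_event() {
    dev="/sys$DEVPATH"
    classes=""
    for f in "$dev"/*/bInterfaceClass; do
        [ -r "$f" ] && classes="$classes $(cat "$f")"
    done
    line=$(usb_event_line "$DEVPATH" \
        "$(sysattr "$dev/idVendor")" "$(sysattr "$dev/idProduct")" \
        "$(sysattr "$dev/bDeviceClass")" "$classes")
    printf '%s %s mfr="%s" product="%s" serial="%s"\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$line" \
        "$(sysattr "$dev/manufacturer")" "$(sysattr "$dev/product")" \
        "$(sysattr "$dev/serial")" >> "$LOG_FILE"
}

# Dispatch: "install" writes the rule and reloads udev; "log" is what the
# rule calls. With no argument the script only defines the functions above.
case "${1:-}" in
    install) usb_examiner_rule > "$RULE_FILE" && udevadm control --reload-rules ;;
    log)     [ -n "${DEVPATH:-}" ] && log_usb_event ;;
esac
```

Copy the script to the HANDLER path, run it once as root with `install`, then plug the dongle into the sacrificial box and read the log. Two caveats a practitioner will want: first, by the time this rule fires the kernel has already enumerated the device and, for a mass-storage or HID interface, will already have bound the usual driver, which is exactly the "flurry of activity" in the question; if you want enumeration without driver binding, boot the examining machine with `usbcore.authorized_default=0` on the kernel command line, after which the device and its descriptors still appear under /sys/bus/usb/devices but no interface directories are created and no driver attaches until you write 1 to that device's `authorized` attribute. Second, everything logged here is self-reported by the device's firmware, so treat the IDs and strings as claims, not facts.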