As a challenge to the paper “Unprivileged Black-Box Detection of User-Space Keyloggers“, we were askd to write a Linux keylogger that can hide behind the tool mentioned on the paper. A friend and I came up with several ideas to hide our keylogger from being detected. We didn’t manage to include all the ideas in the keylogger code because of time constraint but the professor approved that if we had included those options, their tool wouldn’t have detected it. Before writing the ideas we came up with, let me explain how their detection method works in a nutshell.
They assumed that, by design, keyloggers capture keystrokes and save them to file. If for example, “AbCdeF” was pressed on the keyboard, somewhere, some process is writing a file with the same bytes. So they check for this correlation by sending keys to all running processes and monitoring file activities and checking the number of bytes written. If the same amount of bytes were written to file, then the process that wrote that file is a keylogger.
Our ideas to circumvent this are presented below. Obviously, these are for educational purpose only.
1. Buffering. We have a buffer that changes its size every time it writes its content to file. Here is how it works.
Let’s say we have buf. And let the first random buffer size be 750. Then we keep buffering until 750 is reached and write it to file. Then the next buffer size would be randomly chosen. Say 900. The process continues like that.
2. If we’re on an Internet-connected computer, we directly post the logged keystrokes on a remote server. That’s it, nothing on file.
3. Being selective when we capture keys. Let’s face it, when we capture keys, usually it’s password or something related. So why would we be interested in keys that are entered on Sublime? So, we targeted web browsers: Mozilla Firefox and Google Chrome. What does it mean? Their tool sends our keylogger a key and it is ignored. Keeps logging like a boss 🙂
There were also other ideas like having a different sized output (different size than the entered keys) on file by applying cryptography but the paper says they addressed this issue very well so we didn’t bother to test it. Will post code if anybody is interested.
The C source code of X11 based Linux keylogger can be found here.
This work got us full points.
7 thoughts on “X11 based Linux keylogger”
Hello, Great post, Congrats!!
Maybe you could help me with a problem I’m having.
I’ve been working in a project for a while, but I want to know just when a key is pressed and also when a mouse button it’s pressed.
Because I manage to do this with X11/Xlib and X11/Xlib but I’ll need to create two new threads in my app to make it work properly.
So it’s there a way to call a function or emit a signal (I’m working with Qt/c++) to know this events (keypressed and mousepressed) are happening ??
It’s ncurses a possible solution ??
Hi there! Thanks for reading.
Have a look at the source code of the keylogger here: https://github.com/cristianstaicu/netsecunitn to have a general idea.
And here is an example code (i didn’t try though) that logs mouse events: http://stackoverflow.com/questions/14553435/how-to-listen-for-mouse-events-in-linux
I would do these in two separate threads to monitor both keyboard and mouse events.
I hope it helps and good luck! 🙂
Yes, thanks it works great, the only detail it’s to make work in all the windows not only the terminal.
The keylogger example should work for the browsers chrome and firefox. You can set this in the code or remove this check so that it works for every window
Hi guys its ahsan here i am Student of MSIT from cyber security department i need unprivileged black-box detection of user-space keyloggers project i have all Documents Regarding this project but i need model please any one help me here
Please contact the authors of the paper
i contact him but he did not respond me so that is why i post here the same Question i am looking for