Hello all,

I am trying to write a keylogger using dtrace for all kinds of applications. Shellsnoop, written by Brendan Gregg, takes advantage of the fact that shells use the standard I/O file descriptors 0, 1, and 2; Java command-line applications also use the same descriptors, so the same technique works for them as well, but GUI applications like Firefox or gcalctool (the calculator tool that comes with Solaris 10) use a different mechanism for key input, and I was not able to customize the shellsnoop script for them.

GUI applications continuously call syscall::read even if there are no key presses; the fd argument for syscall::read:entry was 4 or 5, etc., the size of the data read, obtained from arg0 of syscall::read:return, was 32 or more bytes for all the calls, and trying to read the buffer produces garbage or corrupts the shell altogether. I searched for probes containing "key pressed", etc., and found the fbt:kbtrans module, which contained probes like kbtrans_keypressed and provides a mechanism to capture keystrokes. But I was not able to link keystrokes from the kbtrans_* functions with the application which eventually reads the key press events queued by the kbtrans_queueevent function.

I have a couple of questions. First, what is the best way to write a generic keylogger and mouse input logger using dtrace, and second, for the situation described above, how can one establish a link between kbtrans and the other modules consuming its output?

Thanks in advance.

Faisal.

-- 
This message posted from opensolaris.org
dtrace-discuss mailing list
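The D script below is an added example, not part of the original post and not Brendan Gregg's shellsnoop. It takes the second question (linking kbtrans to whatever consumes its output) and answers it from the consumer's side: the only way userland can drain the events that kbtrans_queueevent puts on the stream head is by reading the keyboard STREAMS device, so the script counts kbtrans events in the kernel and, on every read() that returns from a descriptor whose resolved path names the keyboard device, prints the reading process together with the number of events queued since the previous keyboard read. The probe names fbt::kbtrans_keypressed:entry and fbt::kbtrans_queueevent:entry are taken from the post; everything else is assumed rather than confirmed by it: that the keyboard device's resolved pathname contains "kbd", and that this DTrace build provides the fds[] array and strstr().

```dtrace
#!/usr/sbin/dtrace -s
/*
 * kbdlink.d: attribute events queued by kbtrans to the process that
 * drains them from the keyboard STREAMS device.
 *
 * Added example; not from the original post and not shellsnoop.
 * Assumptions: fbt probes exist for kbtrans_keypressed and
 * kbtrans_queueevent (names taken from the post); the keyboard
 * device's resolved pathname contains "kbd"; this DTrace has the
 * fds[] array and the strstr() subroutine.
 *
 * Run as root:  dtrace -s kbdlink.d   then type some keys.
 */
#pragma D option quiet

dtrace:::BEGIN
{
	queued = 0;	/* events kbtrans has queued so far */
	drained = 0;	/* value of 'queued' at the last keyboard read() */
	printf("%-20s %-6s %-14s %s\n", "TIME", "PID", "EXEC", "EVENT");
}

/* A key press reaches kbtrans from the hardware keyboard driver. */
fbt::kbtrans_keypressed:entry
{
	printf("%-20Y %-6d %-14s kbtrans_keypressed\n",
	    walltimestamp, pid, execname);
}

/* kbtrans hands a translated event to the stream head for userland. */
fbt::kbtrans_queueevent:entry
{
	queued++;
}

/* read() on a descriptor whose resolved path names the keyboard device. */
syscall::read:entry
/strstr(fds[arg0].fi_pathname, "kbd") != NULL/
{
	self->kbd = 1;
	self->path = fds[arg0].fi_pathname;
}

/*
 * The return is the link: this process consumed whatever kbtrans
 * queued since the previous keyboard read.
 */
syscall::read:return
/self->kbd && arg0 > 0/
{
	printf("%-20Y %-6d %-14s read %d bytes from %s, %d kbtrans events since last keyboard read\n",
	    walltimestamp, pid, execname, arg0, self->path, queued - drained);
	drained = queued;
	@consumers[execname, pid] = count();
}

syscall::read:return
/self->kbd/
{
	self->kbd = 0;
	self->path = 0;
}

dtrace:::END
{
	printf("\nprocesses reading the keyboard device:\n");
	printa("%-14s %-6d %@d reads\n", @consumers);
}
```

The per-read event delta is what ties the two layers together without any shared identifier: the kernel side has no notion of which process will read, but the read() that follows a burst of kbtrans_queueevent calls belongs to the consumer. For a GUI session that consumer will be the display server holding the keyboard device open, not the application itself; a client such as Firefox receives its key events from the display server over its connection socket, which is why its frequent reads on fds 4 or 5 carry protocol traffic of 32 bytes or more rather than raw keystrokes, and why a generic GUI keylogger has to trace that client connection (or the server's writes to it) rather than the kbtrans path.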
