If you compile your kernel with CONFIG_INPUT_EVBUG=m (don't put "y",
otherwise you cannot even rmmod it when you don't need it - it does
generate lots of messages in the dmesg output buffer), then you can do a
modprobe evbug and in dmesg you can see:

    [4298922.635000] evbug.c: Event. Dev: isa0060/serio0/input0, Type: 1, Code: 103, Value: 0
    [4298922.635000] evbug.c: Event. Dev: isa0060/serio0/input0, Type: 0, Code: 0, Value: 0
    [4298923.302000] evbug.c: Event. Dev: isa0060/serio0/input0, Type: 4, Code: 4, Value: 200
    [4298923.302000] evbug.c: Event. Dev: isa0060/serio0/input0, Type: 1, Code: 103, Value: 1

for each key pressed. For details see:

http://www.linuxquestions.org/questions/linux-software-2/linux-keylogger-454869/

If you don't have the above kernel parameter compiled into the kernel,
you can also use ftrace. Assuming your debugfs is mounted at /debug, do
this:

    echo 0 >/debug/tracing/tracing_enabled
    echo "atkbd*" > /debug/tracing/set_ftrace_filter
    echo function >/debug/tracing/current_tracer
    echo 1 >/debug/tracing/tracing_enabled
    sleep 3
    echo 0 >/debug/tracing/tracing_enabled
    cat /debug/tracing/trace

During the "sleep 3", if there is no keyboard input:

    sleep-19465 [001] 10654.927843: atkbd_interrupt <-serio_interrupt
    sleep-19465 [001] 10654.927854: atkbd_event <-input_handle_event

But if there is keyboard input:

    <idle>-0 [001] 10676.932289: atkbd_interrupt <-serio_interrupt
    <idle>-0 [001] 10676.932301: atkbd_event <-input_handle_event
    firefox-8153 [001] 10677.091721: atkbd_interrupt <-serio_interrupt
    firefox-8153 [001] 10677.091733: atkbd_event <-input_handle_event
    <idle>-0 [001] 10677.133041: atkbd_interrupt <-serio_interrupt
    <idle>-0 [001] 10677.133051: atkbd_event <-input_handle_event
    firefox-8153 [001] 10677.247428: atkbd_interrupt <-serio_interrupt
    firefox-8153 [001] 10677.247439: atkbd_event <-input_handle_event
    <idle>-0 [001] 10677.266147: atkbd_interrupt <-serio_interrupt
    <idle>-0 [001] 10677.266155: atkbd_event <-input_handle_event
    firefox-8153 [001] 10677.270534: atkbd_interrupt <-serio_interrupt
    firefox-8153 [001] 10677.270543: atkbd_event <-input_handle_event
    <idle>-0 [001] 10677.343501: atkbd_interrupt <-serio_interrupt
    <idle>-0 [001] 10677.343510: atkbd_event <-input_handle_event

So you can see that keyboard input is handled in the context of
different processes, even though the real source is the currently active
local terminal.

Instead of atkbd_* you can also use input_*, which covers the various
exported APIs defined in drivers/input/*.c:

    drivers/input/ff-core.c:EXPORT_SYMBOL_GPL(input_ff_upload);
    drivers/input/ff-core.c:EXPORT_SYMBOL_GPL(input_ff_erase);
    drivers/input/ff-core.c:EXPORT_SYMBOL_GPL(input_ff_event);
    drivers/input/ff-core.c:EXPORT_SYMBOL_GPL(input_ff_create);
    drivers/input/ff-core.c:EXPORT_SYMBOL_GPL(input_ff_destroy);
    drivers/input/ff-memless.c:EXPORT_SYMBOL_GPL(input_ff_create_memless);
    drivers/input/input.c:EXPORT_SYMBOL(input_event);
    drivers/input/input.c:EXPORT_SYMBOL(input_inject_event);
    drivers/input/input.c:EXPORT_SYMBOL(input_grab_device);
    drivers/input/input.c:EXPORT_SYMBOL(input_release_device);
    drivers/input/input.c:EXPORT_SYMBOL(input_open_device);
    drivers/input/input.c:EXPORT_SYMBOL(input_flush_device);
    drivers/input/input.c:EXPORT_SYMBOL(input_close_device);
    drivers/input/input.c:EXPORT_SYMBOL(input_get_keycode);
    drivers/input/input.c:EXPORT_SYMBOL(input_set_keycode);
    drivers/input/input.c:EXPORT_SYMBOL_GPL(input_class);
    drivers/input/input.c:EXPORT_SYMBOL(input_allocate_device);
    drivers/input/input.c:EXPORT_SYMBOL(input_free_device);
    drivers/input/input.c:EXPORT_SYMBOL(input_set_capability);
    drivers/input/input.c:EXPORT_SYMBOL(input_register_device);
    drivers/input/input.c:EXPORT_SYMBOL(input_unregister_device);
    drivers/input/input.c:EXPORT_SYMBOL(input_register_handler);
    drivers/input/input.c:EXPORT_SYMBOL(input_unregister_handler);
    drivers/input/input.c:EXPORT_SYMBOL(input_register_handle);
    drivers/input/input.c:EXPORT_SYMBOL(input_unregister_handle);
    drivers/input/input-compat.c:EXPORT_SYMBOL_GPL(input_event_from_user);
    drivers/input/input-compat.c:EXPORT_SYMBOL_GPL(input_event_to_user);
    drivers/input/input-compat.c:EXPORT_SYMBOL_GPL(input_ff_effect_from_user);
    drivers/input/input-polldev.c:EXPORT_SYMBOL(input_allocate_polled_device);
    drivers/input/input-polldev.c:EXPORT_SYMBOL(input_free_polled_device);
    drivers/input/input-polldev.c:EXPORT_SYMBOL(input_register_polled_device);
    drivers/input/input-polldev.c:EXPORT_SYMBOL(input_unregister_polled_device);

and the output is:

    <idle>-0 [001] 10572.066205: input_handle_event <-input_event
    <idle>-0 [001] 10572.066205: input_pass_event <-input_handle_event
    Xorg-7627 [000] 10572.066213: input_event_to_user <-evdev_read
    Xorg-7627 [000] 10572.066220: input_event_to_user <-evdev_read
    hald-addon-inpu-7290 [001] 10572.066230: input_event_to_user <-evdev_read
    hald-addon-inpu-7290 [001] 10572.066231: input_event_to_user <-evdev_read
    hald-addon-inpu-7290 [001] 10572.066232: input_event_to_user <-evdev_read
    Xorg-7627 [000] 10572.066233: input_event_to_user <-evdev_read
    <idle>-0 [001] 10572.144881: input_event <-atkbd_interrupt

Alternatively, with:

    cat /dev/input/by-path/platform-i8042-serio-0-event-kbd

you can capture all the keyboard entries as well - so long as any of the
terminals are locally connected, but if it is ssh then it is not.
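
The input_* trace above shows which tasks copy input events to user space (input_event_to_user <-evdev_read). As an added example, not part of the original post, the Python below tallies those readers from a saved trace and lists any whose task name is not on an expected list. The sample lines are constructed, and the "evtap" task and the allow-list are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the ftrace "function" tracer format shown above.
# The "evtap-9001" task is invented for this example.
SAMPLE_TRACE = """\
          <idle>-0     [001] 10572.066205: input_handle_event <-input_event
          <idle>-0     [001] 10572.066205: input_pass_event <-input_handle_event
            Xorg-7627  [000] 10572.066213: input_event_to_user <-evdev_read
 hald-addon-inpu-7290  [001] 10572.066230: input_event_to_user <-evdev_read
           evtap-9001  [000] 10572.066240: input_event_to_user <-evdev_read
           evtap-9001  [000] 10572.066241: input_event_to_user <-evdev_read
          <idle>-0     [001] 10572.144881: input_event <-atkbd_interrupt
"""

# "<comm>-<pid> [cpu] <timestamp>: <function> <-<caller>"
# comm may itself contain '-', so it is matched greedily up to the last "-<pid>".
LINE_RE = re.compile(
    r"^\s*(?P<comm>.+)-(?P<pid>\d+)\s+\[(?P<cpu>\d+)\]\s+"
    r"(?P<ts>\d+\.\d+):\s+(?P<func>\S+)\s+<-(?P<parent>\S+)\s*$"
)


def evdev_readers(trace_text):
    """Count events delivered to user space through evdev_read, per (comm, pid)."""
    readers = Counter()
    for line in trace_text.splitlines():
        m = LINE_RE.match(line)  # '#' header lines in a real trace do not match
        if m and m["func"] == "input_event_to_user" and m["parent"] == "evdev_read":
            readers[(m["comm"], int(m["pid"]))] += 1
    return readers


def unexpected_readers(trace_text, allowed_comms):
    """Return (comm, pid, count) for readers whose comm is not on the allow-list.

    comm is truncated by the kernel to 15 characters (hence "hald-addon-inpu")
    and a process can rename itself, so a match is a triage hint, not proof.
    """
    return sorted(
        (comm, pid, n)
        for (comm, pid), n in evdev_readers(trace_text).items()
        if comm not in allowed_comms
    )


if __name__ == "__main__":
    for comm, pid, n in unexpected_readers(SAMPLE_TRACE, {"Xorg", "hald-addon-inpu"}):
        print(f"unexpected evdev reader: {comm} (pid {pid}), {n} events")
```

Confirm any reported pid against /proc/<pid>/exe and its open /dev/input/event* descriptors before drawing a conclusion.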
