Lets first understand what is a keylogger and then we can move on to build one:
A keylogger is a function which records keystrokes on your computer. It is a threat to a user and user’s important data as they can track the entered passwords typed on the keyboard. The hacker can then access the users sensitive information.
** this is for educational purpose **
Now lets start with making a keylogger and will understand the process of where are the keystrokes mapped from and how our code will save those keystrokes. We will be coding our keylogger in C language.
In linux, everything is a file and that means our keystrokes on the keyboard is also a file itself.
Where are all the input devices present in the system? The /dev/input folder have all of them. This file maintains the list of all events for different input devices.
Now the problem is, which one is our event that handles the keyboard inputs. For this we will take a look at a file devices a the location /proc/bus/input. Here we will find all the devices and can map the event for our keyboard that we were not able to do earlier.
So which one is our keyboard. The name of the input device will be “AT Translated Set 2 keyboard” and EV=120013. Here my event number is event4.
Now that we know out event for the keyboard and all the information from the devices file, we can start coding our logger using this information.
We will be storing our stored data (keystrokes) in a logfile named “data” in the /tmp folder.
The program makes a structure ev, and then read the /dev/input/event4 file (of my keyboard), and append the keystrokes to the logfile at the /tmp folder.
ev.type is a movement on the keyboard taken in EV_KEY and the ev.value is set to 0 as when there is a keypress on a keyboard there is a keyrelease afterwards, so to prevent recording the same value again on keyrelease it is set to 0.
This code will now print all the keystrokes.
But the keystrokes are being mapped as numbers but not the actual values. These numbers are the corresponding values to each keys.
Now we have to find the file that handles these values and then map them accordingly to have our output as readable text.
For this we have to take a look at the file “input-event-codes.h” file at /usr/include/linux. Here in this file you will find all the values corresponding to each key on our keyboard.
Using this we will make a key-map in our code that will give the readable input corresponding to the numerical key value.
I have used first two dots in our map for reversed and escape to skip them, then map 0–9, minus and equal, again skipped backspace and tab using dots, and further mapped alphabets and other inputs.
This code will now map the keystrokes in readable form.
Now that we have mapped the keystrokes, we are not mapping space, new line and we are printing the value on the terminal one word per line, for this we will modify our code to handle these situations.
This time our code will record all our keystrokes and save them to the /tmp folder in our logfile while taking care of spacing and new line.
So we have successfully made a keylogger for a linux system that will map all keystrokes and save them at /tmp folder in a logfile. This code can be modified for mapping backspaces and every key function.
Further it can be modified to be sent to a machine and recieve the keystrokes on your own machine.
The code is available on github: https://github.com/nayan4755/linux_keylogger.git
The video walkthrough of this code is available on youtube on Infosec Gamer channel: https://www.youtube.com/watch?v=M3MNoPPp0pU&t=108s
