Try convince me that input_register_handle is not best place for installing keylogger, it's even strange that they were embarrassed to connect there their holy cow eBPF. Long story short - there are 3 structures in linux kernel for servicing of input devices:
- input_dev chained in list (sure non-exported) input_dev_list
- input_handler chained in list input_handler_list
- input_handle with pointer to input_handler and attached to input_dev (in list h_list)
So keylogger could
- just call input_register_handle
- to be more stealthy - patch functions pointers in already registered input_handler (very convenient that sysrq_handler missed out method event)
- attach own input_handle to desired input_dev but without registering corresponding input_handler - yes, this is perfectly legal
- patch functions pointers directly in input_dev
Guess in three tries what exactly you can extract from sysfs?
So I add to my lkcd dumping of all above-mentioned structures. Sample of output
input handlers count: 7
[0] input_handler at addr: 0xffffffff921dac40 - kernel!rfkill_handler
Name: rfkill
event: 0xffffffff90c91300 - kernel!rfkill_event
connect: 0xffffffff90c91200 - kernel!rfkill_connect
disconnect: 0xffffffff90c911d0 - kernel!rfkill_disconnect
start: 0xffffffff90c915b0 - kernel!rfkill_start
[1] input_handler at addr: 0xffffffff920faa60 - kernel!kbd_handler
Name: kbd
event: 0xffffffff907f5890 - kernel!kbd_event
match: 0xffffffff907f3b80 - kernel!kbd_match
connect: 0xffffffff907f3120 - kernel!kbd_connect
disconnect: 0xffffffff907f30f0 - kernel!kbd_disconnect
start: 0xffffffff907f39b0 - kernel!kbd_start
[2] input_handler at addr: 0xffffffff920f9300 - kernel!sysrq_handler
Name: sysrq
filter: 0xffffffff907ef4f0 - kernel!sysrq_filter
connect: 0xffffffff907eed20 - kernel!sysrq_connect
disconnect: 0xffffffff907eeb60 - kernel!sysrq_disconnect
[3] input_handler at addr: 0xffffffff921749e0 - kernel!mousedev_handler
Name: mousedev
event: 0xffffffff909e3360 - kernel!mousedev_event
connect: 0xffffffff909e3d30 - kernel!mousedev_connect
disconnect: 0xffffffff909e3c80 - kernel!mousedev_disconnect
[4] input_handler at addr: 0xffffffff92174e40 - kernel!evdev_handler
Name: evdev
event: 0xffffffff909e63a0 - kernel!evdev_event
events: 0xffffffff909e62e0 - kernel!evdev_events
connect: 0xffffffff909e4e80 - kernel!evdev_connect
disconnect: 0xffffffff909e4e20 - kernel!evdev_disconnect
[5] input_handler at addr: 0xffffffffc075c0c0 - input_leds!input_leds_handler
Name: leds
event: 0xffffffffc075a000 - input_leds!input_leds_event
connect: 0xffffffffc075a0f0 - input_leds!input_leds_connect
disconnect: 0xffffffffc075a010 - input_leds!input_leds_disconnect
[6] input_handler at addr: 0xffffffffc081d580 - joydev!joydev_handler
Name: joydev
event: 0xffffffffc0817d60 - joydev!joydev_event
match: 0xffffffffc0817bf0 - joydev!joydev_match
connect: 0xffffffffc08181a0 - joydev!joydev_connect
disconnect: 0xffffffffc0818140 - joydev!joydev_disconnect
input devs count: 20
...
[2] input_dev at addr: 0xffffa0bc453e5800
name: AT Translated Set 2 keyboard
phys: isa0060/serio0/input0
handlers: 4
[0] 0xffffffff920f9300 sysrq
[1] 0xffffffff920faa60 kbd
[2] 0xffffffff92174e40 evdev
[3] 0xffffffffc075c0c0 leds
setkeycode: 0xffffffff909dcca0 - kernel!input_default_setkeycode
getkeycode: 0xffffffff909dd240 - kernel!input_default_getkeycode
event: 0xffffffff909e7420 - kernel!atkbd_event
Комментариев нет:
Отправить комментарий