Try to convince me that input_register_handle is not the best place to install a keylogger; it is even strange that they were too shy to hook their holy cow eBPF up there. Long story short: the Linux kernel has three structures for servicing input devices:
- input_dev, chained in the (of course non-exported) list input_dev_list
- input_handler, chained in the list input_handler_list
- input_handle, holding a pointer to its input_handler and attached to an input_dev (in the device's h_list via d_node; it also sits in the handler's h_list via h_node)
So a keylogger could:
- simply call input_register_handle
- to be stealthier, patch function pointers in an already registered input_handler (very convenient that sysrq_handler has no event method, so that slot is free to fill)
- attach its own input_handle to the desired input_dev without registering the corresponding input_handler at all; yes, this is perfectly legal, since input_register_handle never checks that the handler is on input_handler_list
- patch function pointers directly in the input_dev
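The linkage described in the list above, as an added example that is not code from the original post or from lkcd: a user-space C model of the three structures in which input_register_handle() links them the way the kernel does (struct and field names follow include/linux/input.h, the list helpers stand in for <linux/list.h>, and locking, RCU and error paths are left out), with the two checks a dumper wants to run over them: handles on a device's h_list whose handler is absent from input_handler_list, and a handler whose callback slots differ from what its source defines (sysrq_handler has .filter and no .event). The keyboard, the rogue handler and the handle names are constructed for the demo.

```c
/* Added example: a user-space model (not kernel code and not lkcd's) of the three
 * structures as input_register_handle() links them, plus two checks a dumper
 * wants. Names follow include/linux/input.h; the list helpers stand in for
 * <linux/list.h>; locking, RCU and error paths are left out. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h)      /* at head */
{ n->next = h->next; n->prev = h; h->next->prev = n; h->next = n; }
static void list_add_tail(struct list_head *n, struct list_head *h) /* at tail */
{ n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n; }
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member)                              \
    for (pos = container_of((head)->next, __typeof__(*pos), member);        \
         &pos->member != (head);                                            \
         pos = container_of(pos->member.next, __typeof__(*pos), member))
struct input_handle;
struct input_dev { const char *name; struct list_head h_list; }; /* h_list: attached handles */
struct input_handler {               /* .node chains it into input_handler_list */
    const char *name;
    void (*event)(struct input_handle *, unsigned int, unsigned int, int);
    bool (*filter)(struct input_handle *, unsigned int, unsigned int, int);
    struct list_head h_list, node;
};
struct input_handle {
    const char *name;
    struct input_dev *dev;
    struct input_handler *handler;
    struct list_head d_node, h_node; /* in dev->h_list and in handler->h_list */
};
static struct list_head input_handler_list;  /* static in drivers/input/input.c too */
static void input_register_handler(struct input_handler *handler) {
    INIT_LIST_HEAD(&handler->h_list);
    list_add_tail(&handler->node, &input_handler_list);
}
/* Same linkage as the kernel: a handler with .filter goes to the head of dev->h_list
 * (so it sees events first); nothing verifies handle->handler is on input_handler_list. */
static void input_register_handle(struct input_handle *handle) {
    if (handle->handler->filter)
        list_add(&handle->d_node, &handle->dev->h_list);
    else
        list_add_tail(&handle->d_node, &handle->dev->h_list);
    list_add_tail(&handle->h_node, &handle->handler->h_list);
}
/* Check 1: every handle on dev->h_list must point at a registered handler. */
static bool handler_is_registered(const struct input_handler *h) {
    struct input_handler *p;
    list_for_each_entry(p, &input_handler_list, node)
        if (p == h) return true;
    return false;
}
static int count_orphan_handles(struct input_dev *dev) {
    struct input_handle *h;
    int orphans = 0;
    list_for_each_entry(h, &dev->h_list, d_node)
        if (!handler_is_registered(h->handler)) orphans++;
    return orphans;
}
static const char *first_handle_name(struct input_dev *dev) {
    return container_of(dev->h_list.next, struct input_handle, d_node)->name;
}
/* Check 2: callbacks must match the handler's source. sysrq_handler (drivers/tty/sysrq.c)
 * defines .filter and no .event, so a non-NULL .event there is a patched pointer. */
static int count_unexpected_callbacks(const struct input_handler *h, bool has_event, bool has_filter) {
    return ((h->event != NULL) != has_event) + ((h->filter != NULL) != has_filter);
}
/* Constructed scenario: one keyboard; kbd and sysrq registered normally; a
 * third handler that only initialises its h_list and then attaches a handle. */
static void kbd_event(struct input_handle *h, unsigned int t, unsigned int c, int v) { (void)h; (void)t; (void)c; (void)v; }
static bool pass_filter(struct input_handle *h, unsigned int t, unsigned int c, int v) { (void)h; (void)t; (void)c; (void)v; return false; }
static struct input_dev kbd_dev = { .name = "AT Translated Set 2 keyboard" };
static struct input_handler kbd_handler   = { .name = "kbd",   .event  = kbd_event };
static struct input_handler sysrq_handler = { .name = "sysrq", .filter = pass_filter };
static struct input_handler rogue_handler = { .name = "rogue", .filter = pass_filter };
static struct input_handle kbd_handle   = { "kbd",   &kbd_dev, &kbd_handler };
static struct input_handle sysrq_handle = { "sysrq", &kbd_dev, &sysrq_handler };
static struct input_handle rogue_handle = { "rogue", &kbd_dev, &rogue_handler };
static void build_scenario(void) {
    INIT_LIST_HEAD(&input_handler_list);
    INIT_LIST_HEAD(&kbd_dev.h_list);
    sysrq_handler.event = NULL;
    input_register_handler(&kbd_handler);
    input_register_handler(&sysrq_handler);
    INIT_LIST_HEAD(&rogue_handler.h_list);      /* never registered */
    input_register_handle(&kbd_handle);
    input_register_handle(&sysrq_handle);
    input_register_handle(&rogue_handle);
}
/* Check 1 on the keyboard: 1 orphan (the rogue handle, which also sits first). */
static int demo_orphan_handles(void) { build_scenario(); return count_orphan_handles(&kbd_dev); }
/* Store a pointer into sysrq's empty .event slot; check 2 then reports 1. */
static int demo_patched_sysrq(void) {
    build_scenario();
    sysrq_handler.event = kbd_event;
    return count_unexpected_callbacks(&sysrq_handler, false, true);
}
int main(void) {
    int orphans = demo_orphan_handles(), patched = demo_patched_sysrq();
    printf("orphans: %d, first in h_list: %s, sysrq mismatches: %d\n", orphans, first_handle_name(&kbd_dev), patched);
    return 0; }
```

Because input_register_handle() puts a filtering handler at the head of dev->h_list, the unregistered handler in the scenario sees every event before kbd and sysrq do, and walking input_handler_list alone never shows it; that is why a dump has to start from input_dev_list and cross-check each handle's handler pointer and each known handler's callback slots.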
Guess in three tries how much of this you can extract from sysfs.
So I added dumping of all the structures mentioned above to my lkcd. Sample output: