Faisal Mansoor
2008-Mar-15 05:23 UTC
[dtrace-discuss] process snoop (shellsnoop for arbitrary application)
Hello all,

I am trying to write a keylogger using dtrace for all kinds of applications. Shellsnoop, written by Brendan Gregg, takes advantage of the fact that shells use the standard I/O file descriptors 0, 1, 2. The Java command line applications also use the same descriptors, so the same technique works for them as well, but GUI applications like Firefox or gcaltool (the calculator tool that comes with Solaris 10) use a different mechanism for key input, and I was not able to customize the shellsnoop script for them.

GUI applications continuously call syscall::read even if there are no key presses; the fd field for syscall::read:entry was 4 or 5 etc., the size of the data read obtained from arg0 of syscall::read:return was 32 or more bytes for all the calls, and trying to read the buffer produces garbage or corrupts the shell altogether.

I searched for probes containing "key pressed" etc. and found the fbt:kbtrans module, which contains probes like kbtrans_keypressed and provides a mechanism to capture key strokes. But I was not able to link keystrokes from the kbtrans_* functions with the application which eventually reads the key press events queued by the kbtrans_queueevent function.

I have a couple of questions. First, what is the best way to write a generic keylogger and mouse input logger using dtrace, and second, for the situation described above, how can one establish a link between kbtrans and the other modules consuming its output?

Thanks in advance.
Faisal.

--
This message posted from opensolaris.org
Alan Coopersmith
2008-Mar-18 00:55 UTC
[dtrace-discuss] process snoop (shellsnoop for arbitrary application)
Faisal Mansoor wrote:
> Hello all,
>
> I am trying to write a keylogger using dtrace for all kinds of applications. Shellsnoop, written by Brendan Gregg, takes advantage of the fact that shells use the standard I/O file descriptors 0, 1, 2. The Java command line applications also use the same descriptors, so the same technique works for them as well, but GUI applications like Firefox or gcaltool (the calculator tool that comes with Solaris 10) use a different mechanism for key input, and I was not able to customize the shellsnoop script for them.
>
> GUI applications continuously call syscall::read even if there are no key presses; the fd field for syscall::read:entry was 4 or 5 etc., the size of the data read obtained from arg0 of syscall::read:return was 32 or more bytes for all the calls, and trying to read the buffer produces garbage or corrupts the shell altogether.
>
> I searched for probes containing "key pressed" etc. and found the fbt:kbtrans module, which contains probes like kbtrans_keypressed and provides a mechanism to capture key strokes. But I was not able to link keystrokes from the kbtrans_* functions with the application which eventually reads the key press events queued by the kbtrans_queueevent function.
>
> I have a couple of questions. First, what is the best way to write a generic keylogger and mouse input logger using dtrace, and second, for the situation described above, how can one establish a link between kbtrans and the other modules consuming its output?

GUI applications don't read the keyboard - they read events from the X server - the X server reads the keyboard and passes out events to whichever application has keyboard focus or has requested keyboard notification. The data format for these events is defined by the X11 protocol. You could monitor the X events sent by the X server using the Xserver Dtrace provider:
http://people.freedesktop.org/~alanc/dtrace/

--
-Alan Coopersmith-  alan.coopersmith at sun.com
Sun Microsystems, Inc. - X Window System Engineering
Dan Mick
2008-Mar-18 02:08 UTC
[dtrace-discuss] process snoop (shellsnoop for arbitrary application)
Alan Coopersmith wrote:
> Faisal Mansoor wrote:
>> Hello all,
>>
>> I am trying to write a keylogger using dtrace for all kinds of applications. Shellsnoop, written by Brendan Gregg, takes advantage of the fact that shells use the standard I/O file descriptors 0, 1, 2. The Java command line applications also use the same descriptors, so the same technique works for them as well, but GUI applications like Firefox or gcaltool (the calculator tool that comes with Solaris 10) use a different mechanism for key input, and I was not able to customize the shellsnoop script for them.
>>
>> GUI applications continuously call syscall::read even if there are no key presses; the fd field for syscall::read:entry was 4 or 5 etc., the size of the data read obtained from arg0 of syscall::read:return was 32 or more bytes for all the calls, and trying to read the buffer produces garbage or corrupts the shell altogether.
>>
>> I searched for probes containing "key pressed" etc. and found the fbt:kbtrans module, which contains probes like kbtrans_keypressed and provides a mechanism to capture key strokes. But I was not able to link keystrokes from the kbtrans_* functions with the application which eventually reads the key press events queued by the kbtrans_queueevent function.
>>
>> I have a couple of questions. First, what is the best way to write a generic keylogger and mouse input logger using dtrace, and second, for the situation described above, how can one establish a link between kbtrans and the other modules consuming its output?
>
> GUI applications don't read the keyboard - they read events from the
> X server - the X server reads the keyboard and passes out events to
> whichever application has keyboard focus or has requested keyboard
> notification. The data format for these events is defined by the
> X11 protocol. You could monitor the X events sent by the X server
> using the Xserver Dtrace provider:
> http://people.freedesktop.org/~alanc/dtrace/

The different keyboard modes are documented in kb(7M).
Salman Jamali
2008-Mar-20 16:51 UTC
[dtrace-discuss] process snoop (shellsnoop for arbitrary application)
Thanks. I read about X11, and I understand that I'll need to observe the KeyPress events, fetch the keys and associate them with the process that has the keyboard focus.

I have two issues.

1- I am using the latest Solaris Express Developer Edition 01/08, and I believe it to have all the probes available for Xserver. Running

    # dtrace -l -n 'Xserver*:::'

returns me this:

    ID   PROVIDER    MODULE  FUNCTION                        NAME
     4   Xserver621  Xorg    CloseDownClient                 client-disconnect
     5   Xserver621  Xorg    Dispatch                        request-done
     6   Xserver621  Xorg    Dispatch                        request-start
     7   Xserver621  Xorg    AddResource                     resource-alloc
     8   Xserver621  Xorg    FreeClientResources             resource-free
     9   Xserver621  Xorg    FreeClientNeverRetainResources  resource-free
    10   Xserver621  Xorg    FreeResourceByType              resource-free
    11   Xserver621  Xorg    FreeResource                    resource-free
    12   Xserver621  Xorg    WriteEventsToClient             send-event

Now, there are a few probes missing here, including client-auth for ClientAuthorized. Are these deprecated, or is my system missing them?

Secondly, I am trying to understand the xEvent structure to retrieve the key that is pressed. But my approach is more trial and error and ad hoc. Is there any way to understand the xEvent structure and other code more clearly, to get to know more about each field, besides the data structures only? Please state any script fragments if that may help.

Thanks a lot.
Salman Jamali
2008-Mar-25 02:43 UTC
[dtrace-discuss] process snoop (shellsnoop for arbitrary application)
Is there any way to get the client pid from a client id? client-auth is the only probe that has the client pid as an argument, but this probe is missing in my OpenSolaris. Also, I need hints about how to get the client id of the process having the keyboard focus.

Please help. Thanks!
Alan Coopersmith
2008-Mar-25 02:52 UTC
[dtrace-discuss] process snoop (shellsnoop for arbitrary application)
Salman Jamali wrote:
> Thanks. I read about X11, and I understand that I'll need to observe the KeyPress events, fetch the keys and associate them with the process that has the keyboard focus.
>
> I have two issues.
>
> 1- I am using the latest Solaris Express Developer Edition 01/08, and I believe it to have all the probes available for Xserver. Running # dtrace -l -n 'Xserver*:::', returns me this:
>
>     ID   PROVIDER    MODULE  FUNCTION                        NAME
>      4   Xserver621  Xorg    CloseDownClient                 client-disconnect
>      5   Xserver621  Xorg    Dispatch                        request-done
>      6   Xserver621  Xorg    Dispatch                        request-start
>      7   Xserver621  Xorg    AddResource                     resource-alloc
>      8   Xserver621  Xorg    FreeClientResources             resource-free
>      9   Xserver621  Xorg    FreeClientNeverRetainResources  resource-free
>     10   Xserver621  Xorg    FreeResourceByType              resource-free
>     11   Xserver621  Xorg    FreeResource                    resource-free
>     12   Xserver621  Xorg    WriteEventsToClient             send-event
>
> Now, there are a few probes missing here, including client-auth for ClientAuthorized. Are these deprecated, or is my system missing them?

There's a bug in Nevada which has caused some of the probes to not be built into Xorg - unfortunately, I've not had time to try to figure out where in the compiler/linker/dtrace chain the probe is being lost.

> Secondly, I am trying to understand the xEvent structure to retrieve the key that is pressed. But my approach is more trial and error and ad hoc. Is there any way to understand the xEvent structure and other code more clearly, to get to know more about each field, besides the data structures only?

The xEvent structure is defined in the X11 Protocol. You might also find some description in the old O'Reilly X programming manuals, if you can still find a set.

--
-Alan Coopersmith-  alan.coopersmith at sun.com
Sun Microsystems, Inc. - X Window System Engineering