Try convince me that input_register_handle is not best place for installing keylogger, it’s even strange that they were embarrassed to connect there their holy cow eBPF. Long story short – there are 3 structures in linux kernel for servicing of input devices:
试着说服我,input_register_handle不是安装键盘记录器的最佳地点,甚至奇怪的是,他们不好意思在那里连接他们的圣牛eBPF。长话短说 – linux 内核中有 3 个结构用于维护输入设备:
- input_dev chained in list (sure non-exported) input_dev_list
input_dev链接在列表中(确定未导出)input_dev_list
- input_handler chained in list input_handler_list
input_handler链接在列表input_handler_list
- input_handle with pointer to input_handler and attached to input_dev (in list h_list)
input_handle,指针指向input_handler并附加到input_dev(在列表 h_list 中)
So keylogger could 所以键盘记录器可以
- just call input_register_handle
只需致电input_register_handle
- to be more stealthy – patch functions pointers in already registered input_handler (very convenient that sysrq_handler missed out method event)
更隐蔽 – 补丁函数指针在已经注册的input_handler(非常方便,sysrq_handler错过了方法事件)
- attach own input_handle to desired input_dev but without registering corresponding input_handler – yes, this is perfectly legal
将自己的input_handle附加到所需的input_dev,但不注册相应的input_handler – 是的,这是完全合法的
- patch functions pointers directly in input_dev
Patch 函数指针直接在input_dev
Guess in three tries what exactly you can extract from sysfs?
猜猜在三次尝试中,您究竟可以从 sysfs 中提取什么?
So I add to my lkcd dumping of all above-mentioned structures. Sample of output
因此,我添加了上述所有结构的 lkcd 倾倒。输出示例
input handlers count: 7
[0] input_handler at addr: 0xffffffff921dac40 - kernel!rfkill_handler
Name: rfkill
event: 0xffffffff90c91300 - kernel!rfkill_event
connect: 0xffffffff90c91200 - kernel!rfkill_connect
disconnect: 0xffffffff90c911d0 - kernel!rfkill_disconnect
start: 0xffffffff90c915b0 - kernel!rfkill_start
[1] input_handler at addr: 0xffffffff920faa60 - kernel!kbd_handler
Name: kbd
event: 0xffffffff907f5890 - kernel!kbd_event
match: 0xffffffff907f3b80 - kernel!kbd_match
connect: 0xffffffff907f3120 - kernel!kbd_connect
disconnect: 0xffffffff907f30f0 - kernel!kbd_disconnect
start: 0xffffffff907f39b0 - kernel!kbd_start
[2] input_handler at addr: 0xffffffff920f9300 - kernel!sysrq_handler
Name: sysrq
filter: 0xffffffff907ef4f0 - kernel!sysrq_filter
connect: 0xffffffff907eed20 - kernel!sysrq_connect
disconnect: 0xffffffff907eeb60 - kernel!sysrq_disconnect
[3] input_handler at addr: 0xffffffff921749e0 - kernel!mousedev_handler
Name: mousedev
event: 0xffffffff909e3360 - kernel!mousedev_event
connect: 0xffffffff909e3d30 - kernel!mousedev_connect
disconnect: 0xffffffff909e3c80 - kernel!mousedev_disconnect
[4] input_handler at addr: 0xffffffff92174e40 - kernel!evdev_handler
Name: evdev
event: 0xffffffff909e63a0 - kernel!evdev_event
events: 0xffffffff909e62e0 - kernel!evdev_events
connect: 0xffffffff909e4e80 - kernel!evdev_connect
disconnect: 0xffffffff909e4e20 - kernel!evdev_disconnect
[5] input_handler at addr: 0xffffffffc075c0c0 - input_leds!input_leds_handler
Name: leds
event: 0xffffffffc075a000 - input_leds!input_leds_event
connect: 0xffffffffc075a0f0 - input_leds!input_leds_connect
disconnect: 0xffffffffc075a010 - input_leds!input_leds_disconnect
[6] input_handler at addr: 0xffffffffc081d580 - joydev!joydev_handler
Name: joydev
event: 0xffffffffc0817d60 - joydev!joydev_event
match: 0xffffffffc0817bf0 - joydev!joydev_match
connect: 0xffffffffc08181a0 - joydev!joydev_connect
disconnect: 0xffffffffc0818140 - joydev!joydev_disconnect
input devs count: 20
...
[2] input_dev at addr: 0xffffa0bc453e5800
name: AT Translated Set 2 keyboard
phys: isa0060/serio0/input0
handlers: 4
[0] 0xffffffff920f9300 sysrq
[1] 0xffffffff920faa60 kbd
[2] 0xffffffff92174e40 evdev
[3] 0xffffffffc075c0c0 leds
setkeycode: 0xffffffff909dcca0 - kernel!input_default_setkeycode
getkeycode: 0xffffffff909dd240 - kernel!input_default_getkeycode
event: 0xffffffff909e7420 - kernel!atkbd_event
