Writing a Linux Keylogger

16 Apr 2016

So I had the brilliant idea of writing a keylogger for Linux. In Linux, there is the /dev/ folder that contains a lot of FIFO pipes for certain processes. Among these, there were two that stood out to me regarding the keyboard:

  1. hidraw0
  2. hidraw1

HID means Human Interface Device. These are peripherals, like keyboards, mice, touchpads, etc.

A simple ls -l showed that these were owned by root, so I used sudo cat /dev/hidraw0 to check the output. To my great satisfaction, as soon as I typed in some letters, it spat out a bunch of gibberish and special symbols: low-valued keycodes that were being rendered as ASCII.

To check out what these were, I opened a Python shell as root:

$ sudo python
>>> f = open("/dev/hidraw0")
>>> while True:
        print ord(f.read(1))

What this yielded was a long stream of numbers. Through some experimentation, I found that every keystroke was a list of 10 bytes:

$ sudo python
>>> f = open("/dev/hidraw0")
>>> while True:
        print [ ord(x) for x in f.read(10) ]

I don’t know if it’s 10 for all keyboards, but I’m using a MacBook Air 4.2, running LXLE. After it started printing out, I noticed a few things:

The second element (index 1) of the list corresponded to the modifier keys. In fact, it behaves the way permission bits are stored in C: as bit flags, one bit per key. Through some experimentation, I discovered the following schema:


0 0 0 0 0 0 0 0
| | | | | | | |___ Left Control
| | | | | | |_____ Left Shift
| | | | | |_______ Left Alt
| | | | |_________ Left Super
| | | |___________ Right Control
| | |_____________ Right Shift
| |_______________ Right Alt
|_________________ Right Super
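
As an added example (not code from the post), here is the bit layout above turned into a small Python 3 decoder: each set bit of the modifier byte maps to the key name the diagram assigns it. The 10-byte report length and the modifier byte's position at index 1 are taken from the post's observations on its own keyboard and are treated here as assumptions; the sample report is constructed, not captured from a device.

```python
# Added example, not the post's own code: decode the modifier byte of a HID
# keyboard report using the bit layout the post describes
# (bit 0 = Left Control ... bit 7 = Right Super).

MODIFIER_BITS = [
    (0, "Left Control"),
    (1, "Left Shift"),
    (2, "Left Alt"),
    (3, "Left Super"),
    (4, "Right Control"),
    (5, "Right Shift"),
    (6, "Right Alt"),
    (7, "Right Super"),
]

# Assumptions taken from the post's observations on its keyboard:
MODIFIER_INDEX = 1  # the modifier byte sat at index 1 of each chunk
REPORT_LEN = 10     # each keystroke arrived as 10 bytes


def decode_modifiers(mod_byte):
    """Return the names of the modifier keys whose bit is set in mod_byte,
    in ascending bit order."""
    if not 0 <= mod_byte <= 0xFF:
        raise ValueError("modifier byte must fit in 8 bits")
    return [name for bit, name in MODIFIER_BITS if mod_byte & (1 << bit)]


def parse_report(report):
    """Split one raw report into its modifier names and the bytes that follow.
    A report of the wrong length is rejected instead of being mis-decoded,
    since a short read would shift every later field."""
    if len(report) != REPORT_LEN:
        raise ValueError("expected %d bytes, got %d" % (REPORT_LEN, len(report)))
    return {
        "modifiers": decode_modifiers(report[MODIFIER_INDEX]),
        "rest": list(report[MODIFIER_INDEX + 1:]),
    }


# Constructed sample report: byte 1 = 0x22 = 0b00100010, i.e. bits 1 and 5,
# which the diagram maps to Left Shift and Right Shift.
SAMPLE = bytes([0x01, 0x22, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00])

if __name__ == "__main__":
    print(parse_report(SAMPLE))
```

The length check matters more than it looks: if a read returns fewer bytes than one report, every subsequent field is misaligned, so refusing the chunk is safer than decoding garbage.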

I was unsure about the keycodes themselves, and since I was a bit bored in class, I decided to test out every key that was available on the built-in MacBook Air 2011 keyboard.

The source can be found here: keylogger