So I had the brilliant idea of writing a keylogger for Linux. In Linux, the /dev/ directory contains device files through which user-space programs talk to drivers and hardware. Among these, two stood out to me regarding the keyboard:
HID means Human Interface Device. These are peripherals, like keyboards, mice, touchpads, etc.
Doing a simple ls -l showed that these were owned by root, so I used cat /dev/hidraw0 to check the output. To my great satisfaction, as soon as I typed in some letters, it spit out a bunch of gibberish and special symbols: the raw report bytes have low values, and the terminal rendered them as ASCII control characters.
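The root ownership noticed above is the control that matters here: a hidraw node that any local user can read hands that user every keystroke. The following audit, added as an example and not part of the original post, checks the mode and owner of device nodes the way a defender would. It assumes the usual Linux convention that /dev/hidraw* nodes are owned by uid 0 and not readable by group or others; the path list it audits by default is taken from the page's /dev/hidraw naming.

```python
import glob
import os
import stat

# Added example, not code from the original post. Audits device-node
# permissions: a hidraw node readable by a non-root user would expose raw
# keyboard reports to that user.


def readable_by_others(mode):
    """True if the group or 'other' read bit is set in an st_mode value."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_devices(paths, expected_uid=0):
    """Return (path, octal mode, owner uid) for every node that is either
    readable by group/others or not owned by expected_uid (uid 0 by default,
    matching the root ownership the post observed)."""
    findings = []
    for path in paths:
        st = os.stat(path)
        if readable_by_others(st.st_mode) or st.st_uid != expected_uid:
            findings.append((path, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return findings


def audit_hidraw():
    """Audit the real hidraw nodes on this machine; an empty list means none
    of them is readable by anyone but root."""
    return audit_devices(sorted(glob.glob("/dev/hidraw*")))


if __name__ == "__main__":
    for path, mode, uid in audit_hidraw():
        print("WARNING: %s (mode %s, uid %d) is readable by non-root users"
              % (path, mode, uid))
```

Run it as an unprivileged user: os.stat only needs search permission on /dev, so the audit itself needs no root, and any line it prints is a node whose mode or owner deviates from the root-only default.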
To check out what these were, I opened a (Python 2) shell as

    $ sudo python
    >>> f = open("/dev/hidraw0")
    >>> while True: print ord(f.read(1))
What this yielded was a long stream of numbers. Through some experimentation, I found that every keystroke was a list of 10 bytes:

    $ sudo python
    >>> f = open("/dev/hidraw0")
    >>> while True: print [ ord(x) for x in f.read(10) ]
I don’t know if it’s 10 for all keyboards, but I’m using a MacBook Air 4.2, running LXLE. After it started printing out, I noticed a few things:
The 2nd element (index 1) of the list correlated to modifier keys. In fact, they behaved like permission bits in a C bitmask: each bit is an independent switch. Through some experimentation, I discovered the following schema:

    MODIFIER KEYS: 8 BIT CODE:

    0 0 0 0 0 0 0 0
    | | | | | | | |___ Left Control
    | | | | | | |_____ Left Shift
    | | | | | |_______ Left Alt
    | | | | |_________ Left Super
    | | | |___________ Right Control
    | | |_____________ Right Shift
    | |_______________ Right Alt
    |_________________ Right Super
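To make the bit diagram concrete, here is an added example (not code from the original post) that decodes the modifier byte exactly as the diagram describes, bit 0 being Left Control and bit 7 Right Super, and chunks a byte stream into 10-byte reports the way the f.read(10) loop above does. It works on constructed sample reports rather than reading /dev/hidraw0, and it reports the remaining bytes as raw numbers because the post leaves the per-key codes to the linked source. The 10-byte length and the index-1 position of the modifier byte are taken from the post's own observations on its MacBook Air keyboard; the sample bytes are constructed.

```python
# Added example, not code from the original post. Decodes the modifier
# bitmask described above against constructed report bytes.

MODIFIER_BITS = [
    "Left Control", "Left Shift", "Left Alt", "Left Super",
    "Right Control", "Right Shift", "Right Alt", "Right Super",
]

REPORT_LEN = 10       # what the post observed on its keyboard
MODIFIER_INDEX = 1    # "the 2nd element (index 1)"


def decode_modifiers(byte):
    """Return the names of the modifier keys whose bit is set in `byte`,
    lowest bit first (bit 0 = Left Control ... bit 7 = Right Super)."""
    if not 0 <= byte <= 0xFF:
        raise ValueError("modifier byte out of range: %r" % byte)
    return [name for bit, name in enumerate(MODIFIER_BITS) if byte & (1 << bit)]


def parse_report(report):
    """Split one raw report into its modifier list and the remaining bytes."""
    if len(report) != REPORT_LEN:
        raise ValueError("expected %d bytes, got %d" % (REPORT_LEN, len(report)))
    values = list(report)   # bytes -> list of ints
    return {
        "modifiers": decode_modifiers(values[MODIFIER_INDEX]),
        "other_bytes": values[:MODIFIER_INDEX] + values[MODIFIER_INDEX + 1:],
    }


def split_reports(stream):
    """Chunk a byte stream into fixed-size reports; a trailing partial
    report (fewer than REPORT_LEN bytes) is dropped rather than mis-parsed."""
    usable = len(stream) - len(stream) % REPORT_LEN
    return [stream[i:i + REPORT_LEN] for i in range(0, usable, REPORT_LEN)]


# Constructed sample stream: three reports whose modifier bytes are
# 0x00 (none), 0x02 (Left Shift) and 0x81 (Left Control + Right Super).
# The 0x04 in the third report is just a placeholder non-modifier byte.
SAMPLE_STREAM = (
    bytes([0, 0x00, 0, 0x00, 0, 0, 0, 0, 0, 0]) +
    bytes([0, 0x02, 0, 0x00, 0, 0, 0, 0, 0, 0]) +
    bytes([0, 0x81, 0, 0x04, 0, 0, 0, 0, 0, 0])
)

if __name__ == "__main__":
    for rep in split_reports(SAMPLE_STREAM):
        print(parse_report(rep))
```

One caveat when reusing this on another keyboard: the standard USB HID boot-protocol keyboard report is 8 bytes (one modifier byte, one reserved byte, six key codes), so the 10-byte framing and the index-1 modifier position are specific to what the post measured and should be re-checked, as the post itself did, before trusting the decoded output.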
I was unsure about the keycodes themselves, and since I was a bit bored in class, I decided to test out every key that was available on the built-in MacBook Air 2011 keyboard.
The source can be found here: keylogger