👀 Linux kernel mode debugfs keylogger
jarun/spy
A Linux kernel module that records the keys pressed on the keyboard: a keylogger.
It's also an academic project for devs willing to learn Linux kernel module programming, with extensive comments, checkpatch.pl scanned code, standards-compliant Makefile and DKMS support.
spy was initially written for the US keyboard (and conforming laptops). By default it shows human-readable strings for the keys pressed. Optionally, the keycode shift_mask pair can be printed in hex or decimal. You can look up the keycodes in /usr/include/linux/input-event-codes.h.
The keypress logs are recorded in debugfs as long as the module is loaded. Only root or sudoers can read the log. The module name has been camouflaged to blend in with other kernel modules.
You can, however, execute a script at shutdown or reboot (the procedure would be distro-specific) to save the keys to a file.
DISCLAIMER: spy is intended to track your own devices and NOT to trespass on others. The author is not responsible for any unethical application.
Clone the repository and run:
# make
Note that you need to have the Linux kernel headers installed for your running kernel version.
To insert the module into the kernel, run:
# insmod kisni.ko
OR
# make load
To unload the module (and clear the logs), run:
# rmmod kisni
If you have DKMS installed, you can install spy in such a way that it survives kernel upgrades. It is recommended to remove older versions of spy by running dkms remove -m kisni -v OLDVERSION --all as root. To install the new version, run:
# make -f Makefile.dkms
To uninstall it, run:
# make -f Makefile.dkms uninstall
To view the pressed keys, run:
# cat /sys/kernel/debug/kisni/keys
modinfo kisni.ko
cat /sys/kernel/debug/kisni/keys
#
To log generic hex keycodes in the format keycode shift_mask, run:
# insmod kisni.ko codes=1
// Type something
# cat /sys/kernel/debug/kisni/keys
23 0
12 0
26 0
26 0
18 0
39 0
2a 0
2a 1
2a 1
11 1
18 0
13 0
26 0
20 0
2a 0
2a 1
2a 1
2 1
1c 0
1f 0
16 0
20 0
18 0
39 0
2e 0
1e 0
14 0
6a 0
1c 0
To log the keycodes in decimal, run:
# insmod kisni.ko codes=2
To check the module details:
# modinfo kisni.ko
filename: kisni.ko
description: Sniff and log keys pressed in the system to debugfs
version: 1.8
author: Arun Prakash Jana <engineerarun@gmail.com>
license: GPL v2
srcversion: F62F351D06A999293307C20
depends:
retpoline: Y
name: kisni
vermagic: 5.4.0-48-generic SMP mod_unload
parm: codes:log format (0:US keys (default), 1:hex keycodes, 2:dec keycodes) (int)
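When auditing a host, the artefacts named above (the kisni module name, the debugfs log path and a DKMS install) can be checked directly. The script below is an added example, not part of the spy project; the function name, the check_kisni.sh file name and the default DKMS tree /var/lib/dkms are assumptions.

```shell
#!/bin/sh
# Added example (not part of the spy project): list indicators that the
# kisni module is loaded or installed. ROOT is a path prefix: "" for the
# live system, or a mounted image / constructed test tree.
kisni_indicators() (
    root="$1"
    found=0
    # /proc/modules: the first field of each line is the module name.
    if [ -r "$root/proc/modules" ] &&
       awk '$1 == "kisni" { hit = 1 } END { exit !hit }' "$root/proc/modules"
    then
        echo "loaded: kisni listed in /proc/modules"; found=1
    fi
    # sysfs has one directory per loaded module.
    if [ -d "$root/sys/module/kisni" ]; then
        echo "loaded: /sys/module/kisni present"; found=1
    fi
    # The keypress log lives in debugfs (readable by root only).
    if [ -e "$root/sys/kernel/debug/kisni/keys" ]; then
        echo "log: /sys/kernel/debug/kisni/keys present"; found=1
    fi
    # Assumption: DKMS uses its default tree, /var/lib/dkms/<module>.
    if [ -d "$root/var/lib/dkms/kisni" ]; then
        echo "persist: DKMS tree /var/lib/dkms/kisni present"; found=1
    fi
    # Built module objects left under the kernel module directories.
    mods=$(find "$root/lib/modules" -name 'kisni.ko*' 2>/dev/null || true)
    if [ -n "$mods" ]; then
        echo "persist: module file(s): $mods"; found=1
    fi
    [ "$found" -eq 1 ]   # exit status 0 only when something was found
)

# Scan the live system (as root) with: sh check_kisni.sh --scan
# (check_kisni.sh is a hypothetical file name for this script.)
if [ "${1:-}" = "--scan" ]; then
    kisni_indicators "" || echo "no kisni indicators found"
fi
```

Run it as root, since debugfs is not readable by other users. A clean result only means these specific names and paths were not found.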
Copyright © 2015 Arun Prakash Jana