KLDetect is a keylogger detector for the Linux Desktop.
It can detect processes reading from /dev/input/event*
devices and kernel modules registered to listen to keyboard events.
Download or clone this repository:
git clone https://github.com/sebaschi/keylogger-detector.git
Navigate into the src directory:
cd keylogger-detector/src
Run a keylogger. KLDetect has been tested and shown to work on the following keylogger.
User progams:
Kernel Module:
KLDetect must be run as root (sudo). If KLDetect is not run as root the user is reminded to try again with root permissions.
Running without options just runs userspace detection:
./kldetect.py
To get a list of command line options:
./kldetect.py -h
To run with kernel module detection:
./kldetect.py -k
To run just kernel module detection
./kernel_detector.py
Running any part if this program in a lightheaded manner may break your system.
Killing processes and unloading modules should be done with caution. We suggest testing it an a VM.
If one runs the KLDetect with the kernel module keylogger detection option set, make sure to update the whitelist.txt with the safe kernel modules that you know you have on your system. In particular we highly suggest running lsmod > <path-to-kldetect>/whitelist.txt
, before inserting a kernel keylogger. This writes the modules currently inserted in the kernel to the whitelist. This way 'normal' modules that you already have installed on the 'clean' kernel will not accidentally be unloaded. Altough KLDetect should not unload any kernel modules currently used, better safe than sorry.
Copyright © 2023Michel Romancuk, Sebastian Lenzlinger
This project is Part of a Univeristy project at the Operating Systems lecture at the University of Basel, Switzerland. A project journal can be found here.