GreeenLog – Keylogger and Web Monitor for Linux

Why Use a Keylogger?

I was volunteering as a health insurance advisor when I first decided I wanted a keylogger. I reported client contacts via a web interface that would constantly timeout while I was typing. Upon clicking “Submit”, my data would become lost in cyberspace. When I remembered, I would copy the data to the clipboard first, but even then, if I accidentally hit Ctrl+C again instead of Ctrl+V to paste from the clipboard, all the data would still be lost. If only I could record everything that I typed, I would never have to worry about losing my data again.

There are several other reasons to have a personal keylogger. Install one on your home PC and tell your kids it’s there, just to keep them honest while they’re browsing the web. Help yourself remember where you found that really interesting web page yesterday. Retrieve the text from the document you prepared after it closed without saving. These are just a few examples. It can be very helpful. Yes, keyloggers catch passwords too. However, as long as you keep your PC safe from intrusion behind a firewall, the data in your keylogger database is as safe as your flatscreen TV.

Greeenlog

Greeenlog is my Keylogger for Linux. I have used an excellent C++ keylogger named logkeys and I have used pykeylogger, but Greeenlog is my favorite. Of course, I’m biased. You can decide for yourself. Here are the features:

Keylogger
My keylogger is written in pure Python, does not use external modules, connects directly to the keyboard driver, and was heavily inspired by Micah Dowty’s evdev module.
Web Monitor
Packet capture powered by libpcap via the pypcap module allows you to see every HTTP GET request sent from your computer over the active network interface. I have integrated a method I learned from R. Bhavesh to continuously check for the networking device actually in use, so no traffic is missed. To clear up the clutter captured by most packet sniffers, I developed custom filters to isolate (mostly) the specific requests you would see in the address bar of your browser.
Screenshots
Thanks to PyGTK, I was able to easily take a screenshot with each capture, and I used the Python Imaging Library to resize it and save it in the database.
Clipboard Text
Yes, I even catch periodic glimpses of the clipboard, again thanks to PyGTK.
Idle
Looking through a database full of empty data to find something useful is frustrating. Thanks to Jean Schurger, I’ve integrated a method to check the idle time in X. Nothing will be logged when the computer is idle.
SQLite Database
Data collected by Greeenlog is stored in a SQLite database, rather than a text file as other Linux keyloggers tend to do. You can then read the data with my custom viewer, as demonstrated below.
Information Assurance
Before storage in the database, a Hash-based Message Authentication Code (HMAC) is computed over the collected data using SHA1 and stored with the data. When you view the data in my custom viewer, the HMAC is re-calculated and compared to the original to ensure the data has not been altered. You will be alerted if someone tech-savvy has deleted information from the database to cover their tracks. For the same reasons, I also record system uptime and compare it side-by-side with keylogger uptime (that’s the time, in seconds, the system/program has been running). If the times don’t match, you know someone killed Greeenlog and then restarted it later.
Graphical User Interface
My custom database viewer is built with wxPython, as is the control dialog that appears when you press the secret key combination (Right ALT + Right CTRL + g). You can use the control dialog to kill the application, change settings, or change your password. The control dialog is password protected, and I used HMAC for password authentication, so the password does not need to be stored anywhere on your file system.
Archive Management
Database files are automatically named by date and stored in the Archive. Old files are automatically deleted from the archive. The database for one day is only about 5.3 MB, even after taking a screenshot every 10 minutes.
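
A tamper-evident log in the spirit of the Information Assurance feature above, as an added example (not Greeenlog's own code): each row's HMAC-SHA1 also covers the previous row's MAC, which goes beyond a per-record check so that deleted rows show up as well as altered ones. The table layout, key, and function names are assumptions.

```python
import hashlib
import hmac
import sqlite3

KEY = b"constructed-demo-key"  # assumption: in practice derived from the user's password
GENESIS = b"\x00" * 20         # chain start value (SHA-1 digest size)

def tag(prev_mac, seq, ts, text):
    """HMAC-SHA1 over the previous row's MAC plus this row's fields."""
    msg = b"|".join([prev_mac, str(seq).encode(), str(ts).encode(), text.encode("utf-8")])
    return hmac.new(KEY, msg, hashlib.sha1).digest()

def open_log():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE log (seq INTEGER PRIMARY KEY, ts INTEGER, text TEXT, mac BLOB)")
    return db

def append(db, ts, text):
    """Add a row chained to the newest one; return its MAC (the new chain head)."""
    row = db.execute("SELECT seq, mac FROM log ORDER BY seq DESC LIMIT 1").fetchone()
    seq, prev = (row[0] + 1, row[1]) if row else (1, GENESIS)
    mac = tag(prev, seq, ts, text)
    db.execute("INSERT INTO log VALUES (?, ?, ?, ?)", (seq, ts, text, mac))
    return mac

def verify(db, head=None):
    """Return a list of (seq, problem) findings; an empty list means the chain is intact."""
    findings, prev, expected = [], GENESIS, 1
    for seq, ts, text, mac in db.execute("SELECT seq, ts, text, mac FROM log ORDER BY seq"):
        if seq != expected:
            findings.append((seq, "gap: rows %d-%d missing" % (expected, seq - 1)))
        if not hmac.compare_digest(mac, tag(prev, seq, ts, text)):
            findings.append((seq, "MAC mismatch"))
        prev, expected = mac, seq + 1
    if head is not None and not hmac.compare_digest(prev, head):
        findings.append((None, "tail truncated or replaced"))
    return findings

if __name__ == "__main__":
    db = open_log()
    for i, line in enumerate(["alpha", "beta", "gamma"]):  # constructed sample records
        head = append(db, 1000 + i, line)
    db.execute("DELETE FROM log WHERE seq = 2")
    print(verify(db, head))
```

Rows removed from the end of the table are only visible if the last MAC returned by `append` is kept somewhere the person editing the database cannot reach, which is why `verify` accepts it as `head`.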

GreeenLog Screenshot

Weaknesses

There are several things I would improve about this application if I had more time to spend on it. The GUI is as simple as they get, for one thing. I would like to add some features to the viewer. Also, there are not nearly enough options. The only thing the user can change at this point is the logging interval. I’d also like to work on security a little more. I’ve actually written encryption methods for the database files (included in the utils.py file), but I haven’t implemented them yet.

Requirements

I developed Greeenlog to run on Ubuntu Linux, but it will probably run on any Linux distribution that uses the GNOME Display Manager. I guarantee it will not run on Windows. You will also need to have the following software installed:

Python
The whole application is written in Python. I specify version 2.6 at the top of all my files, but they would all probably run fine on an earlier version. This is installed by default on Ubuntu.
pypcap
Python extension module for libpcap. Get it on Ubuntu with sudo apt-get install python-pypcap.
PyGTK
Graphical User Interface module I use to interface with GNOME. Get it on Ubuntu with sudo apt-get install python-gtk2.
wxPython
Python binding for the wxWidgets GUI toolkit. If it isn’t already installed on your version of Ubuntu, you can get it with sudo apt-get install python-wxgtk2.8.
Python Imaging Library (PIL)
Image processing for Python. If you don’t have this installed already, get it in Ubuntu with sudo apt-get install python-imaging.

Download and Installation

Disclaimer: Greeenlog is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. That being said, I might be a bit of an amateur in some ways, but I am not a hacker. The software I’ve uploaded does not contain malware, and the program will not attempt to leak your personal information.

If you choose to try this, all you have to do is download greeenlog (zipped archive), extract it, and run the file called main.pyw. Assuming you’ve met all the dependencies above, it should run perfectly. Just make sure you run it with elevated privileges (sudo), because you can’t run a packet sniffer / keylogger without elevated privileges. You won’t see anything until you use the top secret key combination (Right ALT + Right CTRL + g). Also, nothing will be logged for about 10 minutes, so the logviewer won’t really have anything to display for the first 10 minutes. Be patient. If the program runs from the terminal without any errors, then you’re in business.

If you want more detailed instructions, download greeenlog using the link above, save it to your Desktop, and follow along:

Open a terminal and run:

~$ cd Desktop
~/Desktop$ tar zxvf ./greeenlog.tar.gz
./greeenlog/
./greeenlog/keylog.ico
./greeenlog/african.ttf
./greeenlog/keylog.py
./greeenlog/controls.py
./greeenlog/GNU_GPL_3_license.txt
./greeenlog/utils.py
./greeenlog/logviewer.pyw
./greeenlog/main.pyw
./greeenlog/logger.py
~/Desktop$ sudo ./greeenlog/main.pyw

At this point, the program should be running. If you see errors instead, ensure you have all the dependencies installed. If the program is running correctly, you’ll be able to open the control dialog with the key combination (Right ALT + Right CTRL + g). If it doesn’t work, sorry. Troubleshoot it if you can. If it does work, you might want to store it in a better location and set it up to start at login. Here’s where I keep it:

~/Desktop$ sudo mv ./greeenlog /usr/local

Now, to make it run at login is a bit tricky, because it needs to run with elevated privileges, which usually requires that you enter your password. I have outlined a workaround for this problem on this page: Run Application as Root at Startup. Just follow the directions and you’ll be ready to log!

About GreeenGuru

Computer Enthusiast

3 Responses to GreeenLog – Keylogger and Web Monitor for Linux

  1. Melanie says:

    thanks for a great keylogger!

  2. john says:

    Hi, great work! I use Ubuntu Lucid 64bit and this is so far the only one of the earlier mentioned keyloggers that works. I have one question though, it does not log the keyboard – is it maybe because it’s a USB keyboard?

  3. GreeenGuru says:

    It’s nice to know my keylogger is working for someone else. I’m disappointed to hear it’s not logging keystrokes though. It very well could be because my method for finding your keyboard device driver wasn’t effective for a USB keyboard. It should work if you add the driver manually. Try looking up your keyboard device driver from the terminal with this:


    sudo cat /var/log/Xorg.0.log | grep /dev/input/event | egrep -i 'keyboard|kbd'

    You should see which device driver is used for your keyboard. It should be /dev/input/event5 or something similar with a different number. If this was effective, then you can modify my program to default to your specific device driver. I’m not sure where you put the program, but if you have placed it in /usr/local/greeenlog as I have, then you can open the file that needs editing from the terminal with: sudo gedit /usr/local/greeenlog/utils.py. Regardless, open the file called utils.py and look on line 119. You should see something like this:

        if found_device == True:
            return device
        else:
            return None
    

    Modify that last line and change it from return None to return "/dev/input/event5" (substitute with your specific device driver number of course). Then save the file and exit. Make sure you have quit the keylogger then restart it. You can run it from the terminal with sudo /usr/local/greeenlog/main.pyw (substitute with the location you chose) so that any error messages will be displayed. Hopefully, after 10 minutes or whatever you set the logging interval to, you will now have keystrokes captured. If you do, please let me know! If not, please let me know that too and any error messages you received. Thanks for the feedback and good luck.
