Alan Coopersmith wrote:
> Faisal Mansoor wrote:
>> Hello all,
>>
>> I am trying to write a keylogger using dtrace for all kinds of applications.
>> Shellsnoop, written by Brendan Gregg, takes advantage of the fact that shells
>> use standard io file descriptors 0, 1, 2; the java command line applications
>> also use the same descriptors, so the same technique works for them as well,
>> but gui applications like firefox or gcaltool (calculator tool comes with
>> solaris 10) use a different mechanism for key inputs and I was not able to
>> customize the shellsnoop script for them.
>>
>> GUI applications continuously call syscall::read even if there are no key
>> presses, fld field for syscall::read:entry was 4 or 5 etc, the size of the
>> data read obtained from arg0 of syscall::read:return was 32 or more bytes
>> for all the calls and trying to read the buffer produces garbage or corrupts
>> the shell altogether.
>>
>> I searched for probes containing key pressed etc and found the fbt:kbtrans
>> module, which contained probes like kbtrans_keypressed and provides a
>> mechanism to capture key strokes. But I was not able to link keystrokes from
>> kbtrans_* functions with the application which eventually reads the key press
>> events queued by the kbtrans_queueevent function.
>>
>> I have a couple of questions. First, what is the best way to write a generic
>> keylogger and mouse input logger using dtrace, and second, for the situation
>> described above, how can one establish a link between kbtrans and other
>> modules consuming its output?
>
> GUI applications don't read the keyboard - they read events from the
> X server - the X server reads the keyboard and passes out events to
> whichever application has keyboard focus or has requested keyboard
> notification. The data format for these events is defined by the
> X11 protocol. You could monitor the X events sent by the X server
> using the Xserver Dtrace provider:
> http://people.freedesktop.org/~alanc/dtrace/
>
The different keyboard modes are documented in kb(7M).
