On Sun, Jul 02, 2006 at 09:34:50PM +0200, Peter Philipp wrote:

> On Sun, Jul 02, 2006 at 02:56:03PM -0400, Nick Guenther wrote:
> > I have some questions though:
> > How can you make a keylogger on UNIX? I thought that UNIX segmented
> > its memory spaces, unlike Windows which has the problem of a "global
> > key trampoline" (I'm sorry, I read this somewhere once and do not
> > remember exactly what it was called). I suppose if you replaced the
> > kernel then you could do this but I don't think that's what was meant.
>
> I think this was meant. man wskbd tells a little about the keyboard and
> the routines for this are in /sys/dev/wscons I think. Because you have
> the source, can recompile and the code is written with KISS in mind you'll
> be able to patch something up. However if you do you should check your
> morals, they come back to haunt you if you abuse them. Running a default
> kernel compiled by deraadt directly from the CD-ROM should ensure that no
> keylogger of any sort is installed in the kernel.

Well, provided the BIOS (or equivalent) cannot be flashed from the kernel, yes.
Of course, worrying about this requires raging paranoia. But from a quick look,
flashing the BIOS and combining it with an attack like the recent Blue Pill
<http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html>
(and elsewhere, but this one looks pretty complete) method would make for a
*very* nasty rootkit. Just rewriting the kernel that is loaded by the
bootloader would also be nasty, and potentially undetectable from software,
too - but that's old news, and I have a vague notion that the above could
likely be done in fewer instructions, which means that it's easier to put in
what limited space is available.

Of course, if you have people who can do this and are willing to invest the
time to actually do it after you, be glad you're running OpenBSD, be careful
with ports and new code, and remember - it's not paranoia if they really are
out to get you.

> There really isn't much
> reason to compile your own kernel unless you add your own stuff or want to
> change something.

Of course, that's still true.

Joachim

