{"id":13437333,"url":"https://github.com/jarun/spy","last_synced_at":"2025-04-05T01:06:35.810Z","repository":{"id":41543705,"uuid":"43768891","full_name":"jarun/spy","owner":"jarun","description":":eyes: Linux kernel mode debugfs keylogger","archived":false,"fork":false,"pushed_at":"2022-04-15T12:09:09.000Z","size":102,"stargazers_count":634,"open_issues_count":0,"forks_count":81,"subscribers_count":16,"default_branch":"master","last_synced_at":"2024-10-25T14:01:37.128Z","etag":null,"topics":["debugfs","kernel","kernel-module","kernel-programming","keylogger","linux-kernel","linux-kernel-module","linux-keylogger"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jarun.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG","contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null},"funding":{"github":"jarun"}},"created_at":"2015-10-06T18:06:57.000Z","updated_at":"2024-10-21T07:55:22.000Z","dependencies_parsed_at":"2022-08-10T03:10:24.648Z","dependency_job_id":null,"html_url":"https://github.com/jarun/spy","commit_stats":null,"previous_names":["jarun/keysniffer"],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jarun%2Fspy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jarun%2Fspy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jarun%2Fspy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jarun%2Fspy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jarun","download_url":"https://codeload.github.com/jarun/spy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247271530,"owners_count":20911587,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["debugfs","kernel","kernel-module","kernel-programming","keylogger","linux-kernel","linux-kernel-module","linux-keylogger"],"created_at":"2024-07-31T03:00:56.062Z","updated_at":"2025-04-05T01:06:35.789Z","avatar_url":"https://github.com/jarun.png","language":"C","funding_links":["https://github.com/sponsors/jarun"],"categories":["C","Applications","kernel"],"sub_categories":["Security"],"readme":"# spy\nA Linux kernel module to grab keys pressed in the keyboard, or a keylogger.\n\nIt's also an academic project for devs willing to learn Linux kernel module programming, with extensive comments, checkpatch.pl scanned code, standards-compliant Makefile and DKMS support.\n\nspy was initially written for the US keyboard (and conforming laptops). By default it shows human-readable strings for the keys pressed. Optionally, the `keycode shift_mask` pair can be printed in hex or decimal. You can lookup the keycodes in `/usr/include/linux/input-event-codes.h`.\n\nThe keypress logs are recorded in debugfs as long as the module is loaded. Only root or sudoers can read the log. The module name has been camouflaged to blend-in with other kernel modules.\n\nYou can, however, execute a script at shutdown or reboot (the procedure would be distro-specific) to save the keys to a file.\n\n**DISCLAIMER:** spy is intended to track your own devices and NOT to trespass on others. The author is not responsible for any unethical application.\n\n## Table of contents\n\n- [Compilation](#compilation)\n    - [Build](#build)\n    - [DKMS support](#dkms-support)\n- [Usage](#usage)\n- [License](#license)\n- [Developer](#developer)\n- [Links](#links)\n\n## Compilation\n### Build\nClone the repository and run:\n\n    # make\nNote that you need to have the linux kernel headers installed for your running kernel version.\n\nTo insert the module into the kernel, run:\n\n    # insmod kisni.ko\n    OR\n    # make load\n\nTo unload the module (and clear the logs), run:\n\n    # rmmod kisni\n\n### DKMS support\nIf you have DKMS installed, you can install spy in such a way that it survives kernel upgrades. It is recommended to remove older versions of spy by running `dkms remove -m kisni -v OLDVERSION --all` as root. To install the new version, run:\n\n    # make -f Makefile.dkms\n\nTo uninstall it, run:\n\n    # make -f Makefile.dkms uninstall\n\n## Usage\nTo view the pressed keys, run:\n\n```\n# cat /sys/kernel/debug/kisni/keys\nmodinfo kisni.ko\ncat /sys/kernel/debug/kisni/keys\n#\n```\n\nTo log generic hex keycodes in the format `keycode shift_mask`, run:\n\n```\n# insmod kisni.ko codes=1\n// Type something\n# cat /sys/kernel/debug/kisni/keys\n23 0\n12 0\n26 0\n26 0\n18 0\n39 0\n2a 0\n2a 1\n2a 1\n11 1\n18 0\n13 0\n26 0\n20 0\n2a 0\n2a 1\n2a 1\n2 1\n1c 0\n1f 0\n16 0\n20 0\n18 0\n39 0\n2e 0\n1e 0\n14 0\n6a 0\n1c 0\n```\n\nTo log the keycodes in decimal, run:\n\n    # insmod kisni.ko codes=2\n\nTo check the module details:\n\n```\n# modinfo kisni.ko\nfilename:       kisni.ko\ndescription:    Sniff and log keys pressed in the system to debugfs\nversion:        1.8\nauthor:         Arun Prakash Jana \u003cengineerarun@gmail.com\u003e\nlicense:        GPL v2\nsrcversion:     F62F351D06A999293307C20\ndepends:\nretpoline:      Y\nname:           kisni\nvermagic:       5.4.0-48-generic SMP mod_unload\nparm:           codes:log format (0:US keys (default), 1:hex keycodes, 2:dec keycodes) (int)\n```\n\n## License\n\u003ca href=\"https://github.com/jarun/googler/blob/master/LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/license-GPLv2-yellow.svg?maxAge=2592000\" alt=\"License\" /\u003e\u003c/a\u003e\n\n## Developer\nCopyright © 2015 [Arun Prakash Jana](mailto:engineerarun@gmail.com)\n\n## Links\n- http://www.gadgetweb.de/programming/39-how-to-building-your-own-kernel-space-keylogger.html\n- https://wiki.archlinux.org/index.php/Xmodmap\n- http://www.osdever.net/bkerndev/Docs/keyboard.htm\n- http://arjunsreedharan.org/post/99370248137/kernel-201-lets-write-a-kernel-with-keyboard\n- http://www.linuxquestions.org/questions/slackware-14/how-to-match-x-keyboard-layout-with-the-the-kernel-keyboard-map-4175455061/\n- http://www.tldp.org/LDP/lkmpg/2.4/html/x1210.html\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjarun%2Fspy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjarun%2Fspy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjarun%2Fspy/lists"}