/dev/console

Noah Petherbridge
kirsle
Posted by Noah Petherbridge on Thursday, March 05 2009 @ 05:44:03 PM
Somehow or another, I was playing around in a Linux terminal and discovered the program `showkey`. This program shows you the decimal key code for any key on the keyboard that you type in, and quits after 10 seconds since your last keypress.

More interestingly, it warned me that the X Server was running, and that the results might be off a little because the X Server also reads from /dev/console. Apparently /dev/console outputs some binary for all your keypresses, and only root has read access to it (this is probably a good thing). I'm not sure yet what /dev/console binds to, but it seems that whatever your active console (or X session) is, that's what keypresses can be seen there.

If you do `cat /dev/console` as root and type stuff, the terminal prints two binary characters for each keypress. With this one could theoretically make a keylogger. So, out of boredom and to see if I could, I started writing a Perl script to read from /dev/console. For obvious reasons I won't release any code, but for the curious (and those more knowledgeable than the script kiddies)...

I'm relatively sure that the two bytes should be read together as a signed short 32-bit integer. That is, I convert it to decimal and then 4 hex characters by doing this:

my $dec = unpack("S", $buffer);
my $hex = sprintf("%04x", $dec);
From now on, a "byte" refers to a pair of hexadecimal characters. So "1e9c" is two bytes, 1e and 9c.

It seems that the first byte tends to indicate the key typed on the keyboard, and when converted to decimal shows the same number as showkey does. The second byte might be a modifier on the first byte, for example all four arrow keys send the key code 0xE0 as their first byte, and then the second byte is 0x48 for up, 0x50 for down, 0x4D for right and 0x4B for left.

There's almost no documentation about how to read the binary coming in from /dev/console. I had to look at the source code of showkey.c to get more of an idea. Once I realized that the first byte lines up with the decimal codes given by showkey, that helped a lot. The second byte is weird though: it seems to depend on the character you typed before it. For instance:

1e 9c - Pressed a
1e 9e - Pressed a
1e 9e - Pressed a
30 9e - Pressed b
30 b0 - Pressed b
30 b0 - Pressed b
1e b0 - Pressed a
1e 9e - Pressed a
1e 9e - Pressed a
30 9e - Pressed b
1e b0 - Pressed a
So my Perl script catches a lot of keys, then every now and then the "mode" randomly changes or something and the whole entire keymap gets shifted by about 100; I've figured these were for capital letters or when the shift key was pressed and added the capital letters to my key map, but I don't know why it does this. At any rate, I forgot I left my script running when I locked my screen, and unlocked it to see that it logged my entire password.

It'd be great if there was actually some documentation about this, but I've discovered a lot about it just from tinkering with it so far.

Categories:

[ Blog ]

Comments

There is 1 comment on this page.

Avatar
guest
Posted on Saturday, November 14 2015 @ 06:20:16 PM by ari.

I want to download Ms-dos 6.22 on the virtual box but i don't have the download nor do I have the drivers. How can I get this so that I can download it into the virtual machine, thank you in advanced for your help.

Add a Comment

Your name:
Your Email:
Message:
Comments can be formatted with Markdown, and you can use
emoticons in your comment.

If you can see this, don't touch the following fields.