Linux Desktop Monitoring Software

January 25, 2010 by Noah
Over a period of time I've put together two Perl scripts to help monitor a Linux desktop system.

Why? To see if anybody else uses my computer when I'm not there, and to see what they were doing with it.

screenspy - Linux desktop monitoring daemon

This is the visual desktop monitoring script. It takes quite a lot of screenshots during periods when the desktop is currently being used.

Basically, you run this script as root, and it monitors your major hardware input devices for any activity. By default it watches /dev/console (which, on Fedora systems, seems to output data whenever there's keyboard activity), and /dev/input/mice (which is a common node for the collective input of any and all mice attached to a computer).

When it sees any activity at all on either of these devices (it doesn't care what the devices are doing, it just cares that they're active), it begins taking screenshots. If you use the keyboard or mouse for a little bit, and then stop for 2 seconds, it takes a screenshot. If you use the keyboard or mouse constantly and don't stop, it will take a screenshot every 5 seconds.

So it essentially creates a visual log of everything you were doing on the computer; every time you type, stop typing, type like crazy, move the mouse, stop moving the mouse... anything that happens, a screenshot is taken.

It uses scrot to take the screenshot, since this is the lightest-weight screen capturing program I could find. Using ImageMagick's import command is slow, and makes the computer beep, and GNOME's screensaver application can't run without showing a GUI window.

You can check it out here. You'll be required to edit the script in the "configuration" section though, at least to change the directory where it saves the screenshots to.

Since the script runs as root, the images it creates are naturally owned by root as well, and can't be deleted by the nonprivileged user, even if the user does manage to find the screenshots. Better yet, you can have the screenshots saved under root's home directory, keeping them completely out-of-sight for the user. And, to kill the script, you have to be root since it will be a root-owned process. +1 if your unauthorized users don't know your root password!

keylog - A Simple Keylogger

This is just a simple keylogger that reads from one of the input event devices, like /dev/input/event0. You run it as root again, and it saves keystrokes to a file under /tmp.

Actually, it doesn't store all keystrokes; instead, it stores what the user "intended" to type. That is, if a user begins typing a sentence and makes a typo and hits backspace a few times and then continues typing, what gets logged is what they actually ended up typing... you don't see their typo; when they hit backspace, the log buffer also deleted the last character it logged, before saving it to disk.

It separates what they type based on certain "divider characters," which includes Tab, Return and Enter. So as they fill out a web form, the script would log one line of text for each field they filled out as they tab through the form. Also, if they delay their typing for a few seconds it will dump the current buffer to the log file as well, so if they're a particularly slow typer, one "sentence" may span multiple lines in the log file.

I can't recommend using this keylogger for malicious purposes, it's just being uploaded for educational purposes only and should only be used as a personal desktop monitoring solution, if it should be used at all.

Source code: keylog.



There are 5 comments on this page. Add yours.

Avatar image posted on November 8, 2010 @ 15:23 UTC

Hi Kirsle,

Sorry to bother you. I am interested in your perl scripts but I have no idea how to implement it. I have downloaded both of them but don't know what to do with it. I know it's boring to you explaining this to a newbie but I would really appreciate if you could do it.

Thanks Patrice

Avatar image posted on November 9, 2010 @ 01:32 UTC

Hi, It's me again. Actually I understood how to run the script by doing "chmod +x" but it doesn't work. I have change the line scalar(@ARGV) or die "Usage: keylog \nExample: keylog /dev/input/event0"; to scalar(@ARGV) or die "Usage: keylog /dev/input/event3"; cause when i am doing "cat /proc/bus/input/devices" the result is : I: Bus=0011 Vendor=0001 Product=0001 Version=ab41 N: Name="AT Translated Set 2 keyboard" P: Phys=isa0060/serio0/input0 S: Sysfs=/devices/platform/i8042/serio0/input/input3 U: Uniq= H: Handlers=kbd event3 B: EV=120013 B: KEY=402000000 3803078f800d001 feffffdfffefffff fffffffffffffffe B: MSC=10 B: LED=7

but when i look at my file in temp I don0t have anything.

If you could give me a hint.



Avatar image
Office 2007 Key posted on June 17, 2011 @ 08:12 UTC

I am interested in your perl scripts but I have no idea how to implement it.

Avatar image
Jonathan Pelletier posted on October 12, 2011 @ 08:32 UTC

ur keylogger sucks real hard and your pink sun background is really shitty as fuck.

im sorry you actually EXIST.

Avatar image
Michael Lush posted on January 6, 2013 @ 13:10 UTC

I found this post really useful... I've been on a long quest to find a reliable way to intercept USB HID input. I've built a RasPi box to play sound effects at the press of a wireless USB Keypad (I'm writing this up on as the Dramatron (still in draft form))

It occurs to me that you could combine a keylogger with X10 protocol so you can use a cheap wireless keypad as a home automation control system.

Also in my travels I've found there evtest ( which is great for probing the /dev/input filesystem and Linux::Input ( which parses /dev/input/event?

Add a Comment

Used for your Gravatar and optional thread subscription. Privacy policy.
You may format your message using GitHub Flavored Markdown syntax.