2.60 LGPL (GNU Lesser General Public License)    
2.5/5 24
ttyrpld is a Kernel-based keylogger and screenlogger for Linux.





ttyrpld is a Kernel-based keylogger and screenlogger for Linux, FreeBSD and OpenBSD, and includes a real-time, tail-following log analyzer.

ttyrpld supports most tty types, including vc, bsd and unix98-style ptys (xterm/ssh), serial, isdn, etc.

Being implemented within the Kernel makes it unavoidable for the default user. Another benefit is that it runs with no overhead if the user-space logging daemon is not active.

ttyrpld consists of four components:

kpatch: The Kernel patch adds a few lines to provide the rpldev extension hooks, which (any) module can then get onto. The system was not directly written for black-hats who want to leave as little traces as possible, keep in mind.

rpldev: The Kernel module is responsible for grabbing the data off the tty line and providing a character device for the user-space logging daemon. Data grabbed of the tty is directly passed to the overlying daemons, so with the correct terminal settings you can get a 1:1 replay.

For systems where module loading is not possible (OpenBSD for example), these two components are integrated into the kpatch.

rpld: Having received the captured data, the logging daemon can store them in any format and/or facility, with or without compression, just as it likes, for this happens in user-space and thus you have all the fluffy libraries available. (That would not be the case from Kernel space.)
Last updated on October 10th, 2009

0 User reviews so far.