Note: this is talking about the *nix oses.

Alright, now there are keyloggers and tcp-ip wrappers. (UDP too, i guess). So here goes my question.

I was reading a past issue of 2600, volume 19 number 3, that discussed creating a fake game in order to trick a new user into giving the game their root password. For example, it would go like this (the output):

Loading...
Error 14: flexer.dll not found
Fatal Error: Dropping to guest shell
Please su back to root.
$su root
Password:

Thats where the Key-Wrapper would come in. In this case, the game didn't ACTUALLY drop, but instead it simply is faking the new user into thinking there was a fatal error and giving the "game" their root password. Most advanced users would look at this and think it queer, but who knows how awake they are when they use it (3:00am linux game sessions. i think you know what I mean).

So what I was wondering is how to insert the equivilent of a TCP-Wrapper into your own system for keyboard input. After the information has been "input" (Carriage Return I guess...), the Wrapper would kick up, look at the information and where it is being sent. It would then have some sort of output:

Information "password" being sent to PID 779. Is this okay (Y/N)?

Maybe not even PID, but the actual program name. That way, if this situation did come around where you didn't know whether it was a real shell or a fake shell, this program would tell you "hey, sensitive data is being sent to this program!".

The program could be as simple as to simply check every single input with program arguments ('keywords' that the user wants under careful watch such as passwords) and if they match, have that output. Or it could have that output for every single input.

Now I could do all of the above except for one part, the most difficult one in my mind. How do I place the wrapper so it intercepts these inputs? Would I have to code it through the kernel, changing some of that information, or is there some system call I can change?

My idea now is to change the PATH location of the shell to my code. Then the code forwards the information to the shell and back or something -- but thats too upfront and in your face. I want a transparent program that scans in the background. I know that for a TCP-IP wrapper could can change the tcpd in inetd.conf (or xinetd) for the wrapper code. Is this possible with my kind of code?

an example wrapper: http://web.archive.org/web/20010604005016/void.box.sk/files/coding/VN-TCP-WRAPPER.c

Much thanks in advance (and tell me if it doesn't make any sense)
-visage
_________________________
http://www.javaspot.net