Locating the keyboard driver (and replacing it)

Tue Jan 8 11:11:54 EST 2013

On Tue, Jan 8, 2013 at 9:28 AM, Peter Teoh <htmldeveloper at gmail.com> wrote:

> This article gave a very indepth coverage of the keyboard processing in
> linux:
>
> http://www.phrack.com/issues.html?issue=59&id=14&mode=txt
>
>
> http://www.gadgetweb.de/programming/39-how-to-building-your-own-kernel-space-keylogger.html
>
> Not sure about your architecture, but for my Lenovo laptop, when I do a
> "cat /dev/input/by-path/platform-i8042-serio-0-event-kbd" and redirect to a
> file, every single key input I entered is captured into the the file.
>
> Therefore, looking into the kernel source, we can infer the files
> drivers/input/serio/i8042.c are responsible for the keyboard processing.
> Of course, this file is compiled into the kernel, not as a kernel module.
> So if u want to make any changes, instead of recompile the kernel and
> rebooting, one way to do dynamically is called "inline hooking" - look
> elsewhere for this method.   It is explained in the following article:
>
> http://www.phrack.com/issues.html?issue=59&id=14&mode=txt
>
> but note the difference between the Phrack's interception and intercepting
> the API inside the i8042.c:   when you do a
> "cat  /dev/input/by-path/platform-i8042-serio-0-event-kbd" the keyboard
> entry is always captured - irregardless of whichever windows/terminal you
> are in.   But the Phrack's method is cleaner - it is intercepting at the
> tty (eg drivers/tty/n_tty.c:receive_buf() inside the kernel source) level -
> so if you switch over to another window, the input got switch away - it is
> thus targetted to only that TTY.
>
> And btw, USB keyboard's processing path is altogether different
> again....another
>
> http://www.lrr.in.tum.de/Par/arch/usb/download/usbdoc/usbdoc-1.32.pdf
>
> and perhaps u can read here many good writeups:
>
> http://stackoverflow.com/search?q=usb+keyboard+kernel
>
>
> On Fri1, Dec 14, 2012 at 3:46 PM, manty kuma <mantykuma at gmail.com> wrote:
>
>> Hi,11
>>
>>
>> I have written a small module that toggles the capslock LED. To
>> demonstrate it i want to replace the Existing keyboard module with mine. I
>> tried lsmod|grep "key" without any success. also checked /proc/modules. I
>> couldnot find any clue regarding the name of the module i need to
>> uninstall. So, How can i remove the existing keyboard module and insert
>> mine?
>>
>> Regards,
>> Manty
>>
>>
>>
>> _______________________________________________
>> Kernelnewbies mailing list
>> Kernelnewbies at kernelnewbies.org
>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>
>>
>
>
> --
> Regards,
> Peter Teoh
>
> _______________________________________________
> Kernelnewbies mailing list
> Kernelnewbies at kernelnewbies.org
> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>
>

Hi Manty

You can share the interrupt from keyboard , in the code above you just need
to change the number 10 for the number of your keyboard interrupt. You can
find that number in cat /proc/interrupts

          CPU0
  0:        178    XT-PIC-XT        timer
  1:       1301    XT-PIC-XT        i8042 >>>> this is the old keyboard
interrupt
  2:          0    XT-PIC-XT        cascade
  5:      16528    XT-PIC-XT        ahci, Intel 82801AA-ICH
  8:          0    XT-PIC-XT        rtc0
  9:       2191    XT-PIC-XT        acpi, vboxguest
 10:        488    XT-PIC-XT        eth0
 11:         25    XT-PIC-XT        ohci_hcd:usb1
 12:        697    XT-PIC-XT        i8042
 14:       3186    XT-PIC-XT        ata_piix
 15:          0    XT-PIC-XT        ata_piix

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/interrupt.h>
#include <linux/init.h>

struct tasklet_struct task;
unsigned long counter;

irq_handler_t irq_handler (int irq, void *dev_id, struct pt_regs *regs)
{
  counter++;

  printk ("Top Half ISR is being hit counter = %d  !! \n",(int)counter);
  task.data = counter;
  tasklet_schedule(&task);
  return (irq_handler_t) IRQ_HANDLED;
}

void bottom_half(unsigned long data)
{
  printk("Executing bottom half.. data = %d\n",(int)data+10);

}

static int init_intkey ()
{
  printk("Hi there !!!!\n");
  tasklet_init(&task,&bottom_half,(unsigned long)&counter);
  request_irq (10,(irq_handler_t)irq_handler, IRQF_SHARED,
"MyIrqHangingOfAtaDev", (void*)(irq_handler));
  return 0;
}

static void exit_intkey(void) {
  free_irq(10,(void*)(irq_handler));
  tasklet_kill(&task);
  printk("Sayonara\n");
}

module_init(init_intkey);
module_exit(exit_intkey);

MODULE_LICENSE("GPL");

Hope it helps

Regards
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20130108/0e4ffb45/attachment-0001.html 