Wrapping char device monitor
I am working on a kind of forensic shim, another layer in file integrity monitoring.
Looking for a way to wrap or monitor a /dev/device character file for writes and log what's being written to it. As an example, I have a system that has a loaded .ko that will write data to the /dev/device special char file. I want to capture all the writes to the device. Suggestions?
I suppose one person's forensic shim is another person's keylogger.
Perhaps that is why the question has not attracted any replies.
I guess in those terms, there does exist legit "keylogging", but in my case it's a .ko loaded in that writes data obtained from probing some SoC gpio pins to a char device. Not everything has bad-actor intent.
I was going to suggest inotify, but couldn't you just "cat" or "tail" the device?
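As an added example, not part of the thread or anyone's posted code, here is a small C watcher along the lines of the inotify suggestion above. It assumes a Linux host and that the writer goes through the VFS (a write issued via the normal file path raises fsnotify events; a module that calls a driver's file_operations directly does not). It also shows the limit of the approach: inotify reports that an open, write or close happened on the node, not the bytes written, so logging the payload needs a shim in the write path rather than a watcher. The temp-file path and the "gpio:17=1" payload used by the self-test are constructed stand-ins for /dev/device and the .ko's data.

```c
/* Added example (not from the thread): log inotify events on a device node.
 * Assumption: Linux, writer goes through the VFS so fsnotify hooks fire. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <time.h>
#include <unistd.h>

/* Read one batch of queued events from the inotify fd, print a log line per
 * event and return the OR of all masks seen (0 on EOF/error). */
static uint32_t drain_events(int ifd, const char *path)
{
    char buf[4096] __attribute__((aligned(8)));
    uint32_t seen = 0;
    ssize_t n = read(ifd, buf, sizeof buf);
    if (n <= 0)
        return 0;
    for (char *p = buf; p < buf + n;) {
        struct inotify_event *ev = (struct inotify_event *)p;
        seen |= ev->mask;
        /* Note what is logged: timestamp, path and event type only. The
         * written bytes are not available through inotify. */
        printf("%ld %s mask=0x%08x%s%s%s\n", (long)time(NULL), path, ev->mask,
               (ev->mask & IN_OPEN) ? " OPEN" : "",
               (ev->mask & IN_MODIFY) ? " MODIFY" : "",
               (ev->mask & IN_CLOSE_WRITE) ? " CLOSE_WRITE" : "");
        p += sizeof *ev + ev->len;
    }
    return seen;
}

/* Watch `path`, perform one write to it from this process (a stand-in for
 * the .ko's write), and return the combined event mask observed. */
uint32_t observe_one_write(const char *path, const void *data, size_t len)
{
    int ifd = inotify_init1(IN_CLOEXEC);
    if (ifd < 0)
        return 0;
    int wd = inotify_add_watch(ifd, path, IN_OPEN | IN_MODIFY | IN_CLOSE_WRITE);
    if (wd < 0) { close(ifd); return 0; }

    int fd = open(path, O_WRONLY);
    if (fd < 0) { close(ifd); return 0; }
    if (write(fd, data, len) != (ssize_t)len) { close(fd); close(ifd); return 0; }
    close(fd);

    /* open, write and close are all queued by now; one read returns them. */
    uint32_t seen = drain_events(ifd, path);
    inotify_rm_watch(ifd, wd);
    close(ifd);
    return seen;
}

/* Self-test on a temp file standing in for /dev/device (constructed input). */
uint32_t devwatch_self_test(void)
{
    char tmpl[] = "/tmp/devwatch-XXXXXX";      /* hypothetical node path */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return 0;
    close(fd);
    static const char sample[] = "gpio:17=1\n"; /* constructed payload */
    uint32_t seen = observe_one_write(tmpl, sample, sizeof sample - 1);
    unlink(tmpl);
    return seen;
}

/* Stand-alone use: ./devwatch /dev/device  (logs until the watch fd closes) */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /dev/device\n", argv[0]);
        return 2;
    }
    int ifd = inotify_init1(IN_CLOEXEC);
    if (ifd < 0 || inotify_add_watch(ifd, argv[1], IN_OPEN | IN_MODIFY | IN_CLOSE_WRITE) < 0) {
        perror("inotify");
        return 1;
    }
    while (drain_events(ifd, argv[1]) != 0)
        ;
    return 0;
}
```

Running it against the real node needs read permission on /dev/device for the watcher, and the self-test's expected events (OPEN, MODIFY, CLOSE_WRITE) are exactly what an ordinary write(2) from user space produces; a kernel module that bypasses the VFS will show nothing here, which is the case where a wrapper driver is the only option.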