Basic Keylogger in ubuntu

Today I am going to help you guys started with a basic keylogger on your linuxbox. The program will have everything you expect out of a keylogger:

  • It will run in the background(kind of incognito or stealth mode).
  • It would map almost all of the keys entered by the user into a log file.
  • It can be stopped and consequently started by specious commands :P

This post is going to be a tad bit longer than my other posts, so brace yourselves. I hope you guys would use this for learning purposes only.

How does a keylogger work?

From what I could figure out after making one, a keylogger is essentially a script which can be written in a language of your choice. It captures the keystrokes punched in by the user and logs those keys into a file. So two questions that need to be addressed immediately:

  1. How to get the keystrokes?
  2. How to make sense out of those keystrokes from a C/Python/Java script?

To get the keystrokes, we need to know how the Operating System makes sense of keystrokes and find if there are any internal/debug commands avaiable to set/load keymaps. Ubuntu makes it quite easy for you. There is a command called showkey that does what its name says. You can check out the manual page for this command or alternatively type the following command on your terminal to get the manual entry:

Now the keys on your laptop are associated with a unique keycode that tells ubuntu which key was pressed by you. To get a feel of how it internally works, type the following in your terminal:

You should see the keystrokes getting logged with there pressed/release events and being associated with their keycodes like so:


So now the workflow of our keylogger is going to look something like this:

  1. Continuously use the showkey command in the background to get the keycodes of the keys pressed by the user.
  2. Some how map the keycodes back to the unique keys (A log file loaded with keycodes won’t really make sense to any one)

For the first part, yes we are going to use a bash script and the second part can be accomplished using a programming language of your choice.

We first need to however get a list of all the mappings of keys to their keycodes for the script in part(2) to work. Thankfully those bindings are already tabulated in a logical manner in the /usr/share/ibus/keymaps  folder in the commons textfile. You can make a copy of it in your keylogger project folder(if you created one) or refer to it directly. For those who could not find this file, it looks like this:

Save the above file as keymaps.txt in your project folder. Now the bash script can do its magic. Initialise a bash script with some misleading name(preferably like or something) in your project folder. The code for looks something like this:

Look at the only while loop in the script. You should note that I simply dump the contents of showkey into logger.txt and after every dump I call my python script(you will shortly find out what it does.). The input arguments to a bash script can be referenced as $1(first argument),$2(second argument) and so on. So we pass one argument to start and stop the process. Actually the bash script will start even with no arguments however if you give start as the first argument, it prints a fun and misleading message :P

For the above command to work, make the script executable first(you won’t be able to refer to it as ./backup) otherwise run it like primitive shell scripts. Now that we have our shell script running, you can take it for a spin and initially comment out the lines that refer to the python script. You should see the logger.txt crowded with all kind of showkey outputs. If you don’t see an output and instead get an error on running the bash script saying:

Try running the bash script with super-user previleges and it should all work now. Assuming you have got this sorted out, we successfully logged the keystrokes into a text file and therefore you have already made a keylogger now (the “hard” part is over :P). All you need to accomplish now is some window dressing to make the output look presentable. I chose python, you can do it with any language of your choice.

The referred to in the bash script looks something like this:

This logs the keystrokes(with date and time) into a file called output.log. I captured the press and release events of shift and capslock keys separately for obvious reasons. So now your project folder should have the following files: | keymaps.txt | | logger.txt (if you took a dry run on the bash script with the python code commented out.)

Note: Please fix the paths of all your files(logs and scripts) as per your project folder. For example: The path of logger.txt should look something like-  /home/YourUserName/YourKeyloggerProjectFolder/logger.txt


Run the bash script as it is now and the output.log should look something like this:

Now that you have your keylogger up and logging, there is still some work cut out for us. We still need to automate the process of starting the logging session (on startup probably and we can end whenever by issuing the stop command to the bash script mentioned before). To make the bash script run on start up. Just edit your /etc/rc.local file to this:

 Note: Again, fix the path of as per your project folder. The “&” at the end makes it run in the background :)


Now you have a fully functional and stealthy keylogger installed in your linuxbox. You can always customize it as per your needs, set up cron jobs to automatically mail you the logs!(I am working on it :D)