Linux keylogger without root or sudo! Is it real?

Somebody on Youtube claims to have a keylogger on Ubuntu that was neither executed nor installed as root. The link below shows a demo of it working.

http://www.youtube.com/watch?v=Y1fZAZTwyPQ

Despite their claims to the contrary, this person could have installed it as root before demonstrating for the video. Is there any other semi-credible evidence that this is really possible without root for installation or execution?

UPDATE: The software referenced in the June 24 answer wouldn't install without sudo/root. I've added a bounty to whoever gives a link to a working Linux keylogger software that can be installed and run with regular user privileges.


Yes, it is real. If you have been exploited (via an open source supply chain attack, browser vulnerability, email attachment etc.) and an attacker can run code with your user privileges, they can register a program via GNOME or KDE autostart facilities which run programs on login.

Any program can get the scan codes of all pressed keys in the X Window System. This is easily demonstrated with the xinput command:

$ xinput list
# identify the ID of your keyboard device
$ xinput test <that id>

If nothing shows up, change the id to another one in the list.

See this post on GUI isolation for details, by a core contributor to Qubes OS, the only OS designed from the ground up to mitigate this risk (and many others).


The concept in that video is 100% real and the code is very simple.

Identify your keyboard id with: xinput --list

Log keystrokes with: xinput --test $id

Match numbers to keys with: xmodmap -pke


Yes it is possible.
You can try it on your own machine with similar software lkl .


I haven't watched the video, so I'm responding to the impression I got about what it claims from the SU thread rather than the video you cite.

If an attacker can run code on your machine as your user, then they can log your key presses.

Well, duh. All the applications you're running have access to your key presses. If you're typing stuff in your web browser, your web browser has access to your key presses.

Ah, you say, but what about logging key presses in another application? As long as the other application is running on the same X server, they can still be logged. X11 doesn't attempt to isolate applications — that's not its job. X11 allows programs to define global shortcuts, which is useful for input methods, to define macros, etc.

If the attacker can run code as your user, he can also read and modify your files, and cause all kinds of other harm.

This is not a threat. It's part of the normal expectations of a working system. If you allow an attacker to run code on your machine, your machine isn't safe anymore. It's like if you open your front door and allow an axe murderer in: if you then get cleaved in two, it's not because your front door is insecure.

The keylogger can only log keys pressed by the infected user. (At least as long as the infected user doesn't type the sudo password.)