Skip to content
🔍 Linux kernel mode debugfs keylogger
Branch: master
Clone or download
Latest commit e2ba03a Apr 12, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
dkms Add DKMS support Nov 12, 2017
CHANGELOG Prepare for release v1.7 Mar 6, 2018
LICENSE Changed the license to GPL v2. Oct 12, 2015
Makefile Add targets install, load, unload, uninstall Nov 12, 2017
Makefile.dkms Add DKMS support Nov 12, 2017 Update docs Apr 12, 2019
keysniffer.c Prepare for release v1.7 Mar 6, 2018


A Linux kernel module to grab keys pressed in the keyboard, or a keylogger.

It's also an academic project for devs willing to learn Linux kernel module programming, with extensive comments, scanned code, standards-compliant Makefile and DKMS support.

keysniffer was initially written for the US keyboard (and conforming laptops). By default it shows human-readable strings for the keys pressed. Optionally, the keycode shift_mask pair can be printed in hex or decimal. You can lookup the keycodes in /usr/include/linux/input-event-codes.h.

The keypress logs are recorded in debugfs as long as the module is loaded. Only root or sudoers can read the log. The module name has been camouflaged to blend-in with other kernel modules.

You can, however, execute a script at shutdown or reboot (the procedure would be distro-specific) to save the keys to a file.

DISCLAIMER: keysniffer is intended to track your own devices and NOT to trespass on others. The author has never used it to compromise any third-party device and is not responsible for any unethical application.

Love smart and efficient utilities? Explore my repositories. Buy me a cup of coffee if they help you.

Donate via PayPal!

Table of contents



Clone the repository and run:

# make

Note that you need to have the linux kernel headers installed for your running kernel version.

To insert the module into the kernel, run:

# insmod kisni.ko
# make load

To unload the module (and clear the logs), run:

# rmmod kisni

DKMS support

If you have DKMS installed, you can install keysniffer in such a way that it survives kernel upgrades. It is recommended to remove older versions of keysniffer by running dkms remove -m kisni -v OLDVERSION --all as root. To install the new version, run:

# make -f Makefile.dkms

To uninstall it, run:

# make -f Makefile.dkms uninstall


To view the pressed keys, run:

# cat /sys/kernel/debug/kisni/keys
modinfo kisni.ko
cat /sys/kernel/debug/kisni/keys

To log generic hex keycodes in the format keycode shift_mask, run:

# insmod kisni.ko codes=1
// Type something
# cat /sys/kernel/debug/kisni/keys
23 0
12 0
26 0
26 0
18 0
39 0
2a 0
2a 1
2a 1
11 1
18 0
13 0
26 0
20 0
2a 0
2a 1
2a 1
2 1
1c 0
1f 0
16 0
20 0
18 0
39 0
2e 0
1e 0
14 0
6a 0
1c 0

To log the keycodes in decimal, run:

# insmod kisni.ko codes=2

To check the module details:

# modinfo kisni.ko
filename:       kisni.ko
description:    Sniff and log keys pressed in the system to debugfs
version:        1.7
author:         Arun Prakash Jana <>
license:        GPL v2
srcversion:     26381298B8DB375C50B04EA
name:           kisni
vermagic:       4.13.0-32-generic SMP mod_unload
parm:           codes:log format (0:US keys (default), 1:hex keycodes, 2:dec keycodes) (int)




Copyright © 2015 Arun Prakash Jana


You can’t perform that action at this time.