Modern Keystroke Logger
What Is SRKL?
SRKL (Secure Remote Keystroke Logger) is a modern keystroke logger. Instead of logging keystrokes to a file, it streams keystrokes in near real-time to a self-hosted server over HTTPS. The server stores the keystroke payload, which includes the key pressed and the exact timestamp of the action, allowing you to see not only what was done on a system but when it was done. The transcriber can produce highly readable output containing only visible keys, or highly verbose output that includes non-visible keys such as escape and shift.
- The agent is not system resource intensive; it offloads as much work as possible to the server.
How SRKL Works
An agent running on a system bundles and delivers keystrokes to a self-hosted server component in near real-time over a TLS-enabled connection. It's smart enough to retain keystrokes while the system is offline and deliver them in a single payload once the system is back online, after which the agent resumes near real-time delivery of keystrokes.
A transcriber sequences and decodes delivered keystrokes into readable text, optionally displaying keystrokes that do not generate characters, such as shift, escape, and function keys.
macOS (OS X / Darwin) only at the moment. Other platforms are on the project roadmap.
Extremely alpha. Functionality is known to be broken, missing or incomplete. More API, command, and file format changes will happen. The repository is open to solicit feedback and contributions from the community.
A few important things to note: it hasn't yet completely earned the "secure" in its name. While it does transmit payloads securely over HTTPS, keystroke data is currently persisted to disk unencrypted. The server also stores the keystroke data on disk unencrypted at the moment. Encrypting data at these points is on the roadmap.
SRKL is to be used only on systems you own and have the right to run such programs on. It's for personal security and self-quantification.
- Aid in recovery of lost or stolen laptops.
- Log potential tampering or snooping by unauthorized or unwanted users.
The agent can only be started by the root user on a system. It's only meant to be installed by the owner of a device to monitor and secure their own systems.
It can be installed and run as an OS X launch daemon. It will start on boot and capture input from any user. It listens for SIGTERM to know when the system is being shut down. It will persist any undelivered payloads to disk, reload them at boot time, and then begin attempting delivery again once the system is online.
The agent WILL NOT capture input from OS X's secure input fields, and makes no attempt to bypass this. Some sensitive things, including passwords, may be captured in non-secure input fields, like terminal prompts.
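To check whether a Mac you administer has a launch daemon that runs this agent, the following added example (not part of the SRKL project) lists launchd jobs whose executable is named `srkl`. It assumes the daemon plist sits in the standard `/Library/LaunchDaemons` directory; the `com.example.*` labels mentioned in its comments are constructed, since the README does not state the plist name.

```python
import plistlib
from pathlib import Path

# Assumption: system-wide launch daemons live in the standard macOS directory.
DEFAULT_DIRS = ["/Library/LaunchDaemons"]
# From the README: the binary is named srkl (installed to /usr/local/bin).
BINARY_NAME = "srkl"


def program_of(job):
    """Return the executable a launchd job runs, or None if it names none."""
    if isinstance(job.get("Program"), str):
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def find_daemons(dirs=DEFAULT_DIRS, binary_name=BINARY_NAME):
    """List launchd jobs whose executable file name equals binary_name."""
    hits = []
    for d in dirs:
        for path in sorted(Path(d).glob("*.plist")):
            try:
                with open(path, "rb") as fh:
                    job = plistlib.load(fh)  # reads XML and binary plists
            except Exception:
                continue  # unreadable or malformed plist: skip it
            if not isinstance(job, dict):
                continue
            prog = program_of(job)
            # Match on the file name so a relocated binary is still found.
            if prog and Path(prog).name == binary_name:
                hits.append({
                    "plist": str(path),
                    "label": job.get("Label"),  # e.g. a com.example.* label
                    "program": prog,
                    "run_at_load": bool(job.get("RunAtLoad", False)),
                })
    return hits


if __name__ == "__main__":
    for hit in find_daemons():
        print(hit)
```

Matching on the executable's file name rather than the job label means a renamed plist is still reported, but a renamed binary is not.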
Download, load immediately, and configure to start on boot:
    go get github.com/lukeheuer/srkl
    sudo srkl
    sudo srkl -fi
Full Run: Install, start agent, start server, capture payloads, transcribe payloads
    # Installs to $GOBIN
    go get github.com/lukeheuer/srkl

    # Installs to /usr/local/bin, installs launch daemon
    sudo srkl -fi

    # Generate, and install dev certs
    sudo srkl -ic -oc

    # Generate, review, and edit config
    sudo srkl -nc
    sudo vi /usr/local/etc

    # Start the agent
    sudo srkl -ld

    # Start the server in another tab
    sudo srkl -s

    # Transcribe data in another
    sudo srkl -t

    -a    start agent
    -fi   full install (install binary and launch daemon), shortcut for -i -il
    -gc   generate dev cert
    -i    install binary
    -id   install launch daemon
    -ld   launch daemon
    -nc   write default config file
    -oc   open generated dev cert
    -rd   reload daemon
    -s    start server
    -t    start transcriber
    -tv   start transcriber and include key symbols for invisible or other keys
    -u    uninstall binary
    -ud   unload daemon
    -uid  uninstall launch daemon
    -v    display version information
We must ask that you use this tool for its intended, lawful purpose.