[Forensics-changes] [SCM] debian-forensics/unhide branch, debian, updated. debian/20080519-6-5-gfc16582

Christophe Monniez christophe.monniez at fccu.be
Wed Feb 24 09:43:40 UTC 2010


The following commit has been merged in the debian branch:
commit 5245bd247094d3e77940fd90353f9ce7064ba984
Author: Christophe Monniez <christophe.monniez at fccu.be>
Date:   Wed Feb 24 09:41:04 2010 +0100

    Merging upstream version 20100201.

diff --git a/LEEME.txt b/LEEME.txt
index 7ca6c78..6360cfc 100644
--- a/LEEME.txt
+++ b/LEEME.txt
@@ -8,12 +8,12 @@ por rootkits / LKMs o cualquier otra tecnica de ocultacion.
 
 Permite identificar procesos que hayan sido ocultados. Implementa tres tecnicas:
 
-·Comparacion de la informacion obtenida por /bin/ps frente a los directorios en /proc 
+* Comparacion de la informacion obtenida por /bin/ps frente a los directorios en /proc 
 
-·Comparacion de la informacion visible por /bin/ps frente a la que se puede obtener 
+* Comparacion de la informacion visible por /bin/ps frente a la que se puede obtener 
  utilizando diversas sycalls del sistema (syscall scanning).
 
-·Ocupacion por fuerta bruta del espacio de PIDs disponibles en el sistema (PIDs bruteforcing)
+* Ocupacion por fuerta bruta del espacio de PIDs disponibles en el sistema (PIDs bruteforcing)
 
 
 // Unhide-TCP 
@@ -32,6 +32,15 @@ unhide-linux26.c --> Procesos ocultos, Linux 2.6.x
 
 unhide-tcp.c --> Puertos tcp/udp ocultos
 
+// Compilación
+
+gcc --static unhide.c -o unhide
+
+gcc --static unhide-tcp.c -o unhide-tcp
+
+gcc -Wall --static -pthread unhide-linux26.c -o unhide-linux26
+
+
 // Licencia
 
 GPL V.3 (http://www.gnu.org/licenses/gpl-3.0.html)
@@ -50,3 +59,7 @@ Francois Marier (francois at debian.org) Por crear las paginas man y dar soporte en
 
 Johan Walles (johan.walles at gmail.com) Por encontrar y solucionar un importante fallo del tipo "condicion de carrera"
 
+Jan Iven (jan.iven at cern.ch) Por sus magníficas mejoras, nuevos tests y bugfixing
+
+P. Gouin (pg.bug.cvs.pgn at free.fr) Por su increible trabajo 'fixeando' bugs y mejorando el rendimiento
+
diff --git a/README.txt b/README.txt
index 66f56c5..6830c67 100644
--- a/README.txt
+++ b/README.txt
@@ -7,11 +7,11 @@ or by another hidden technique.
 
 Detecting hidden processes. Implements three techniques
 
-·Compare /proc vs /bin/ps output
+* Compare /proc vs /bin/ps output
 
-·Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
+* Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
 
-·Full PIDs space ocupation (PIDs bruteforcing)
+* Full PIDs space ocupation (PIDs bruteforcing)
 
 // Unhide-TCP
 
@@ -28,6 +28,14 @@ unhide-linux26.c --> Hidden processes, Linux 2.6.x
 
 unhide-tcp.c --> Hidden TCP/UDP Ports
 
+// Compiling
+
+gcc --static unhide.c -o unhide
+
+gcc --static unhide-tcp.c -o unhide-tcp
+
+gcc -Wall --static -pthread unhide-linux26.c -o unhide-linux26
+
 // License
 
 GPL V.3 (http://www.gnu.org/licenses/gpl-3.0.html)
@@ -45,3 +53,7 @@ Lorenzo Martinez (lorenzo at lorenzomartinez.homeip.net) Some ideas to improve and
 Francois Marier (francois at debian.org) Author of the man pages and Debian support
 
 Johan Walles (johan.walles at gmail.com) Find and fix a very nasty race condition bug
+
+Jan Iven (jan.iven at cern.ch) Because of his great improvements, new tests and bugfixing
+
+P. Gouin (pg.bug.cvs.pgn at free.fr) Because of his incredible work fixing bugs and improving the performance
diff --git a/unhide-linux26 b/unhide-linux26
deleted file mode 100755
index 1500530..0000000
Binary files a/unhide-linux26 and /dev/null differ
diff --git a/unhide-linux26.c b/unhide-linux26.c
index 29ba1ab..e280714 100644
--- a/unhide-linux26.c
+++ b/unhide-linux26.c
@@ -1,9 +1,16 @@
 /* Unhide yjesus at security-projects.com */
 
+// Needed for unistd.h to declare getpgid() and others
+#define _XOPEN_SOURCE 500
+
+// Needed for sched.h to declare sched_getaffinity()
+#define _GNU_SOURCE
+
 #include <stdio.h>
 #include <string.h>
 #include <sys/stat.h>
 #include <unistd.h>
+#include <wait.h>
 #include <sys/resource.h>
 #include <errno.h>
 #include <dirent.h>
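Review bot: `#include <wait.h>` on the new side is a glibc-only compatibility header; the POSIX header that declares `waitpid()` is `<sys/wait.h>`, and the static `-pthread` build in the README will not find `<wait.h>` on other libcs. Change it to `#include <sys/wait.h>`. The `#define _XOPEN_SOURCE 500` just above is also redundant once `_GNU_SOURCE` is defined, since `_GNU_SOURCE` already enables the X/Open declarations; keeping only `_GNU_SOURCE` with a comment naming the symbols it is needed for (`getpgid`, `sched_getaffinity`, `SYS_gettid`) would be clearer. The include list continues in the next hunk.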
@@ -12,474 +19,777 @@
 #include <signal.h>
 #include <stdlib.h>
 #include <sys/sysinfo.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <sys/syscall.h>
 
 
-#define COMMAND "nice -20 ps axHo sess,pid | awk '{ print $2 }' | grep -v PID"
-#define SESSION "ps axHo sess,pid | awk '{ print $1 }' | grep -v SESS"
-#define PGID "ps axHo pgid,pid | awk '{ print $1 }' | grep -v PGID"
+// we are looking only for real process not thread and only one by one
+#define COMMAND "ps --no-header -p %i o pid"
+// we ara looking for session ID one by one
+#define SESSION "ps --no-header -s %i o sess"
+// We are looking for group ID one by one
+// but ps can't select by pgid
+#define PGID "ps --no-header -eL o pgid"
+// We are looking for all processes even threads
+#define THREADS "ps --no-header -eL o lwp"
+// for sysinfo scanning, fall back to old command, as --no-header seems to create
+// an extra process
+#define SYS_COMMAND "ps -eL o lwp"
 
 
 // sysctl kernel.pid_max
 int maxpid= 32768;
 
+// For Threads sync
+int tid ;
 
-int isfaked(int pidtmp) {
-	
-	
-	int count ;
-	struct dirent *ptr;
-	DIR *dirp;
-	char path[1000] ;
-	
-	sprintf(path,"/proc/%i/task",pidtmp);
-	
-	errno= 0 ;
-	
-	dirp = opendir(path) ;
+void *funcionThread (void *parametro) {
 
-	count = 0;
-	
-		
-	if ( errno == 0) { 	
-		
-		
-		while ((ptr = readdir(dirp)) != NULL) {
+	tid = (pid_t) syscall (SYS_gettid);
+	return(&tid) ;
+};
 
-			count++;
-		}
-		
-		if ( count > 3 ) { return(1) ;}
-	
-		else {return(0);}
 
+void get_max_pid(int* newmaxpid) {
+	char path[]= "/proc/sys/kernel/pid_max";
+	pid_t tmppid = 0;
+	FILE* fd= fopen(path,"r");
+	if(!fd) {
+		printf("[*] Error: cannot get current maximum PID: %s\n", strerror(errno));
+		return;
 	}
-	
-	else {return(0);}
 
 
+	if((fscanf(fd, "%d", &tmppid) != 1) || tmppid < 1) {
+		printf("[*] cannot get current maximum PID: Error parsing %s format\n", path);
+		return;
+	} else {
+		*newmaxpid = tmppid;
+	}
+	fclose(fd) ;
 }
 
 
-void checkps(int tmppid, int morechecks) {
-	
+int checkps(int tmppid, int morechecks) {
+
 	int ok = 0;
 	char pids[30];
-	char sessionpids[30] ;
-	char pgidpids[30] ;
-	
+
 	char compare[100];
-	char comparesession[100];
-	char comparepgid[100];
-	
-	
+	char command[60];
+
+
 	FILE *fich_tmp ;
-	
-	fich_tmp=popen (COMMAND, "r") ;
-	
-	
+
+// The compare string is the same for all test
+	sprintf(compare,"%i\n",tmppid);
+
+	sprintf(command,COMMAND,tmppid) ;
+
+	fich_tmp=popen (command, "r") ;
+	if (fich_tmp == NULL) {
+		printf("Warning : popen failed while ps checking pid %d (memory, or something set errno: %s)\n", tmppid, strerror(errno));
+		return(0);
+	}
+
 	while (!feof(fich_tmp) && ok == 0) {
-		
+		char* tmp_pids = pids;
+
 		fgets(pids, 30, fich_tmp);
-		
-		sprintf(compare,"%i\n",tmppid);
-		
-		if (strcmp(pids, compare) == 0) {ok = 1;}
-		
-		
-        }
-	
-	pclose(fich_tmp);
-	
+		pids[29] = 0;
+
+		while( *tmp_pids == ' ' && tmp_pids <= pids+29) {
+			tmp_pids++;
+		}
+
+		if (strncmp(tmp_pids, compare, 30) == 0) {ok = 1;}
+
+	}
+
+	if (fich_tmp != NULL)
+		pclose(fich_tmp);
+
+	if (1 == ok) return(ok) ;	 // pid is found, no need to go further
+
+	FILE *fich_thread ;
+
+	fich_thread=popen (THREADS, "r") ;
+	if (fich_thread == NULL) {
+		printf("Warning : popen failed while thread checking pid %d (memory, or something set errno: %s)\n", tmppid, strerror(errno));
+		return(0);
+	}
+
+	while (!feof(fich_thread) && ok == 0) {
+		char* tmp_pids = pids;
+
+		fgets(pids, 30, fich_thread);
+		pids[29] = 0;
+
+		while( *tmp_pids == ' ' && tmp_pids <= pids+29) {
+			tmp_pids++;
+		}
+
+		if (strncmp(tmp_pids, compare, 30) == 0) {ok = 1;}
+
+
+	}
+	if (fich_thread != NULL)
+		pclose(fich_thread);
+
+	if (1 == ok) return(ok) ;	 // thread is found, no need to go further
+
 	if (morechecks == 1) {
-	
+
 		FILE *fich_session ;
-	
-		fich_session=popen (SESSION, "r") ;
-	
-	
+
+		sprintf(command,SESSION,tmppid) ;
+
+		fich_session=popen (command, "r") ;
+		if (fich_session == NULL) {
+			printf("Warning : popen failed while session checking pid %d (memory, or something set errno: %s)\n", tmppid, strerror(errno));
+			return(0);
+		}
+
+
 		while (!feof(fich_session) && ok == 0) {
-		
-			fgets(sessionpids, 30, fich_session);
-		
-			sprintf(comparesession,"%i\n",tmppid);
-		
-			if (strcmp(sessionpids, comparesession) == 0) {ok = 1;}
-		
-		
-		}
-	
+			char* tmp_pids = pids;
+
+			fgets(pids, 30, fich_tmp);
+			pids[29] = 0;
+
+			while( *tmp_pids == ' ' && tmp_pids <= pids+29) {
+				tmp_pids++;
+			}
+
+			if (strncmp(tmp_pids, compare, 30) == 0) {ok = 1;}
+
+		}
+
 		pclose(fich_session);
-		
-		
+
+		if (1 == ok) return(ok) ;	 // session is found, no need to go further
+
 		FILE *fich_pgid ;
-	
+
 		fich_pgid=popen (PGID, "r") ;
-	
-	
+		if (fich_pgid == NULL) {
+			printf("Warning : popen failed while pgid checking pid %d (memory, or something set errno: %s)\n", tmppid, strerror(errno));
+			return(0);
+		}
+
 		while (!feof(fich_pgid) && ok == 0) {
-		
-			fgets(pgidpids, 30, fich_pgid);
-		
-			sprintf(comparepgid,"%i\n",tmppid);
-		
-			if (strcmp(pgidpids, comparepgid) == 0) {ok = 1;}
-		
-		
-		}
-	
+			char* tmp_pids = pids;
+
+			fgets(pids, 30, fich_pgid);
+			pids[29] = 0;
+
+			while( *tmp_pids == ' ' && tmp_pids <= pids+29) {
+				tmp_pids++;
+			}
+
+			if (strncmp(tmp_pids, compare, 30) == 0) {ok = 1;}
+
+		}
+
 		pclose(fich_pgid);
-		
-	}
-	
-	
-	if ( ok == 0 ) {
-		
-		int faked ;
-		int statuscmd ;
-		char cmd[100] ;
-		
-		faked = isfaked(tmppid) ;
-		
-		
-		if ( faked == 0 ) {
-
-			struct stat buffer;
-			
-			printf ("Found HIDDEN PID: %i\n", tmppid) ;
-	
-		
-			sprintf(cmd,"/proc/%i/cmdline",tmppid);
-		
-			statuscmd = stat(cmd, &buffer);
-		
-			if (statuscmd == 0) {
-			
-				FILE *cmdfile ;
-				char cmdcont[1000];
-			
-				cmdfile=fopen (cmd, "r") ;
-			
-			
-				while (!feof (cmdfile)) {
-				
-					fgets (cmdcont, 1000, cmdfile);
-					printf ("Command: %s\n\n", cmdcont);
-				
-				}
+
+	}
+	return ok;
+}
+
+void printbadpid (int tmppid) {
+
+	int statuscmd ;
+	char cmd[100] ;
+	struct stat buffer;
+
+	printf ("Found HIDDEN PID: %i\n", tmppid) ;
+
+	sprintf(cmd,"/proc/%i/cmdline",tmppid);
+
+	statuscmd = stat(cmd, &buffer);
+
+	if (statuscmd == 0) {
+
+		FILE *cmdfile ;
+		char cmdcont[1000];
+
+		cmdfile=fopen (cmd, "r") ;
+
+		if (cmdfile != NULL) {
+
+			while (!feof (cmdfile)) {
+
+				fgets (cmdcont, 1000, cmdfile);
+				printf ("Command: %s\n\n", cmdcont);
 			}
-		}	
-	}		
-	
+			fclose(cmdfile);
+		}
+	}
 }
 
-	
 
 void checkproc() {
-	
+
 	int procpids ;
-	int statusproc;
+	int statusprocbefore, statusprocafter;
 	struct stat buffer;
-	
+
 	printf ("[*]Searching for Hidden processes through /proc scanning\n\n") ;
-		
+
 	for ( procpids = 1; procpids <= maxpid; procpids = procpids +1 ) {
-		
+
 		char directory[100] ;
-		
-		
+
+
 		sprintf(directory,"/proc/%d",procpids);
-		
-		
-		statusproc = stat(directory, &buffer) ;
-		
-		if (statusproc == 0) {
-			
-			checkps(procpids,0);
-			
+
+		statusprocbefore = stat(directory, &buffer) ;
+		if (statusprocbefore != 0) {
+			continue;
 		}
-		
+
+		if(checkps(procpids,0)) {
+			continue;
+		}
+
+		statusprocafter = stat(directory, &buffer) ;
+		if (statusprocafter != 0) {
+			continue;
+		}
+
+		printbadpid(procpids);
 	}
 }
 
 void checkgetpriority() {
-	
+
 	int syspids ;
-	
+
 	printf ("[*]Searching for Hidden processes through getpriority() scanning\n\n") ;
-	
-	
+
 	for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) {
-		
+
 		int which = PRIO_PROCESS;
-		
+
 		int ret;
-		
+
 		errno= 0 ;
-		
+
+		ret = getpriority(which, syspids);
+		if ( errno != 0) {
+			continue;
+		}
+
+		if(checkps(syspids,0)) {
+			continue;
+		}
+
+		errno=0;
 		ret = getpriority(which, syspids);
-		
-		if ( errno == 0) {
-			
-			checkps(syspids,0);
+		if ( errno != 0) {
+			continue;
 		}
+
+		printbadpid(syspids);
 	}
 }
-		
+
 void checkgetpgid() {
-	
+
 	int syspids ;
-	
-	
+
+
 	printf ("[*]Searching for Hidden processes through getpgid() scanning\n\n") ;
-	
-	
-	
+
 	for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) {
-		
+
 		int ret;
-		
+
 		errno= 0 ;
-		
+
 		ret = getpgid(syspids);
-		
-		if ( errno == 0) {
-			
-			checkps(syspids,0);
+		if ( errno != 0 ) {
+			continue;
 		}
+
+		if(checkps(syspids,0)) {
+			continue;
+		}
+
+		errno=0;
+		ret = getpgid(syspids);
+		if ( errno != 0 ) {
+			continue;
+		}
+
+		printbadpid(syspids);
 	}
-}		
-		
+}
+
 
 void checkgetsid() {
-	
+
 	int syspids ;
-	
-	
+
+
 	printf ("[*]Searching for Hidden processes through getsid() scanning\n\n") ;
-	
-	
+
 	for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) {
-		
+
 		int ret;
-		
+
 		errno= 0 ;
-		
+
 		ret = getsid(syspids);
-		
-		if ( errno == 0) {
-			
-			checkps(syspids,0);
+		if ( errno != 0) {
+			continue;
+		}
+		if(checkps(syspids,0)) {
+			continue;
 		}
+		errno=0;
+		ret = getsid(syspids);
+		if ( errno != 0) {
+			continue;
+		}
+
+		printbadpid(syspids);
+
 	}
-}		
+}
 
 
 void checksched_getaffinity() {
-	
+
 	int syspids;
-	unsigned long mask;
-	
+	cpu_set_t mask;
+
 	printf ("[*]Searching for Hidden processes through sched_getaffinity() scanning\n\n") ;
-	
-	
+
 	for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) {
-		
+
 		int ret;
-		
+
 		errno= 0 ;
-		
-		ret = sched_getaffinity(syspids, sizeof(unsigned int), &mask);
-		
-		if ( errno == 0) {
-			
-			checkps(syspids,0);
+
+		ret = sched_getaffinity(syspids, sizeof(cpu_set_t), &mask);
+		if (errno != 0) {
+			continue;
 		}
+		if (checkps(syspids,0)) {
+			continue;
+		}
+		errno=0;
+		ret = sched_getaffinity(syspids, sizeof(cpu_set_t), &mask);
+		if (errno != 0) {
+			continue;
+		}
+
+		printbadpid(syspids);
 	}
-}		
+}
 
 
 void checksched_getparam() {
-	
+
 	int syspids;
 	struct sched_param param;
-	
+
 	printf ("[*]Searching for Hidden processes through sched_getparam() scanning\n\n") ;
-	
-	
+
+
 	for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) {
-		
+
 		int ret;
-		
+
 		errno= 0 ;
-		
+
+		ret = sched_getparam(syspids, &param);
+		if ( errno != 0) {
+			continue;
+		}
+
+		if(checkps(syspids,0)) {
+			continue;
+		}
+
+		errno=0;
 		ret = sched_getparam(syspids, &param);
-		
-		if ( errno == 0) {
-			
-			checkps(syspids,0);
+		if ( errno != 0) {
+			continue;
 		}
+
+		printbadpid(syspids);
+
 	}
-}		
+}
 
 void checksched_getscheduler() {
-	
+
 	int syspids ;
-	
-	
+
+
 	printf ("[*]Searching for Hidden processes through sched_getscheduler() scanning\n\n") ;
-	
-	
+
 	for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) {
-		
+
 		int ret;
-		
+
 		errno= 0 ;
-		
+
 		ret = sched_getscheduler(syspids);
-		
-		if ( errno == 0) {
-			
-			checkps(syspids,0);
+		if ( errno != 0) {
+			continue;
+		}
+
+		if(checkps(syspids,0)) {
+			continue;
 		}
+
+		errno=0;
+		ret = sched_getscheduler(syspids);
+		if ( errno != 0) {
+			continue;
+		}
+
+		printbadpid(syspids);
+
 	}
-}		
+}
 
 void checksched_rr_get_interval() {
-	
+
 	int syspids;
 	struct timespec tp;
-	
+
 	printf ("[*]Searching for Hidden processes through sched_rr_get_interval() scanning\n\n") ;
-	
-	
+
 	for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) {
-		
+
 		int ret;
-		
+
 		errno= 0 ;
-		
+
 		ret = sched_rr_get_interval(syspids, &tp);
-		
-		if ( errno == 0) {
-			
-			checkps(syspids,0);
+		if ( errno != 0) {
+			continue;
+		}
+
+		if(checkps(syspids,0)) {
+			continue;
+		}
+
+		errno=0;
+		ret = sched_rr_get_interval(syspids, &tp);
+		if ( errno != 0) {
+			continue;
+		}
+
+		printbadpid(syspids);
+	}
+}
+
+void checkkill() {
+
+	int syspids;
+
+	printf ("[*]Searching for Hidden processes through kill(..,0) scanning\n\n") ;
+
+	for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) {
+
+		int ret;
+
+		errno= 0 ;
+		ret = kill(syspids, 0);
+		if ( errno != 0) {
+			continue;
+		}
+
+		if(checkps(syspids,0)) {
+			continue;
+		}
+
+		errno= 0 ;
+		ret = kill(syspids, 0);
+		if ( errno != 0) {
+			continue;
+		}
+
+		printbadpid(syspids);
+	}
+}
+
+void checkallnoprocps() {
+
+	/* compare the various system calls against each other,
+	 * without invoking 'ps' or looking at /proc */
+
+	int ret;
+	int syspids;
+	struct timespec tp;
+	struct sched_param param;
+	cpu_set_t mask;
+	int found=0;
+	int found_killbefore=0;
+	int found_killafter=0;
+
+	printf ("[*]Searching for Hidden processes through  comparison of results of system calls\n\n") ;
+
+	for ( syspids = 1; syspids <= maxpid; syspids++ ) {
+
+		found=0;
+		found_killbefore=0;
+		found_killafter=0;
+
+		errno=0;
+		ret = kill(syspids, 0);
+		if (errno == 0) found_killbefore=1;
+
+		errno= 0 ;
+		ret = getpriority(PRIO_PROCESS, syspids);
+		if (errno == 0) found++;
+
+		errno= 0 ;
+		ret = getpgid(syspids);
+		if (errno == 0) found++;
+
+		errno= 0 ;
+		ret = getsid(syspids);
+		if (errno == 0) found++;
+
+		errno= 0 ;
+		ret = sched_getaffinity(syspids, sizeof(cpu_set_t), &mask);
+		if (ret == 0) found++;
+
+		errno= 0 ;
+		ret = sched_getparam(syspids, &param);
+		if (errno == 0) found++;
+
+		errno= 0 ;
+		ret = sched_getscheduler(syspids);
+		if (errno == 0) found++;
+
+		errno=0;
+		ret = sched_rr_get_interval(syspids, &tp);
+		if (errno == 0) found++;
+
+		errno=0;
+		ret = kill(syspids, 0);
+		if (errno == 0) found_killafter=1;
+
+
+		/* these should all agree, except if a process went or came in the middle */
+		if (found_killbefore == found_killafter) {
+			if ( ! ((found_killbefore == 0 && found == 0) ||
+					  (found_killbefore == 1 && found == 7)) ) {
+				printf ("Found HIDDEN PID: %i\n", syspids) ;
+			}
+		} /* else: unreliable */
+		else {
+			printf("Warning : syscall comparison test skipped for PID %d", syspids);
 		}
 	}
 }
 
 void checksysinfo() {
-	
+
 	struct sysinfo info;
 	int contador=0;
-	int resultado=0;
+	int resultado_antes=0;
+	int resultado_despues=0;
 	int ocultos=0;
 	char buffer[500];
 
 	FILE *fich_proceso ;
-	
+
 	printf ("[*]Searching for Hidden processes through sysinfo() scanning\n\n") ;
-	
-	fich_proceso=popen (COMMAND, "r") ;
-	
-	
+
+	sysinfo(&info);
+	resultado_antes=info.procs;
+
+	fich_proceso=popen (SYS_COMMAND, "r") ;
+	if (fich_proceso == NULL) {
+		printf("popen failed while checking sysinfo (memory, or something set errno: %s)\n", strerror(errno));
+		return;
+	}
+
+	buffer[499] = '\0';
 	while (!feof(fich_proceso)) {
-		
-		fscanf( fich_proceso, "%s", &buffer );	
+
+		fscanf( fich_proceso, "%499s", &buffer[0] );
 		contador++;
-		
-        }
-	
+
+	}
+
 	pclose(fich_proceso);
-	
+
 	sysinfo(&info);
-	
-	resultado=contador-5;
-	ocultos=info.procs-resultado;
-	
-	if (ocultos >0) {
-		
-		printf("HIDDEN Processes Found:%i\n",ocultos) ;
+	resultado_despues=info.procs;
+
+//	resultado=contador-5;
+//	ocultos=info.procs-resultado;
+	if (resultado_antes == resultado_despues) {  /* otherwise intermittent activity.. */
+
+		ocultos=resultado_despues - contador + 3;
+
+		if (ocultos != 0) {
+
+			printf("HIDDEN Processes Found: %i\n",abs(ocultos)) ;
+
+		}
+	}
+	else {
+		printf("Warning : sysinfo test skipped due to intermittent activity");
 	}
 
 }
 
 
 void brute() {
-	
+
 	int i=0;
-	int vpid;
 	int allpids[maxpid] ;
 	int x;
 	int y;
 	int z;
-	
-	
-	printf ("[*]Starting scanning using brute force against PIDS\n\n") ;
-	
-	for(x=0; x < 299; x++) {
-		
-		allpids[x] = '\0' ;
-	}
-	
-	
+
+	printf ("[*]Starting scanning using brute force against PIDS with fork()\n\n") ;
+
+	// PID under 300 are reserved for kernel
+	for(x=0; x < 300; x++) {
+
+		allpids[x] = 0 ;
+	}
+
+
 	for(z=300; z < maxpid; z++) {
-		
+
 		allpids[z] = z ;
 	}
-	
-	
+
+
 	for (i=0; i < maxpid; i++) {
-		
+		int vpid;
+		int status;
+
+		errno= 0 ;
+
+		if ((vpid = vfork()) == 0) {
+
+//		 allpids[getpid()] =  0;
+
+		 _exit(0);
+		}
+
+		if (0 == errno) {
+			allpids[vpid] =  0;
+			waitpid(vpid, &status, 0);
+		}
+	}
+
+	/* processes that quit at this point in time create false positives */
+
+	for(y=0; y < maxpid; y++) {
+
+		if (allpids[y] != 0) {
+
+			if(!checkps(allpids[y],1) ) {
+
+				printbadpid(allpids[y]);
+
+			}
+		}
+
+	}
+
+
+	printf ("[*]Starting scanning using brute force against PIDS with Threads\n\n") ;
+
+	// PID under 300 are reserved for kernel
+	for(x=0; x < 300; x++) {
+
+		allpids[x] = 0 ;
+	}
+
+
+	for(z=300; z < maxpid; z++) {
+
+		allpids[z] = z ;
+	}
+
+
+	for (i=0; i < maxpid ; i++) {
+		void *status;
+
 		errno= 0 ;
-		
-		if (vfork() == 0) { 
-			
-			vpid = getpid();
-			
-			allpids[vpid] =  '\0';
-			
-			exit(1);
-		}
-		
-		waitpid(vpid);
-		
-	}
-	
+
+		pthread_t idHilo;
+
+		int error;
+
+		error = pthread_create (&idHilo, NULL, funcionThread, NULL);
+
+		if (error != 0)
+		{
+			perror ("Warning : Cannot create thread !");
+			exit (-1);
+		}
+
+		error = pthread_join(idHilo, &status);
+
+		if (error != 0)
+		{
+			perror ("Warning : Cannot join thread !");
+			exit (-1);
+		}
+
+		allpids[tid] =  0;
+
+	}
+
+	/* processes that quit at this point in time create false positives */
+
 	for(y=0; y < maxpid; y++) {
-		
-		if (allpids[y] != '\0') {
-			
-			checkps(allpids[y],1) ;
-		
-		}
-		
-	}	
-	
-			
-	
-	
+
+		if (allpids[y] != 0) {
+
+			if(!checkps(allpids[y],1) ) {
+
+				printbadpid(allpids[y]);
+
+			}
+		}
+
+	}
+
+
+
 }
 
 
 
 
 int main (int argc, char *argv[]) {
-	
-	
-	printf ("Unhide 20080519 \n") ;
-	printf ("yjesus at security-projects.com\n\n\n") ;
-	
-	
+
+	printf ("Unhide 20100201\n") ;
+	printf ("http://www.security-projects.com/?Unhide\n\n\n") ;
+	get_max_pid(&maxpid);
+
 	if(argc != 2) {
-		
+
 		printf("usage: %s proc | sys | brute\n\n", argv[0]);
 		exit (1);
-		
-	} 
-	
+	}
+
+	setpriority(PRIO_PROCESS,0,-20);  /* reduce risk from intermittent processes - may fail, dont care */
+
 	if (strcmp(argv[1], "proc") == 0) {checkproc();}
-	
+
 	else if (strcmp(argv[1], "sys") == 0) {
+		checkkill();
+		checkallnoprocps();
 		checkgetpriority();
 		checkgetpgid() ;
 		checkgetsid();
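Review bot: The session check in `checkps()` reads from the wrong stream: inside the `while (!feof(fich_session) ...)` loop the new code calls `fgets(pids, 30, fich_tmp)`, but `fich_tmp` was already released by `pclose(fich_tmp)` a few dozen lines earlier, so this is a use-after-close; and because `fich_session` is never read, its EOF flag is never set and the loop most likely never terminates. It should be `fgets(pids, 30, fich_session);` — this path is only reached with `morechecks == 1`, i.e. from `brute()`, which makes the whole brute-force mode unreliable. Separately, `brute()` declares `int allpids[maxpid]` as a VLA after `maxpid` is read from `/proc/sys/kernel/pid_max`; an administrator can raise `pid_max` to several million, which puts the array beyond the usual 8 MiB stack limit, so it should be heap-allocated (`int *allpids = calloc(maxpid, sizeof *allpids);`, checked and freed at the end) and the `allpids[vpid]` / `allpids[tid]` stores guarded with `< maxpid` before indexing. Less critical: every `while (!feof(f))` + unchecked `fgets()` loop re-examines a stale buffer on the final iteration, `printbadpid()` prints `cmdcont` uninitialized when `/proc/PID/cmdline` is empty, and `get_max_pid()` leaks `fd` on the parse-error return.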
@@ -488,14 +798,10 @@ int main (int argc, char *argv[]) {
 		checksched_getscheduler();
 		checksched_rr_get_interval();
 		checksysinfo();
-		
+
 	}
-	
 	else if(strcmp(argv[1], "brute") == 0) {
-		
 		brute();
-		
 	}
-	
-	
+	return 0;
 }
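Review bot: An unrecognized mode argument now falls straight through to the added `return 0;` with no output, so a typo such as `unhide-linux26 brut` reports success while having scanned nothing, which is a bad failure mode for a forensic tool run from scripts. Add a final branch after the `brute` case: `else { printf("usage: %s proc | sys | brute\n\n", argv[0]); exit(1); }`, mirroring the `argc != 2` handling earlier in `main`. The start of `main`, including that usage check, is in the previous hunk.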
diff --git a/unhide-tcp.c b/unhide-tcp.c
index 9d31b70..c9398ab 100644
--- a/unhide-tcp.c
+++ b/unhide-tcp.c
@@ -68,10 +68,9 @@ int main() {
 	
 	int i ;
 	int u ;
-	
-	printf ("Unhide 20080519 \n") ;
-	printf ("yjesus at security-projects.com\n\n\n") ;
-	
+
+	printf ("Unhide 20100201\n") ;
+        printf ("http://www.security-projects.com/?Unhide\n\n\n") ;
 	
 	printf ("Starting TCP checking\n\n") ;
 	
diff --git a/unhide.c b/unhide.c
index 4ebe75a..ec31556 100644
--- a/unhide.c
+++ b/unhide.c
@@ -198,8 +198,8 @@ void checkgetsid() {
 
 int main (int argc, char *argv[]) {
 	
-	printf ("Unhide 20080519 \n") ;
-	printf ("yjesus at security-projects.com\n\n\n") ;
+	printf ("Unhide 20100201\n") ;
+	printf ("http://www.security-projects.com/?Unhide\n\n\n") ;
 	
 	
 	if(argc != 2) {
