zhou88qiao / unhide_rootkit Goto Github PK
View Code? Open in Web Editor NEWunhide rootkit process and port
License: GNU General Public License v3.0
unhide rootkit process and port
License: GNU General Public License v3.0
**-Unhide-** http://www.unhide-forensics.info Unhide is a forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hiding technique. // Unhide (unhide-linux or unhide-posix) // ------------------------------------- Detecting hidden processes. Implements six main techniques 1- Compare /proc vs /bin/ps output 2- Compare info gathered from /bin/ps with info gathered by walking thru the procfs. ONLY for unhide-linux version 3- Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning). 4- Full PIDs space ocupation (PIDs bruteforcing). ONLY for unhide-linux version 5- Compare /bin/ps output vs /proc, procfs walking and syscall. ONLY for unhide-linux version Reverse search, verify that all thread seen by ps are also seen in the kernel. 6- Quick compare /proc, procfs walking and syscall vs /bin/ps output. ONLY for unhide-linux version It's about 20 times faster than tests 1+2+3 but maybe give more false positives. // Unhide_rb // --------- It's a back port in C language of the ruby unhide.rb As the original unhide.rb, it is roughly equivalent to "unhide-linux quick reverse" : - it makes three tests less (kill, opendir and chdir), - it only run /bin/ps once at start and once for the double check, - also, its tests are less accurate (e.g.. testing return value instead of errno), - processes are only identified by their exe link (unhide-linux also use cmdline and "sleeping kernel process" name), - there's little protection against failures (failed fopen or popen by example), - there's no logging capability. It is very quick, about 80 times quicker than "unhide-linux quick reverse" // Unhide-TCP // ---------- Identify TCP/UDP ports that are listening but not listed in sbin/ss or /bin/netstat. It use two methods: - brute force of all TCP/UDP ports availables and compare with SS/netstat output. - probe of all TCP/UDP ports not reported by netstat. // Files // ----- unhide-linux.c -- Hidden processes, for Linux >= 2.6 unhide-linux.h unhide-tcp.c -- Hidden TCP/UDP Ports unhide-tcp-fast.c unhide-tcp.h unhide-output.c -- Common routines of unhide tools unhide-output.h unhide_rb.c -- C port of unhide.rb (a very light version of unhide-linux in ruby) unhide-posix.c -- Hidden processes, for generic Unix systems (*BSD, Solaris, linux 2.2 / 2.4) It doesn't implement PIDs brute forcing check yet. Needs more testing Warning : This version is somewhat outdated and may generate false positive. Prefer unhide-linux.c if you can use it. changelog -- As the name implied log of the change to unhide COPYING -- License file, GNU GPL V3 LEEME.txt -- Spanish version of this file LISEZ-MOI.TXT -- French version of this file NEWS -- Release notes README.txt -- This file sanity.sh -- unhide-linux testsuite file TODO -- Evolutions to do (any volunteers ?) man/unhide.8 -- English man page of unhide man/unhide-tcp.8 -- English man page of unhide-tcp man/fr/unhide.8 -- French man page of unhide man/fr/unhide-tcp.8 -- French man page of unhide-tcp // Compiling // --------- Build requires glibc-devel glibc-static-devel Require - unhide-tcp under linux : iproute2 net-tools (for netstat) lsof psmisc (for fuser) - unhide-tcp under freeBSD : sockstat lsof netstat unhide-linux, unhide-posix, unhide_rb : procps If you ARE using a Linux kernel >= 2.6 gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux gcc -Wall -O2 --static unhide_rb.c -o unhide_rb gcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp ln -s unhide unhide-linux Else (Linux < 2.6, *BSD, Solaris and other Unice) gcc --static unhide-posix.c -o unhide-posix ln -s unhide unhide-posix // Using // ----- You MUST be root to use unhide-linux and unhide-tcp. Examples: # ./unhide-linux -vo quick reverse # ./unhide-linux -vom procall sys # ./unhide_rb # ./unhide-tcp -flov # ./unhide-tcp -flovs // License // ------- GPL V.3 (http://www.gnu.org/licenses/gpl-3.0.html) // Greets // ------ A. Ramos ([email protected]) for some regexps unspawn ([email protected]) CentOS support Martin Bowers ([email protected]) CentOS support Lorenzo Martinez ([email protected]) Some ideas to improve and betatesting Francois Marier ([email protected]) Author of the man pages and Debian support Johan Walles ([email protected]) Find and fix a very nasty race condition bug Jan Iven ([email protected]) Because of his great improvements, new tests and bugfixing P. Gouin ([email protected]) Because of his incredible work fixing bugs and improving the performance François Boisson for his idea of a double check in brute test Leandro Lucarella ([email protected]) for the fast scan method and his factorization work for unhide-tcp Nikos Ntarmos ([email protected]) for its invaluable help in the FreeBSD port of unhide-tcp and for packaging unhide on FreeBSD.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.