Please, try this version of unhide
2009/3/26 Singer, Michael <i...@sinweb.de>
> Hi Francois,
> here the answers to your questions.
>
> 1)
> # uname -a
> Linux bluelupomobile 2.6.29-0.slh.1-sidux-amd64 #1 SMP PREEMPT Tue Mar 24
> 01:15:50 UTC 2009 x86_64 GNU/Linux
>
> 2) normal installation of Sidux (based on Debin SID)
>
> 3) root
>
> 4) unhide.txt the attached file as an email attachment (compressed)
>
> Cheers
> Michael
>
/* Unhide yje...@security-projects.com */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#include <sys/resource.h>
#include <errno.h>
#include <dirent.h>
#include <sched.h>
#include <sys/types.h>
#include <signal.h>
#include <stdlib.h>
#include <sys/sysinfo.h>
#define COMMAND "nice -20 ps axHo sess,pid | awk '{ print $2 }' | grep -v PID"
#define SESSION "ps axHo sess,pid | awk '{ print $1 }' | grep -v SESS"
#define PGID "ps axHo pgid,pid | awk '{ print $1 }' | grep -v PGID"
// sysctl kernel.pid_max
int maxpid= 32768;
int isfaked(int pidtmp) {
int count ;
struct dirent *ptr;
DIR *dirp;
char path[1000] ;
sprintf(path,"/proc/%i/task",pidtmp);
errno= 0 ;
dirp = opendir(path) ;
count = 0;
if ( errno == 0) {
while ((ptr = readdir(dirp)) != NULL) {
count++;
}
if ( count > 3 ) { return(1) ;}
else {return(0);}
}
else {return(0);}
}
void checkps(int tmppid, int morechecks) {
int ok = 0;
char pids[30];
char sessionpids[30] ;
char pgidpids[30] ;
char compare[100];
char comparesession[100];
char comparepgid[100];
FILE *fich_tmp ;
fich_tmp=popen (COMMAND, "r") ;
while (!feof(fich_tmp) && ok == 0) {
fgets(pids, 30, fich_tmp);
sprintf(compare,"%i\n",tmppid);
if (strcmp(pids, compare) == 0) {ok = 1;}
}
pclose(fich_tmp);
if (morechecks == 1) {
FILE *fich_session ;
fich_session=popen (SESSION, "r") ;
while (!feof(fich_session) && ok == 0) {
fgets(sessionpids, 30, fich_session);
sprintf(comparesession,"%i\n",tmppid);
if (strcmp(sessionpids, comparesession) == 0) {ok = 1;}
}
pclose(fich_session);
FILE *fich_pgid ;
fich_pgid=popen (PGID, "r") ;
while (!feof(fich_pgid) && ok == 0) {
fgets(pgidpids, 30, fich_pgid);
sprintf(comparepgid,"%i\n",tmppid);
if (strcmp(pgidpids, comparepgid) == 0) {ok = 1;}
}
pclose(fich_pgid);
}
if ( ok == 0 ) {
int faked ;
int statuscmd ;
char cmd[100] ;
faked = isfaked(tmppid) ;
if ( faked == 0 ) {
struct stat buffer;
printf ("Found HIDDEN PID: %i\n", tmppid) ;
sprintf(cmd,"/proc/%i/cmdline",tmppid);
statuscmd = stat(cmd, &buffer);
if (statuscmd == 0) {
FILE *cmdfile ;
char cmdcont[1000];
cmdfile=fopen (cmd, "r") ;
while (!feof (cmdfile)) {
fgets (cmdcont, 1000, cmdfile);
printf ("Command: %s\n\n", cmdcont);
}
}
}
}
}
void checkproc() {
int procpids ;
int statusproc;
struct stat buffer;
printf ("[*]Searching for Hidden processes through /proc scanning\n\n")
;
for ( procpids = 1; procpids <= maxpid; procpids = procpids +1 ) {
char directory[100] ;
sprintf(directory,"/proc/%d",procpids);
statusproc = stat(directory, &buffer) ;
if (statusproc == 0) {
checkps(procpids,0);
}
}
}
void checkgetpriority() {
int syspids ;
printf ("[*]Searching for Hidden processes through getpriority()
scanning\n\n") ;
for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) {
int which = PRIO_PROCESS;
int ret;
errno= 0 ;
ret = getpriority(which, syspids);
if ( errno == 0) {
checkps(syspids,0);
}
}
}
void checkgetpgid() {
int syspids ;
printf ("[*]Searching for Hidden processes through getpgid()
scanning\n\n") ;
for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) {
int ret;
errno= 0 ;
ret = getpgid(syspids);
if ( errno == 0) {
checkps(syspids,0);
}
}
}
void checkgetsid() {
int syspids ;
printf ("[*]Searching for Hidden processes through getsid()
scanning\n\n") ;
for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) {
int ret;
errno= 0 ;
ret = getsid(syspids);
if ( errno == 0) {
checkps(syspids,0);
}
}
}
void checksched_getaffinity() {
int syspids;
unsigned long mask;
printf ("[*]Searching for Hidden processes through sched_getaffinity()
scanning\n\n") ;
for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) {
int ret;
errno= 0 ;
ret = sched_getaffinity(syspids, sizeof(unsigned int), &mask);
if ( errno == 0) {
checkps(syspids,0);
}
}
}
void checksched_getparam() {
int syspids;
struct sched_param param;
printf ("[*]Searching for Hidden processes through sched_getparam()
scanning\n\n") ;
for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) {
int ret;
errno= 0 ;
ret = sched_getparam(syspids, ¶m);
if ( errno == 0) {
checkps(syspids,0);
}
}
}
void checksched_getscheduler() {
int syspids ;
printf ("[*]Searching for Hidden processes through sched_getscheduler()
scanning\n\n") ;
for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) {
int ret;
errno= 0 ;
ret = sched_getscheduler(syspids);
if ( errno == 0) {
checkps(syspids,0);
}
}
}
void checksched_rr_get_interval() {
int syspids;
struct timespec tp;
printf ("[*]Searching for Hidden processes through
sched_rr_get_interval() scanning\n\n") ;
for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) {
int ret;
errno= 0 ;
ret = sched_rr_get_interval(syspids, &tp);
if ( errno == 0) {
checkps(syspids,0);
}
}
}
void checksysinfo() {
struct sysinfo info;
int contador=0;
int resultado=0;
int ocultos=0;
char buffer[500];
FILE *fich_proceso ;
printf ("[*]Searching for Hidden processes through sysinfo()
scanning\n\n") ;
fich_proceso=popen (COMMAND, "r") ;
while (!feof(fich_proceso)) {
fscanf( fich_proceso, "%s", &buffer );
contador++;
}
pclose(fich_proceso);
sysinfo(&info);
resultado=contador-5;
ocultos=info.procs-resultado;
if (ocultos >0) {
printf("HIDDEN Processes Found:%i\n",ocultos) ;
}
}
void brute() {
int i=0;
int vpid;
int allpids[maxpid] ;
int x;
int y;
int z;
printf ("[*]Starting scanning using brute force against PIDS\n\n") ;
for(x=0; x < 299; x++) {
allpids[x] = '\0' ;
}
for(z=300; z < maxpid; z++) {
allpids[z] = z ;
}
for (i=0; i < maxpid; i++) {
errno= 0 ;
if (vfork() == 0) {
vpid = getpid();
allpids[vpid] = '\0';
_exit(2) ;
}
waitpid(vpid);
}
for(y=0; y < maxpid; y++) {
if (allpids[y] != '\0') {
checkps(allpids[y],1) ;
}
}
}
int main (int argc, char *argv[]) {
printf ("Unhide 20080519 \n") ;
printf ("yje...@security-projects.com\n\n\n") ;
if(argc != 2) {
printf("usage: %s proc | sys | brute\n\n", argv[0]);
exit (1);
}
if (strcmp(argv[1], "proc") == 0) {checkproc();}
else if (strcmp(argv[1], "sys") == 0) {
checkgetpriority();
checkgetpgid() ;
checkgetsid();
checksched_getaffinity();
checksched_getparam();
checksched_getscheduler();
checksched_rr_get_interval();
checksysinfo();
}
else if(strcmp(argv[1], "brute") == 0) {
brute();
}
}
