Please, try this version of unhide 2009/3/26 Singer, Michael <i...@sinweb.de>
> Hi Francois, > here the answers to your questions. > > 1) > # uname -a > Linux bluelupomobile 2.6.29-0.slh.1-sidux-amd64 #1 SMP PREEMPT Tue Mar 24 > 01:15:50 UTC 2009 x86_64 GNU/Linux > > 2) normal installation of Sidux (based on Debin SID) > > 3) root > > 4) unhide.txt the attached file as an email attachment (compressed) > > Cheers > Michael >
/* Unhide yje...@security-projects.com */ #include <stdio.h> #include <string.h> #include <sys/stat.h> #include <unistd.h> #include <sys/resource.h> #include <errno.h> #include <dirent.h> #include <sched.h> #include <sys/types.h> #include <signal.h> #include <stdlib.h> #include <sys/sysinfo.h> #define COMMAND "nice -20 ps axHo sess,pid | awk '{ print $2 }' | grep -v PID" #define SESSION "ps axHo sess,pid | awk '{ print $1 }' | grep -v SESS" #define PGID "ps axHo pgid,pid | awk '{ print $1 }' | grep -v PGID" // sysctl kernel.pid_max int maxpid= 32768; int isfaked(int pidtmp) { int count ; struct dirent *ptr; DIR *dirp; char path[1000] ; sprintf(path,"/proc/%i/task",pidtmp); errno= 0 ; dirp = opendir(path) ; count = 0; if ( errno == 0) { while ((ptr = readdir(dirp)) != NULL) { count++; } if ( count > 3 ) { return(1) ;} else {return(0);} } else {return(0);} } void checkps(int tmppid, int morechecks) { int ok = 0; char pids[30]; char sessionpids[30] ; char pgidpids[30] ; char compare[100]; char comparesession[100]; char comparepgid[100]; FILE *fich_tmp ; fich_tmp=popen (COMMAND, "r") ; while (!feof(fich_tmp) && ok == 0) { fgets(pids, 30, fich_tmp); sprintf(compare,"%i\n",tmppid); if (strcmp(pids, compare) == 0) {ok = 1;} } pclose(fich_tmp); if (morechecks == 1) { FILE *fich_session ; fich_session=popen (SESSION, "r") ; while (!feof(fich_session) && ok == 0) { fgets(sessionpids, 30, fich_session); sprintf(comparesession,"%i\n",tmppid); if (strcmp(sessionpids, comparesession) == 0) {ok = 1;} } pclose(fich_session); FILE *fich_pgid ; fich_pgid=popen (PGID, "r") ; while (!feof(fich_pgid) && ok == 0) { fgets(pgidpids, 30, fich_pgid); sprintf(comparepgid,"%i\n",tmppid); if (strcmp(pgidpids, comparepgid) == 0) {ok = 1;} } pclose(fich_pgid); } if ( ok == 0 ) { int faked ; int statuscmd ; char cmd[100] ; faked = isfaked(tmppid) ; if ( faked == 0 ) { struct stat buffer; printf ("Found HIDDEN PID: %i\n", tmppid) ; sprintf(cmd,"/proc/%i/cmdline",tmppid); statuscmd = stat(cmd, &buffer); if (statuscmd == 0) { FILE *cmdfile ; char cmdcont[1000]; cmdfile=fopen (cmd, "r") ; while (!feof (cmdfile)) { fgets (cmdcont, 1000, cmdfile); printf ("Command: %s\n\n", cmdcont); } } } } } void checkproc() { int procpids ; int statusproc; struct stat buffer; printf ("[*]Searching for Hidden processes through /proc scanning\n\n") ; for ( procpids = 1; procpids <= maxpid; procpids = procpids +1 ) { char directory[100] ; sprintf(directory,"/proc/%d",procpids); statusproc = stat(directory, &buffer) ; if (statusproc == 0) { checkps(procpids,0); } } } void checkgetpriority() { int syspids ; printf ("[*]Searching for Hidden processes through getpriority() scanning\n\n") ; for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) { int which = PRIO_PROCESS; int ret; errno= 0 ; ret = getpriority(which, syspids); if ( errno == 0) { checkps(syspids,0); } } } void checkgetpgid() { int syspids ; printf ("[*]Searching for Hidden processes through getpgid() scanning\n\n") ; for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) { int ret; errno= 0 ; ret = getpgid(syspids); if ( errno == 0) { checkps(syspids,0); } } } void checkgetsid() { int syspids ; printf ("[*]Searching for Hidden processes through getsid() scanning\n\n") ; for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) { int ret; errno= 0 ; ret = getsid(syspids); if ( errno == 0) { checkps(syspids,0); } } } void checksched_getaffinity() { int syspids; unsigned long mask; printf ("[*]Searching for Hidden processes through sched_getaffinity() scanning\n\n") ; for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) { int ret; errno= 0 ; ret = sched_getaffinity(syspids, sizeof(unsigned int), &mask); if ( errno == 0) { checkps(syspids,0); } } } void checksched_getparam() { int syspids; struct sched_param param; printf ("[*]Searching for Hidden processes through sched_getparam() scanning\n\n") ; for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) { int ret; errno= 0 ; ret = sched_getparam(syspids, ¶m); if ( errno == 0) { checkps(syspids,0); } } } void checksched_getscheduler() { int syspids ; printf ("[*]Searching for Hidden processes through sched_getscheduler() scanning\n\n") ; for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) { int ret; errno= 0 ; ret = sched_getscheduler(syspids); if ( errno == 0) { checkps(syspids,0); } } } void checksched_rr_get_interval() { int syspids; struct timespec tp; printf ("[*]Searching for Hidden processes through sched_rr_get_interval() scanning\n\n") ; for ( syspids = 1; syspids <= maxpid; syspids = syspids +1 ) { int ret; errno= 0 ; ret = sched_rr_get_interval(syspids, &tp); if ( errno == 0) { checkps(syspids,0); } } } void checksysinfo() { struct sysinfo info; int contador=0; int resultado=0; int ocultos=0; char buffer[500]; FILE *fich_proceso ; printf ("[*]Searching for Hidden processes through sysinfo() scanning\n\n") ; fich_proceso=popen (COMMAND, "r") ; while (!feof(fich_proceso)) { fscanf( fich_proceso, "%s", &buffer ); contador++; } pclose(fich_proceso); sysinfo(&info); resultado=contador-5; ocultos=info.procs-resultado; if (ocultos >0) { printf("HIDDEN Processes Found:%i\n",ocultos) ; } } void brute() { int i=0; int vpid; int allpids[maxpid] ; int x; int y; int z; printf ("[*]Starting scanning using brute force against PIDS\n\n") ; for(x=0; x < 299; x++) { allpids[x] = '\0' ; } for(z=300; z < maxpid; z++) { allpids[z] = z ; } for (i=0; i < maxpid; i++) { errno= 0 ; if (vfork() == 0) { vpid = getpid(); allpids[vpid] = '\0'; _exit(2) ; } waitpid(vpid); } for(y=0; y < maxpid; y++) { if (allpids[y] != '\0') { checkps(allpids[y],1) ; } } } int main (int argc, char *argv[]) { printf ("Unhide 20080519 \n") ; printf ("yje...@security-projects.com\n\n\n") ; if(argc != 2) { printf("usage: %s proc | sys | brute\n\n", argv[0]); exit (1); } if (strcmp(argv[1], "proc") == 0) {checkproc();} else if (strcmp(argv[1], "sys") == 0) { checkgetpriority(); checkgetpgid() ; checkgetsid(); checksched_getaffinity(); checksched_getparam(); checksched_getscheduler(); checksched_rr_get_interval(); checksysinfo(); } else if(strcmp(argv[1], "brute") == 0) { brute(); } }