
SANS ISC: Linux Process Hunter - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Linux Process Hunter
I wrote prochunter around 2002, after the SuckIT rootkit by sd was published [4]. I just spent a few hours making it runnable on modern kernels (tested on 4.x), so don't blame me for the bugs :)

Prochunter aims to find processes hidden by all userspace and most kernelspace rootkits.
This tool is composed of a kernel module that prints out all running processes using the task_struct list and creates a /sys/kernel/proc_hunter/set entry, and a Python script that invokes the kernel function and diffs the module output against the process list collected with a userspace pslist (/proc walking).

Almost all public Linux kernel rootkits try to hide processes via the /proc VFS to remove the hidden processes from the output of ps/top/etc.
Others use the trick of changing the evil process's pid to 0 (but the exit call will panic the kernel) [1].

As far as I know, only adore-ng, fuuld and some non-working PoCs from academic papers use DKOM (in particular: unlinking the process from the task_struct/pidhash lists) [2] [3].

(Un)fortunately the latter are stable only on kernel 2.4.x schedulers like SCHED_FIFO or SCHED_RR, because that scheduler doesn't rely on the task_struct or pidhash list to make a context switch among the processes; on modern kernels (2.6+, yeah, not so modern) with CFS (the default on Linux now) they are very unusable, but.. ;p

https://gitlab.com/nowayout/prochunter
Anonymous
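
The cross-view diff the post describes, written out as an added example (not prochunter's own script): a kernel-side task list is compared with the pids visible by walking /proc, and anything the kernel knows about but /proc does not expose is reported as hidden. The "pid<TAB>comm" output format, the sample contents and the function names are assumptions for this example; the pid-0 check follows the trick the post mentions.

```python
"""Cross-view process diff: kernel task list vs. /proc walk."""
import os
import re

# Constructed sample of what a task_struct walk might print.
# The "pid<TAB>comm" format is an assumption; a real module may differ.
KERNEL_VIEW = """\
1\tsystemd
2\tkthreadd
1337\tsshd
4242\tevil
0\tnotinit
"""


def parse_kernel_view(text):
    """Return {pid: comm} from 'pid<TAB>comm' lines; malformed lines are skipped."""
    tasks = {}
    for line in text.splitlines():
        m = re.fullmatch(r"(\d+)\t(\S.*)", line)
        if m:
            tasks[int(m.group(1))] = m.group(2)
    return tasks


def walk_proc(proc_root="/proc"):
    """Userspace view: every numeric directory under /proc is a visible pid."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def find_hidden(kernel_tasks, visible_pids):
    """Split the kernel view into hidden pids, pid-0 entries and exited noise.

    hidden: in the task list but absent from /proc (classic /proc hiding).
    pid0:   a task carrying pid 0, the trick the post warns about.
    gone:   visible in /proc but not in the task list; usually a process
            that exited between the two snapshots, so only a race artefact.
    """
    hidden = {p: c for p, c in kernel_tasks.items() if p not in visible_pids and p != 0}
    pid0 = {p: c for p, c in kernel_tasks.items() if p == 0}
    gone = visible_pids - set(kernel_tasks)
    return hidden, pid0, gone


if __name__ == "__main__":
    # Against a live system you would feed the module's real output here.
    hidden, pid0, gone = find_hidden(parse_kernel_view(KERNEL_VIEW), walk_proc())
    for pid, comm in sorted(hidden.items()):
        print(f"HIDDEN pid={pid} comm={comm}")
    for pid, comm in pid0.items():
        print(f"PID0   pid={pid} comm={comm}")
```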
