lp:unhide.rb
- Get this branch:
- bzr branch lp:unhide.rb
Recent revisions
- 20. By Johan Walles
Add /proc/1234/status check and a plain Ruby readlink() check

The /proc/1234/status check will print the process name even when running
as a plain user. The name printed isn't the full path to the exe though,
so running as root is still better.

The plain Ruby readlink() check is a complement to the native Libc
readlink() check. They should of course return the same thing, but you
never know.

This change also adds encouragement to run unhide.rb as root to get
better diagnostics if something is found.
- 17. By Johan Walles
Name the Jynx LD Poisoning library on an infected system

What we do is we check /proc/self/maps for paths we can't find or access,
that shouldn't happen.
- 15. By Johan Walles
Identify processes hidden by the Jynx rootkit

Before this change, processes hidden by Jynx were identified by
PID. Now the paths to their binaries are also printed (this
requires you to run unhide.rb as root).

What the change does more precisely is to add a PID scanner that
runs the readlink() function directly from libc. Since Jynx
overrides the readlink() loaded by the dynamic linker, we need to
load it ourselves to make sure we get the right function on an
infected system.

Original bug report here:
http://sourceforge.net/mailarchive/message.php?msg_id=28258660
- 13. By Johan Walles
Add a second run where we filter out false positives occurring due to a
race between our detectors and processes starting up / shutting down.

Also, follow the documented behavior of reporting suspicious things on
stderr.
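The /proc/self/maps check that revision 17 describes, written out as an added Ruby example; this is not unhide.rb's own code, and the sample maps lines and the libhidden.so path in the comments are constructed.

```ruby
# Added example (not from unhide.rb): scan a /proc/<pid>/maps listing for
# file-backed mappings whose path cannot be found or read. The kernel lists
# every mapped file, so a preloaded library that hides its own file from
# user space still shows up here with a path we cannot stat or open.

# One line of /proc/<pid>/maps looks like (constructed sample):
# 7f3a1c000000-7f3a1c021000 r-xp 00000000 08:01 1234 /usr/lib/libfoo.so
MAPS_LINE = /\A(\h+)-(\h+)\s+(\S+)\s+(\h+)\s+(\S+)\s+(\d+)\s*(.*)\z/

# Parse one maps line into a hash, or nil if it is not a maps line.
def parse_maps_line(line)
  m = MAPS_LINE.match(line.chomp) or return nil
  { range: [m[1].hex, m[2].hex], perms: m[3], inode: m[6].to_i, path: m[7].strip }
end

# Return the distinct paths in a maps listing that the kernel reports as
# mapped but that we cannot stat or read. Anonymous mappings (empty path)
# and pseudo-files such as [heap], [stack] and [vdso] are skipped.
def suspicious_mappings(maps_text)
  paths = maps_text.each_line.filter_map do |line|
    entry = parse_maps_line(line) or next
    path = entry[:path]
    next if path.empty? || path.start_with?('[')
    # A " (deleted)" suffix means the file was unlinked after being mapped.
    # It is reported as-is; after a package upgrade this is a benign cause.
    path
  end.uniq
  paths.select { |p| !File.exist?(p) || !File.readable?(p) }
end

if __FILE__ == $PROGRAM_NAME
  maps = '/proc/self/maps'
  if File.readable?(maps)
    hits = suspicious_mappings(File.read(maps))
    if hits.empty?
      puts 'no inaccessible mapped files in our own address space'
    else
      # Follow unhide.rb's convention of reporting suspicious things on stderr.
      hits.each { |p| warn "suspicious mapping: #{p}" }
    end
  else
    warn "#{maps} is not readable here; this check needs a Linux /proc"
  end
end
```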
Branch metadata
- Branch format:
- Branch format 6
- Repository format:
- Bazaar pack repository format 1 (needs bzr 0.92)