Created by Johan Walles and last modified
Get this branch:
bzr branch lp:unhide.rb
Only Johan Walles can upload to this branch. If you are Johan Walles please log in for upload directions.

Related bugs

Related blueprints

Branch information

Johan Walles

Recent revisions

22. By Johan Walles

Fix false positive on kernel threads when run as root

21. By Johan Walles

Add test that finds pids by listing all dirs in /proc

20. By Johan Walles

Add /proc/1234/status check and a plain Ruby readlink() check

The /proc/1234/status check will print the process name even when running
as a plain user. The name printed isn't the full path to the exe though,
so running as root is still better.

The plain Ruby readlink() check is a complement to the native Libc
readlink() check. They should of course return the same thing, but you
never know.

This change also adds encouragement to run unhide.rb as root to get
better diagnostics if something is found.

19. By Johan Walles

Remove trailing whitespace

18. By Johan Walles

Add /proc opendir and chdir scanning

17. By Johan Walles

Name the Jynx LD Poisoning library on an infected system

What we do is we check /proc/self/maps for paths we can't find or access,
that shouldn't happen.

16. By Johan Walles

Add kill(pid,0) PID scanner

15. By Johan Walles

Identify processes hidden by the Jynx rootkit

Before this change, processes hidden by Jynx were identified by
PID. Now the path to their binaries are also printed (this
requires you to run unhide.rb as root).

What the change does more precisely is to add a PID scanner that
runs the readlink() function directly from libc. Since Jynx
overrides the readlink() loaded by the dynamic linker, we need to
load it ourselves to make sure we get the right function on an
infected system.

Original bug report here:

14. By Johan Walles

Fix issues running with Ruby 1.9.

13. By Johan Walles

Add a second run where we filter out false positives occuring due to a
race between our detectors and processes starting up / shutting down.

Also, follow the documented behavior of reporting suspicious things on

Branch metadata

Branch format:
Branch format 6
Repository format:
Bazaar pack repository format 1 (needs bzr 0.92)
This branch contains Public information 
Everyone can see this information.