0x333hpl.c compares pids in /proc with ps aux output.
d369beb106b3a6ea47350ebd43ea968f579778ad25d46ee20e18ae1a05875333
/*
* 0x333-hpl.c hidden pid list
*
* check pids in /proc and compare with output given ps aux.
*
* there are many techniques that make a stealth process invisible in /proc too.
*
* this is a simple tool that can be used to find hidden pids of software-level rootkits, not LKM ones.
*
* coded by nsn
*
* ~ www.0x333.org ~
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAXPID 0x8000
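/*
 * Return the size in bytes of the file at `path`, or -1 if the file cannot
 * be opened or its size cannot be determined.
 *
 * `stream` is only scratch storage for the handle opened here: the value
 * passed in by the caller is ignored, and the handle is always closed before
 * returning.
 */
long
FileSize (char *path, FILE *stream)
{
    long length = -1;

    stream = fopen(path, "r");
    if (stream == NULL)
        return -1;

    /*
     * Only trust ftell() after a successful seek to the end; otherwise it
     * would report the current offset (0) and a failed measurement would be
     * indistinguishable from an empty file.
     */
    if (fseek(stream, 0L, SEEK_END) == 0)
        length = ftell(stream);

    fclose(stream);
    return length;
}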
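/*
 * Return 1 when /proc/<pid>/status reports a thread-group id different from
 * `pid`, i.e. the id belongs to a secondary thread rather than to a process.
 * Returns 0 when the status file cannot be read or parsed, so an unreadable
 * entry is still reported instead of being silently skipped.
 */
static int
is_secondary_thread (long pid)
{
    FILE *status;
    char path[64], line[128];
    int secondary = 0;

    snprintf(path, sizeof(path), "/proc/%ld/status", pid);
    status = fopen(path, "r");
    if (status == NULL)
        return 0;

    while (fgets(line, sizeof(line), status)) {
        if (strncmp(line, "Tgid:", 5) == 0) {
            char *end;
            long tgid = strtol(line + 5, &end, 10);

            /* A malformed Tgid line must not suppress a report. */
            if (end != line + 5 && tgid > 0 && tgid != pid)
                secondary = 1;
            break;
        }
    }
    fclose(status);
    return secondary;
}

/*
 * List every pid that has a readable /proc/<pid>/cmdline but is missing from
 * the PID column of `ps aux`.
 *
 * The ps snapshot is taken once, loaded into an in-memory table and then
 * compared against /proc. The previous approach rewrote the snapshot with
 * `cat proc | grep ... > proc`; the shell truncates the output file before
 * cat reads it, so the snapshot was emptied on the first match and every
 * later pid was reported as hidden.
 *
 * Limits a reader of the output should keep in mind:
 *  - This is a userland comparison only. Anything that filters /proc itself
 *    (for example an LKM rootkit) is not detected.
 *  - ps and awk are run through system() and resolved via PATH, and the
 *    snapshot is written to a fixed file name ("proc") in the current
 *    directory. Run from a directory only the invoking user can write, with
 *    a trusted PATH.
 *  - A process started after the snapshot is reported as hidden; re-run to
 *    confirm a hit before acting on it.
 *
 * Returns 0 after a completed scan, 1 if the snapshot could not be taken.
 */
int
main (void)
{
    FILE *stream;
    char path[64], line[64], cmdline[50];
    unsigned char *listed;
    long pid_max = MAXPID;
    long pid, nlisted = 0;
    size_t got, k;
    char *end;

    /*
     * MAXPID is only a floor: the kernel's real limit can be much higher,
     * and pids above a hard-coded bound would never be examined.
     */
    if ((stream = fopen("/proc/sys/kernel/pid_max", "r"))) {
        if (fgets(line, sizeof(line), stream)) {
            long limit = strtol(line, &end, 10);

            if (end != line && limit > pid_max)
                pid_max = limit;
        }
        fclose(stream);
    }

    listed = calloc((size_t)pid_max, 1);
    if (listed == NULL) {
        fprintf(stderr, "[!] out of memory\n");
        return 1;
    }

    /* An empty or failed snapshot would make every pid look hidden. */
    if (system("ps aux | awk '{print $2}' > proc") != 0 ||
        (stream = fopen("proc", "r")) == NULL) {
        fprintf(stderr, "[!] cannot take ps snapshot\n");
        remove("proc");
        free(listed);
        return 1;
    }

    /* The "PID" header line does not parse as a number and is skipped. */
    while (fgets(line, sizeof(line), stream)) {
        pid = strtol(line, &end, 10);
        if (end != line && pid > 0 && pid < pid_max) {
            listed[pid] = 1;
            ++nlisted;
        }
    }
    fclose(stream);
    remove("proc");

    if (nlisted == 0) {
        fprintf(stderr, "[!] ps snapshot contains no pids\n");
        free(listed);
        return 1;
    }

    printf("\n[*] Listing hidden process\n");
    printf("\n[*] PID\t\t\tCMDLINE\n\n");

    for (pid = 1; pid < pid_max; ++pid) {
        if (listed[pid])
            continue;

        snprintf(path, sizeof(path), "/proc/%ld/cmdline", pid);
        if ((stream = fopen(path, "r")) == NULL)
            continue;

        /* Leave room for the terminator: cmdline is not NUL-terminated
         * when the process has more argument bytes than the buffer. */
        got = fread(cmdline, 1, sizeof(cmdline) - 1, stream);
        fclose(stream);
        cmdline[got] = '\0';

        /*
         * /proc/<tid> is reachable for secondary threads, which ps aux
         * does not list; they are not hidden processes.
         */
        if (is_secondary_thread(pid))
            continue;

        /*
         * The command line is controlled by the process being reported.
         * Join the NUL-separated arguments with spaces and neutralise
         * control bytes so it cannot disturb the terminal output.
         */
        for (k = 0; k < got; ++k) {
            unsigned char ch = (unsigned char)cmdline[k];

            if (ch == '\0')
                cmdline[k] = (k + 1 < got) ? ' ' : '\0';
            else if (ch < 0x20 || ch == 0x7f)
                cmdline[k] = '?';
        }

        printf("[*] %ld\t\t\t%s\n", pid, cmdline);
    }

    free(listed);
    printf("\n[*] End list hidden process\n\n");
    return 0;
}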
/* EOF */