Skip to content
/ inodeyou-c Public

Experimental program that detects files & directories hidden by Linux trojan/rootkits

License

GPL-3.0 license
2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

0xF41/inodeyou-c

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

58 Commits
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
fs_inode.c
fs_inode.c
 
 
fs_inode.h
fs_inode.h
 
 
inodelinkedlist.c
inodelinkedlist.c
 
 
inodelinkedlist.h
inodelinkedlist.h
 
 
inodeyou.c
inodeyou.c
 
 
inodeyou.h
inodeyou.h
 
 
tsk_inode.c
tsk_inode.c
 
 
tsk_inode.h
tsk_inode.h
 
 

Repository files navigation

inodeyou-c

inodeyou-c is a userspace C program adapted from inodeyou that uses a simple cross-based check to detect inodes that are hidden by Linux rootkit(s) or malware(s).

inodeyou-c uses The Sleuth Kit (TSK) C library to compare the view of the filesystem inodes by two methods:

  1. Finding inodes visible to the disk's view of the file system (with read()) via TSK library
  2. Finding inodes visible from the user's view of the mounted file system (with getdent(), stat(), etc.).

With the results from both methods, we can cross-check to see if there are any inodes that are seen by the disk view of the file system (with TSK) and not from the user's view of the mounted file system (with the ls command). If so, those inodes might be hidden by a rootkit/malware.

Adapted from inodeyou:

⚠️Note: This program is made for experiemental and learning purposes and thus produces a large number of false positives. Results given by this program may NOT be 100% accurate or representative⚠️

Features

Limitations

  • A rootkit/malware may evade the scan if inodes are already hidden from TSK to begin with
  • Buggy on some directories like /run and /lib64 which creates false positives
  • Runtime of program is O(n^2), where n is the number of anomalies found
  • Some TSK functions have memory leaks which may create unexpected results
  • Does not detect special files such as file sockets, symbolic links, etc.
  • Only works on ext2/3/4 file system types, not compatible with xfs and other types.

Installation

For debian-based distros:

sudo apt update
sudo apt install gcc
sudo apt install libtsk-dev
sudo git clone https://github.com/0xf41/inodeyou-c.git
cd ./inodeyou-c/
sudo make

Usage

The example command scans for hidden inodes from /home/user1 recursively, whereby /home/user1 is on the root directory mountpoint on the /dev/sda1 volume

Usage: sudo ./inodeyou-c volume mountpoint [directory] 
Example: ./inodeyou-c /dev/sda1 / /home/user1

In the example below, inodeyou-c has successfully detected a inode /home/user1/lilyofthevalley2.txt hidden by the LilyOfTheValley rootkit.

demo

About

Experimental program that detects files & directories hidden by Linux trojan/rootkits

Topics

malware inodes tsk malware-detection rootkits

Resources

Readme

License

GPL-3.0 license
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages