Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 0d60cee
Showing
5 changed files
with
1,536 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| MIT License | ||
|
|
||
| Copyright (c) 2018 David Reguera Garcia aka Dreg | ||
|
|
||
| Permission is hereby granted, free of charge, to any person obtaining a copy | ||
| of this software and associated documentation files (the "Software"), to deal | ||
| in the Software without restriction, including without limitation the rights | ||
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
| copies of the Software, and to permit persons to whom the Software is | ||
| furnished to do so, subject to the following conditions: | ||
|
|
||
| The above copyright notice and this permission notice shall be included in all | ||
| copies or substantial portions of the Software. | ||
|
|
||
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
| SOFTWARE. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,218 @@ | ||
| # lsrootkit | ||
| Rootkit Detector for UNIX (the actual beta only works as expected in Linux) | ||
|
|
||
| Tool created in 2013 to complement Unhide Forensic Tool: http://www.unhide-forensics.info/ | ||
|
|
||
| **Warning!!: the code is bullshit (is only a beta prototype).** | ||
|
|
||
| # Compile & Run | ||
| Compile: gcc -lpthread -o lsrootkit lsrootkit.c | ||
|
|
||
| If fails try: gcc -pthread -o lsrootkit lsrootkit.c | ||
|
|
||
| Execute: ./lsrootkit | ||
|
|
||
| **Very Important: if lsrootkit process crash you can have a rootkit in the system with some bugs: memory leaks etc.** | ||
|
|
||
| Real scenario example: vlany rootkit crash the process because their readdir hook: https://github.com/mempodippy/vlany | ||
|
|
||
|  | ||
|
|
||
| This is very funny because vlany is designed to avoid this kind of tool. It tries avoid GID bruteforcing using xattrs in files instead of a MAGIC_GID. But the code in their readdir hook crash the process in 2-3 mins. This kind of crash can be interpreted like: there are something bad coded hooking me. | ||
|
|
||
| Also vlany tries avoid GID bruteforcing in processes but lsrootkit can detect their setgid safeguard. | ||
|
|
||
| # Features | ||
|
|
||
| The idea is very simple: a lot of rootkits uses a MAGIC GID (a random GID generated) to hide processes and files. This tool find rootkits bruteforcing all GIDs possible in the system. | ||
|
|
||
| * **Processes**: Full GIDs process occupation (processes GID bruteforcing) | ||
| * **Files**: Full GIDs file occupation (files GID bruteforcing) | ||
|
|
||
| It also can detect some rootkits safe-guards and strange things in the hooked code. | ||
|
|
||
| Also some rootkits uses a MAGIC (kill) SIGNAL (a random SIGNAL generated) to hide processes. This tool can bruteforcing all Signals possible in the system: | ||
|
|
||
| * **Processes**: Kill Signal process occupation (processes Kill bruteforcing) | ||
|
|
||
| lsrootkit needs run **as root** or **with caps** for bruteforce: **stat, chown, setgid & access to /proc** | ||
|
|
||
| **Warning: each analysis-feature can take: <60 hours in a QUADCORE CPU 3100.000 MHz (NO SSD).** | ||
|
|
||
| ## For processes (GID) | ||
|
|
||
| 1) It creates a PARENT and a CHILD processes. | ||
| 2) The CHILD in a loop from 0 to MAX_GID_POSSIBLE calls to: setgid(ACTUAL_GID). | ||
| 3) The CHILD send the new GID to PARENT via pipe. (It calls to getgid() to get the new gid). | ||
| 4) If the GID returned from getgid() is different from ACTUAL_GID (used in setgid(ACTUAL_GID)): Alert! this is impossible, can be a rootkit doing strange things. | ||
| 5) If setgid(ACTUAL_GID) fails: Alert! this is impossible, can be a rootkit doing strange things. | ||
| 6) If in two loop-iterations the GID returned is the same (last_gid == new_gid): Alert! this is impossible, can be a rootkit doing strange things. | ||
| 7) In each iteration, the PARENT check if exist the PID of the child in: /proc (readdir/getdents). When the child PID is not listed: bingo!! the new GID is the MAGIC_GID of a rootkit. The rootkit is hidding the process. | ||
| 8) Also the PARENT check if the ACTUAL_GID recived from the PIPE is the same listed in /proc/pid/status. When is different: Alert! this is impossible, can be a rootkit doing strange things. | ||
|
|
||
| *IMPORTANT: The 4, 5 and 6 checks are useful in real scenarios. Example: when the ACTUAL_GID of a process is the MAGIC_GID some rootkits make impossible for the process to change their GID, this is a safe guard to avoid detections. Then, we are detecting the safe guard of the rootkit. | ||
|
|
||
| How the check if the analysis is working good: | ||
|
|
||
| ``` | ||
| [!! root@fr33project 14:17:21 ~]# ps o user,pid,gid,comm | grep lsrootkit | ||
| root 2614 0 lsrootkit | ||
| root 2631 828390172 lsrootkit | ||
| root 2632 1096822881 lsrootkit | ||
| root 2633 1365307256 lsrootkit | ||
| root 2634 1633704931 lsrootkit | ||
| root 2635 1902096925 lsrootkit | ||
| root 2636 -2124457736 lsrootkit | ||
| root 2637 559915649 lsrootkit | ||
| root 2638 -1855971818 lsrootkit | ||
| root 2639 -1319109121 lsrootkit | ||
| root 2640 -1587593627 lsrootkit | ||
| root 2641 -1050718186 lsrootkit | ||
| root 2642 -782346219 lsrootkit | ||
| root 2643 -513848494 lsrootkit | ||
| root 2644 -245456886 lsrootkit | ||
| root 2645 291438594 lsrootkit | ||
| root 2646 23009595 lsrootkit | ||
| ``` | ||
|
|
||
| ``` | ||
| [!! root@fr33project 14:17:27 ~]# ps o user,pid,gid,comm | grep lsrootkit | ||
| root 2614 0 lsrootkit | ||
| root 2631 828395894 lsrootkit | ||
| root 2632 1096828582 lsrootkit | ||
| root 2633 1365313071 lsrootkit | ||
| root 2634 1633710689 lsrootkit | ||
| root 2635 1902102633 lsrootkit | ||
| root 2636 -2124452025 lsrootkit | ||
| root 2637 559921448 lsrootkit | ||
| root 2638 -1855966060 lsrootkit | ||
| root 2639 -1319103376 lsrootkit | ||
| root 2640 -1587587943 lsrootkit | ||
| root 2641 -1050712491 lsrootkit | ||
| root 2642 -782340414 lsrootkit | ||
| root 2643 -513842741 lsrootkit | ||
| root 2644 -245451101 lsrootkit | ||
| root 2645 291444348 lsrootkit | ||
| root 2646 23015307 lsrootkit | ||
| ``` | ||
|
|
||
| You should see 16 processes changing their GID very fast in each ps. | ||
|
|
||
| ## For files (GID) | ||
|
|
||
| 1) It creates a loop from 0 to MAX_GID_POSSIBLE calling to: chown(ACTUAL_GID). | ||
| 2) If the GID returned from stat() is different from ACTUAL_GID (used in chown(ACTUAL_GID)): Alert! this is impossible, can be a rootkit doing strange things. | ||
| 3) If chown(ACTUAL_GID) or stat() fails: Alert! this is impossible, can be a rootkit doing strange things. | ||
| 4) If in two loop-iterations the GID returned is the same (last_gid == new_gid): Alert! this is impossible, can be a rootkit doing strange things. | ||
| 5) In each iteration, the process checks if exist the file in the directory (readdir/getdents). When the file is not listed: bingo!! the new GID is the MAGIC_GID of a rootkit. The rootkit is hidding the file. | ||
|
|
||
|
|
||
| How the check if the analysis is working good: ls in the temp path of lsrootkit | ||
|
|
||
| ``` | ||
| [!! root@fr33project 14:22:04 ~]# ls -l /tmp/lsroot.SdbfpS | ||
| total 0 | ||
| -rw-r--r-- 1 root 4026594762 0 May 27 14:21 140675378259712.files | ||
| -rw-r--r-- 1 root 3758158753 0 May 27 14:21 140675388749568.files | ||
| -rw-r--r-- 1 root 3489726270 0 May 27 14:21 140675399239424.files | ||
| -rw-r--r-- 1 root 3221289355 0 May 27 14:21 140675409729280.files | ||
| -rw-r--r-- 1 root 2952853954 0 May 27 14:21 140675420219136.files | ||
| -rw-r--r-- 1 root 2684416720 0 May 27 14:21 140675430708992.files | ||
| -rw-r--r-- 1 root 2415982578 0 May 27 14:21 140675441198848.files | ||
| -rw-r--r-- 1 root 2147546885 0 May 27 14:21 140675451688704.files | ||
| -rw-r--r-- 1 root 1879112486 0 May 27 14:21 140675462178560.files | ||
| -rw-r--r-- 1 root 1610675753 0 May 27 14:21 140675472668416.files | ||
| -rw-r--r-- 1 root 1342242039 0 May 27 14:21 140675483158272.files | ||
| -rw-r--r-- 1 root 1073805230 0 May 27 14:21 140675493648128.files | ||
| -rw-r--r-- 1 root 805369459 0 May 27 14:21 140675504137984.files | ||
| -rw-r--r-- 1 root 536932663 0 May 27 14:21 140675514627840.files | ||
| -rw-r--r-- 1 root 268497886 0 May 27 14:21 140675525117696.files | ||
| -rw-r--r-- 1 root 60838 0 May 27 14:21 140675535607552.files | ||
| ``` | ||
|
|
||
| ``` | ||
| [!! root@fr33project 14:22:10 ~]# ls -l /tmp/lsroot.SdbfpS | ||
| total 0 | ||
| -rw-r--r-- 1 root 4026614564 0 May 27 14:21 140675378259712.files | ||
| -rw-r--r-- 1 root 3758177213 0 May 27 14:21 140675388749568.files | ||
| -rw-r--r-- 1 root 3489745995 0 May 27 14:21 140675399239424.files | ||
| -rw-r--r-- 1 root 3221308027 0 May 27 14:21 140675409729280.files | ||
| -rw-r--r-- 1 root 2952872962 0 May 27 14:21 140675420219136.files | ||
| -rw-r--r-- 1 root 2684435702 0 May 27 14:21 140675430708992.files | ||
| -rw-r--r-- 1 root 2416001384 0 May 27 14:21 140675441198848.files | ||
| -rw-r--r-- 1 root 2147565897 0 May 27 14:21 140675451688704.files | ||
| -rw-r--r-- 1 root 1879132036 0 May 27 14:21 140675462178560.files | ||
| -rw-r--r-- 1 root 1610694197 0 May 27 14:21 140675472668416.files | ||
| -rw-r--r-- 1 root 1342261085 0 May 27 14:21 140675483158272.files | ||
| -rw-r--r-- 1 root 1073823702 0 May 27 14:21 140675493648128.files | ||
| -rw-r--r-- 1 root 805388313 0 May 27 14:21 140675504137984.files | ||
| -rw-r--r-- 1 root 536951073 0 May 27 14:21 140675514627840.files | ||
| -rw-r--r-- 1 root 268516353 0 May 27 14:21 140675525117696.files | ||
| -rw-r--r-- 1 root 80117 0 May 27 14:21 140675535607552.files | ||
| ``` | ||
|
|
||
| You should see 16 files changing their GID very fast in each ls -l | ||
|
|
||
| ## For processes (KILL) | ||
|
|
||
| 1) It creates a PARENT and a CHILD processes. | ||
| 2) The CHILD is sleeping forever. | ||
| 3) The PARENT send all possibles signals to child using kill. | ||
| 4) In each iteration, the PARENT check if exist the PID of the child in: /proc (readdir/getdents). When the child PID is not listed: bingo!! the kill ACTUAL_SIGNAL is used by a rootkit to hidding the process. | ||
|
|
||
| ## Help & cmdline | ||
|
|
||
| ``` | ||
| Usage: lsrootkit [OPTION...] | ||
| lsrootkit options (all analysis are ON by default): | ||
| --disable-colors Disable colours in output | ||
| --disable-each-display Disable each display messages | ||
| --only-gid-files Only bruteforce files GID | ||
| --only-gid-processes Only bruteforce processes GID | ||
| --only-kill-processes Only bruteforce processes Kill | ||
| --report-path[=FILE] Set new report path. it needs also the name. | ||
| Example: --report-path=/root/analysis.txt | ||
| --tmp-path[=FILE] Set new temp path dir. Example: | ||
| --tmp-path=/var/tmp | ||
| -?, --help Give this help list | ||
| --usage Give a short usage message | ||
| -V, --version Print program version | ||
| ``` | ||
|
|
||
| # Detected Rootkits | ||
|
|
||
| Please, I need your help to mantain this list!! (create an issue with info) | ||
|
|
||
| - enyelkm: LKM rootkit for Linux x86 with the 2.6 kernel. https://github.com/David-Reguera-Garcia-Dreg/enyelkm | ||
| - detected via: normal detection. | ||
| - reported by: Dreg | ||
| - vlany: Linux LD_PRELOAD rootkit (x86 and x86_64 architectures). https://github.com/mempodippy/vlany | ||
| - detected via: crash of the process & setgid safe-guard. | ||
|  | ||
| - reported by: Dreg | ||
| - reptile: LKM Linux rootkit. https://github.com/f0rb1dd3n/Reptile | ||
| - detected via: normal detection. | ||
| - reported by: Dreg | ||
| - jynx2: LD_PRELOAD userland rootkit based on the original JynxKi. https://github.com/chokepoint/Jynx2 | ||
| - detected via: normal detection. | ||
| - reported by: Dreg | ||
| - jynxkit: LD_PRELOAD userland rootkit for Linux. https://github.com/chokepoint/jynxkit | ||
| - detected via: normal detection. | ||
| - reported by: Dreg | ||
|
|
||
| # TODO | ||
|
|
||
| empty | ||
|
|
||
| # Referenced by | ||
|
|
||
| empty | ||
|
|
||
| # Credits | ||
|
|
||
| * **Main Developer from 2013**: David Reguera Garcia aka Dreg dreg@fr33project.org http://www.fr33project.org https://github.com/David-Reguera-Garcia-Dreg | ||
|
|
||
| ## Contributors | ||
|
|
||
| * **micronn**: https://github.com/micronn https://twitter.com/micronn386?lang=en |
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Oops, something went wrong.