lsrootkit

Rootkit Detector for UNIX (the actual beta only works as expected in Linux)

Features

The idea is very simple: a lot of rootkits uses a MAGIC GID (a random GID generated) to hide processes and files. This tool finds rootkits bruteforcing all GIDs possible in the system.

• Processes: Full GIDs process occupation (processes GID bruteforcing)
• Files: Full GIDs file occupation (files GID bruteforcing)

It also can detect some rootkits safeguards and strange things in the hooked code.

Also, some rootkits use a MAGIC (kill) SIGNAL (a random SIGNAL generated) to hide processes. This tool can bruteforcing all Signals possible in the system:

• Processes: Kill Signal process occupation (processes Kill bruteforcing)

lsrootkit needs run as root or with caps for bruteforce: stat, chown, setgid & access to /proc

Warning: each analysis-feature can take: 48 hours in a QUADCORE CPU 3100.000 MHz (NO SSD).

For processes (GID)

1. It creates a PARENT and a CHILD processes.
2. The CHILD in a loop from 0 to MAX_GID_POSSIBLE calls to setgid(ACTUAL_GID).
3. The CHILD sends the new GID to PARENT via a pipe. (It calls to getgid() to get the new gid).
4. If the GID returned from getgid() is different from ACTUAL_GID (used in setgid(ACTUAL_GID)): Alert! this is impossible, can be a rootkit doing strange things.
5. If setgid(ACTUAL_GID) fails: Alert! this is impossible, can be a rootkit doing strange things.
6. If in two loop-iterations the GID returned is the same (last_gid == new_gid): Alert! this is impossible, can be a rootkit doing strange things.
7. In each iteration, the PARENT checks if exist the PID of the child in: /proc (readdir/getdents). When the child PID is not listed: bingo!! the new GID is the MAGIC_GID of a rootkit. The rootkit is hidding the process.
8. Also, the PARENT checks if the ACTUAL_GID recived from the PIPE is the same listed in /proc/pid/status. When is different: Alert! this is impossible, can be a rootkit doing strange things.

For files (GID)

1. It creates a loop from 0 to MAX_GID_POSSIBLE calling to chown(ACTUAL_GID).
2. If the GID returned from stat() is different from ACTUAL_GID (used in chown(ACTUAL_GID)): Alert! this is impossible, can be a rootkit doing strange things.
3. If chown(ACTUAL_GID) or stat() fails: Alert! this is impossible, can be a rootkit doing strange things.
4. If in two loop-iterations the GID returned is the same (last_gid == new_gid): Alert! this is impossible, can be a rootkit doing strange things.
5. In each iteration, the process checks if exist the file in the directory (readdir/getdents). When the file is not listed: bingo!! the new GID is the MAGIC_GID of a rootkit. The rootkit is hidding the file.

Install

git clone https://github.com/David-Reguera-Garcia-Dreg/lsrootkit.git
cd lsrootkit
gcc -lpthread -o lsrootkit lsrootkit.c

If fails try:

gcc -pthread -o lsrootkit lsrootkit.c

Use

Very Important: if lsrootkit process crash you can have a rootkit in the system with some bugs: memory leaks etc.

Usage: lsrootkit [OPTION...]

lsrootkit options (all analysis are ON by default):



      --disable-colors       Disable colours in output

      --disable-each-display Disable each display messages

      --only-gid-files       Only bruteforce files GID

      --only-gid-processes   Only bruteforce processes GID

      --only-kill-processes  Only bruteforce processes Kill

      --report-path[=FILE]   Set new report path. it needs also the name.

                             Example: --report-path=/root/analysis.txt

      --tmp-path[=FILE]      Set new temp path dir. Example:

                             --tmp-path=/var/tmp

  -?, --help                 Give this help list

      --usage                Give a short usage message

  -V, --version              Print program version

Copyright (c) 2018 David Reguera Garcia aka Dreg

Source: https://github.com/David-Reguera-Garcia-Dreg/