I wrote prochunter around 2002, after the publication of the SuckIT rootkit by sd. I just spent a few hours making it runnable on modern kernels (tested on 4.x), so don't blame me for the
Prochunter aims to find processes hidden by all userspace and most kernelspace rootkits.
This tool is composed of a kernel module that prints out all running processes using the task_struct list and creates the /sys/kernel/proc_hunter/set entry, and a Python script that invokes
the kernel function and diffs the module output against the process list collected with a userspace pslist (/proc walking).
Almost all public Linux kernel rootkits try to hide processes via the /proc VFS, to remove the hidden processes from ps/top/etc. output.
Others use the trick of changing the evil process's pid to 0 (but the exit call will panic the kernel).
As far as I know only adore-ng, fuuld and some non-working PoCs from academic papers use DKOM (in particular: unlinking the process from the task_struct/pidhash lists).
(Un)fortunately the latter are stable only on kernel 2.4.x schedulers like SCHED_FIFO or SCHED_RR, because the scheduler doesn't rely on the task_struct or pidhash list to make a context switch
among the processes, but on modern kernels (2.6+, yeah, not so modern) with CFS (now the default on Linux) they are very unusable, but..;p
Nov 8th 2017
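The userspace half of the approach described above (kernel-side task list vs. a /proc walk), as an added illustration that is not prochunter's own script. The "<pid> <comm>" one-per-line dump format, the sample dump and the two /proc snapshots are constructed for the example; the pid-0 check follows the trick mentioned in the post.

```python
"""Diff a kernel-side task list against /proc to find hidden PIDs.

Added example, not prochunter's code. The kernel dump format
("<pid> <comm>" per line) is an assumption about what the module prints.
"""
import os
import re
from typing import Dict, List, Set, Tuple

LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)")


def parse_kernel_pslist(text: str) -> List[Tuple[int, str]]:
    """Parse the module's dump into (pid, comm) pairs.

    A list, not a dict, because several tasks may legitimately share
    pid 0 (one idle task per CPU) and we must not collapse them.
    """
    tasks = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            tasks.append((int(m.group(1)), m.group(2)))
    return tasks


def proc_pslist(proc_root: str = "/proc") -> Set[int]:
    """Userspace view: every numeric directory under /proc is a visible PID."""
    if not os.path.isdir(proc_root):
        return set()
    return {int(d) for d in os.listdir(proc_root) if d.isdigit()}


def find_hidden(kernel: List[Tuple[int, str]],
                proc_snapshots: Tuple[Set[int], ...]) -> Dict[str, object]:
    """Compare the kernel task list with one or more /proc snapshots.

    Several snapshots are taken so that a process which exited between
    the kernel dump and the walk is not reported as hidden: a pid is only
    flagged when it is absent from *every* snapshot.  Conversely a pid
    seen in every snapshot but missing from the kernel list is reported
    separately (it most likely started after the dump was taken).
    """
    absent_everywhere = set.intersection(*[
        {pid for pid, _ in kernel} - snap for snap in proc_snapshots
    ])
    hidden = {pid: comm for pid, comm in kernel if pid in absent_everywhere and pid != 0}
    # The idle tasks are the only legitimate pid-0 entries; their comm is
    # "swapper" (or "swapper/N" per CPU).  Anything else with pid 0 is the
    # "set pid to 0" hiding trick.
    pid_zero = [comm for pid, comm in kernel
                if pid == 0 and not comm.startswith("swapper")]
    present_everywhere = set.intersection(*proc_snapshots)
    unmatched = present_everywhere - {pid for pid, _ in kernel}
    return {"hidden": hidden, "pid_zero": pid_zero, "unmatched": unmatched}


# Constructed sample: what the module might print, with two hidden tasks.
KERNEL_DUMP = """0 swapper/0
1 systemd
2 kthreadd
1337 evil
0 evil2
4242 sshd
"""

# Constructed /proc snapshots: pid 5000 exits between the two walks.
VISIBLE_1 = {1, 2, 4242, 5000}
VISIBLE_2 = {1, 2, 4242}

if __name__ == "__main__":
    # On a live box: feed the module output to parse_kernel_pslist() and
    # pass a few proc_pslist() calls as the snapshots.
    report = find_hidden(parse_kernel_pslist(KERNEL_DUMP), (VISIBLE_1, VISIBLE_2))
    for pid, comm in report["hidden"].items():
        print(f"hidden from /proc: pid {pid} ({comm})")
    for comm in report["pid_zero"]:
        print(f"suspicious pid 0 task: {comm}")
    for pid in report["unmatched"]:
        print(f"in /proc but not in kernel list (race?): pid {pid}")
```

Because the script is the only part that can be fooled by a rootkit hooking /proc, the kernel-side list is the ground truth here; a DKOM rootkit that unlinks the task from the task_struct list (the adore-ng style mentioned above) would defeat this diff, which is exactly the limitation the post describes.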