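/*
 * knarkfinder.c, part of the knark package v0.42
 * Linux 2.1-2.2 hidden process detector
 * (c) Creed @ #hack.se 1999
 *
 * This program finds processes hidden by kernel trojans like knark
 * (probably some others too).
 *
 * This program/lkm may NOT be used in an illegal way,
 * or to cause damage of any kind.
 *
 * See README for more info.
 *
 * How it works: the kernel's task[] pointer array is read out of
 * /dev/kmem, the init task (pid 1) is located in it, and the task list
 * is then walked through next_task.  Every pid met on that walk that
 * does not show up as a /proc directory is reported.  The result is
 * only as trustworthy as the /dev/kmem reads it is built from.
 */

/* NOTE(review): the header names were lost from this copy of the file
 * and have been reconstructed from the identifiers used below. */
#define __KERNEL__
#include <linux/sched.h>        /* struct task_struct, NR_TASKS */
#undef __KERNEL__

#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* pids currently visible in /proc; procpid[0..nprocpid-1] are valid.
 * A trailing 0 entry is kept whenever there is room so anything that
 * still scans for the 0 terminator keeps working. */
pid_t procpid[NR_TASKS];
static int nprocpid = 0;

/* Print the errno message for the last failed call, prefixed by reason,
 * and abort the run. */
void die(const char *reason)
{
    perror(reason);
    exit(EXIT_FAILURE);
}

/* Re-read /proc and record every all-digit directory name as a pid.
 * The count is capped at NR_TASKS so a large /proc cannot overrun
 * procpid, and opendir() failure is reported instead of dereferenced. */
void update_procpids(void)
{
    DIR *dir = opendir("/proc");
    struct dirent *ent;

    if (!dir)
        die("Can't open /proc");

    nprocpid = 0;
    while (nprocpid < NR_TASKS && (ent = readdir(dir)) != NULL) {
        char *end;
        unsigned long v = strtoul(ent->d_name, &end, 10);

        /* ".", "..", "self", "cpuinfo", ... are not pids; require the
         * whole name to be digits instead of atoi()'s leading-prefix parse */
        if (end == ent->d_name || *end != '\0' || v == 0)
            continue;
        procpid[nprocpid++] = (pid_t)v;
    }
    closedir(dir);

    if (nprocpid < NR_TASKS)
        procpid[nprocpid] = 0;
}

/* Return 1 if pid was seen in /proc by the last update_procpids(), else 0. */
int is_procpid(pid_t pid)
{
    for (int i = 0; i < nprocpid; i++)
        if (procpid[i] == pid)
            return 1;
    return 0;
}

/* Read exactly len bytes of kernel memory at addr into buf.  Any seek or
 * read failure, including a short read, aborts the run so the caller
 * never acts on a partially filled task_struct or pointer table. */
static void kmem_read(int fd, unsigned long addr, void *buf, size_t len)
{
    unsigned char *dst = buf;
    size_t done = 0;

    if (lseek(fd, (off_t)addr, SEEK_SET) == (off_t)-1)
        die("lseek /dev/kmem");

    while (done < len) {
        ssize_t n = read(fd, dst + done, len - done);

        if (n < 0)
            die("read /dev/kmem");
        if (n == 0) {
            fprintf(stderr, "Short read from /dev/kmem\n");
            exit(EXIT_FAILURE);
        }
        done += (size_t)n;
    }
}

/* Look up the address of the exported kernel symbol "kstat" in
 * /proc/ksyms.  Lines look like "<hex addr> <symbol> [module]".  The
 * symbol is matched at the start of its own token (so a modversioned
 * "kstat_R..." name still matches) rather than anywhere in the line,
 * which is what a bare strstr() would do.  Lines without a space are
 * skipped instead of dereferencing a NULL strchr() result.
 * Returns 0 when no usable line is found. */
static unsigned long find_kstat_addr(void)
{
    FILE *fp = fopen("/proc/ksyms", "r");
    char line[1024];
    unsigned long addr = 0;

    if (!fp)
        die("Can't open /proc/ksyms");

    while (fgets(line, sizeof line, fp)) {
        char *sp = strchr(line, ' ');
        char *end;

        if (!sp)
            continue;
        *sp = '\0';
        if (strncmp(sp + 1, "kstat", 5) != 0)
            continue;

        addr = strtoul(line, &end, 16);
        if (end == line) {      /* not a hex address after all */
            addr = 0;
            continue;
        }
        break;
    }
    fclose(fp);
    return addr;
}

int main(void)
{
    struct task_struct task, *tasks[NR_TASKS];
    unsigned long kstat_addr = find_kstat_addr();
    int kmem_fd, i, found_init = 0, steps;

    if (!kstat_addr) {
        /* no errno to report here, so plain stderr instead of die() */
        fprintf(stderr, "Couldn't get kstat address ?!\n");
        exit(EXIT_FAILURE);
    }

    if ((kmem_fd = open("/dev/kmem", O_RDONLY)) == -1)
        die("Can't open /dev/kmem");

    /* The task[] array is assumed to sit directly in front of kstat in
     * the kernel's data segment, which is the 2.1/2.2 layout this tool
     * targets -- NOTE(review): check that against the running kernel's
     * System.map before trusting output from any other kernel. */
    kmem_read(kmem_fd, kstat_addr - NR_TASKS * sizeof(struct task_struct *),
              tasks, sizeof tasks);

    /* Locate init by pid rather than by slot, so task is only ever read
     * after it has actually been filled from kernel memory. */
    for (i = 0; i < NR_TASKS; i++) {
        if (!tasks[i])
            continue;
        kmem_read(kmem_fd, (unsigned long)tasks[i], &task, sizeof task);
        if (task.pid == 1) {
            found_init = 1;
            break;
        }
    }
    if (!found_init) {
        fprintf(stderr, "Couldn't find init task\n");
        exit(EXIT_FAILURE);
    }

    update_procpids();
    printf("Invisible processes:\n");

    /* Walk the circular next_task list starting at init.  A list can
     * hold at most NR_TASKS entries, so the step cap keeps a corrupted
     * or looped list from spinning forever. */
    for (steps = 0; steps < NR_TASKS; steps++) {
        if (!is_procpid(task.pid))
            printf("%d\n", (int)task.pid);
        kmem_read(kmem_fd, (unsigned long)task.next_task, &task, sizeof task);
        if (!task.pid || task.pid == 1)
            break;
    }
    if (steps == NR_TASKS)
        fprintf(stderr, "Warning: task list did not return to init within %d entries\n",
                NR_TASKS);

    close(kmem_fd);
    return 0;
}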