System Administration

Prochunter – Linux Process Hunter

Prochunter aims to find hidden process with all userspace and most of the kernelspace rootkits.  This tool is composed of a kernel module that prints out all running processes walking the task_struct list and creates /sys/kernel/proc_hunter/set entry. A python script that invokes the kernel function and diffs the module output with processes list collected from userspace (/proc walking).

Almost all public linux kernel rootkits try to hide processes via /proc VFS to remove the hidden processes from ps/top/etc. output. Others use the trick to change the evil process pid to 0 (but the exit call will panic the kernel)

 

Compilation

  • The python script requires python3 and psutil.
  • The kernel module just needs the kernel headers.
make

 

How to use

$ ./prochunter.py 
usage: prochunter.py [-h] [--ps] [--pstree] [-p] [-d] [-r] [-S hostname]

optional arguments:
-h, --help   show this help message and exit
--ps         Print process list from kmod.
--pstree     Print process tree from kmod.
-p           Install prochunter in persistence mode (https://cdn-cyberpunk.netdna-ssl.com/sys entry created).
-d           Run process list diff when in persistence mode.
-r           Run process list diff once.
-S hostname  remote syslog server



 - Print running process including the hidden processes. :)
 sudo ./prochunter.py --ps

 - Print running process tree
 sudo ./prochunter --pstree

 - Install the module in persistence mode.
sudo ./prochunter.py -p 

 - Invoke prochunter via /sys and show hidden processes (if any), useful with cron.
sudo ./prochunter.py -d

- Invoke prochunter via /sys and show hidden processes and send logs to a remote syslog server.
sudo ./prochunter.py -d -S 10.0.0.2

 - Run prochunter without persistence.
sudo ./prochunter.py -r

 

Example

$ ./chkrootkit 
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
[...]
Checking `rlogind'... not infected
Checking `rshd'... not found
Checking `slogin'... not found
Checking `sendmail'... not found
Checking `sshd'... /usr/bin/strings: Warning: '/' is a directory
not infected
[...]
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
[...]
chkutmp: nothing deleted


this is with prochunter

$ sudo ./prochunter.py -r

[!] Found 1 hidden process

PID Name
0   sshd

Download Prochunter