Prochunter aims to find processes hidden by all userspace rootkits and most kernelspace rootkits. The tool is composed of two parts: a kernel module, which prints all running processes by walking the task_struct list and creates the /sys/kernel/proc_hunter/set entry, and a Python script, which invokes the kernel function and diffs the module output with the process list collected from userspace (/proc walking).
Almost all public Linux kernel rootkits hide processes through the /proc VFS, so that the hidden processes disappear from the output of ps, top, etc. Others use the trick of changing the evil process's PID to 0 (but the exit call will then panic the kernel).
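The diff described above, as an added example that is not Prochunter's own code: it compares a kernel-side task listing with the numeric directories visible under /proc and reports PIDs that only the kernel knows about. The "<pid> <comm>" line format, the function names and the sample data are assumptions made for illustration; the module's real output format is not shown on this page.

```python
import os
import re
import tempfile

# Assumed line format for the kernel-side listing: "<pid> <comm>".
# This is NOT Prochunter's real output format, only a stand-in.
KERNEL_LINE = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")

def parse_kernel_listing(text):
    """Return {pid: comm} from the kernel-side task listing."""
    tasks = {}
    for line in text.splitlines():
        m = KERNEL_LINE.match(line)
        if m:
            tasks[int(m.group(1))] = m.group(2)
    return tasks

def walk_proc(root="/proc"):
    """Return the set of PIDs visible as numeric directories under root."""
    return {int(name) for name in os.listdir(root)
            if name.isdigit() and os.path.isdir(os.path.join(root, name))}

def find_hidden(kernel_tasks, user_before, user_after):
    """PIDs the kernel lists but neither userspace sample saw.

    Sampling /proc before and after the kernel listing filters out a process
    that started or exited during the window. One that both started and
    exited inside the window can still be misreported, so re-run to confirm.
    """
    seen = user_before | user_after
    return {pid: comm for pid, comm in kernel_tasks.items() if pid not in seen}

def demo():
    """Run the diff on constructed data: a fake /proc tree and listing."""
    kernel_text = "1 systemd\n812 sshd\n4242 kworker_x\n5000 short_lived\n"
    with tempfile.TemporaryDirectory() as root:
        for pid in (1, 812):
            os.mkdir(os.path.join(root, str(pid)))
        os.mkdir(os.path.join(root, "self"))       # non-numeric, ignored
        before = walk_proc(root)
        tasks = parse_kernel_listing(kernel_text)  # kernel snapshot
        os.mkdir(os.path.join(root, "5000"))       # appeared after first walk
        after = walk_proc(root)
    return find_hidden(tasks, before, after)

if __name__ == "__main__":
    for pid, comm in sorted(demo().items()):
        print(f"hidden from /proc: pid={pid} comm={comm}")
```

On a live system, `walk_proc()` would be called with its default root and the kernel listing would come from the module's output instead of the constructed string.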
Compilation
- The Python script requires python3 and psutil.
- The kernel module just needs the kernel headers.
make