unhide-linux-bruteforce.c: move PID tables from stack to heap

unhide-linux.c and unhide-posix.c: change default max_pid value (for 64 bits systems) unhide_rb.c: Increase the max number of PID so it doesn't crash in 64 bits systems. update version date update README.txt (build instruction) update NEWS file
illicius · Oct 16, 2021 · 307ba45 · 307ba45
1 parent ea06893
commit 307ba45
Show file tree

Hide file tree

Showing 7 changed files with 189 additions and 55 deletions.
diff --git a/NEWS b/NEWS
@@ -1,3 +1,22 @@
+Changes since 20210124 :
+**********************
+
+BUG FIXES
+  - Correct two typo in english man pages
+  - Dirty hacks in unhide_rb to increase the max number of PID so it doesn't crash in 64 bits systems.
+
+ENHANCEMENTS
+  - In brute test, allocate PID tables on the heap instead of stack, as maxpid on 64 bits Linux may cause a stack overflow.
+  - unhide-linux and unhide-posix: set the default value of max_pid to 8388608.
+
+GUI
+  - N/A
+
+MISCELLANOUS
+  - Update README.txt (build instructions and some document layout)
+  - Clearly indicate in its display header of unhide_rb that it SHOULD NOT be used for serious work.
+
+
 Changes since 20130526 :
 **********************
 

diff --git a/README.txt b/README.txt
@@ -27,15 +27,20 @@ Detecting hidden processes. Implements six main techniques
 // ---------
 
 It's a back port in C language of the ruby unhide.rb
-As the original unhide.rb, it is roughly equivalent to "unhide-linux quick reverse" :
+
+As the original unhide.rb, it is roughly equivalent to "unhide-linux quick reverse" but:
 - it makes three tests less (kill, opendir and chdir),
-- it only run /bin/ps once at start and once for the double check,
-- also, its tests are less accurate (e.g.. testing return value instead of errno),
+- it only run /bin/ps once at start and once for the double check, this gives more false positives:
+   short live processes are seen as hidden.
+- also, its tests are less accurate (e.g. testing return value instead of errno),
+- it doesn't scale well when max_PID number increases,
 - processes are only identified by their exe link (unhide-linux also use cmdline and
   "sleeping kernel process" name),
 - there's little protection against failures (failed fopen or popen by example),
 - there's no logging capability.
-It is very quick, about 80 times quicker than "unhide-linux quick reverse"
+
+On 32 bits system (with max_PID = 2^16) It is about 80 times quicker than "unhide-linux quick reverse"
+On 64 bits system (with max_PID = 2^22) It is about 2 times quicker than "unhide-linux quick reverse"
 
 // Unhide-TCP
 // ----------
@@ -92,29 +97,33 @@ man/fr/unhide-tcp.8 -- French man page of unhide-tcp
 // Compiling
 // ---------
 
-Build requires
+ Build requires :
+ --------------
    glibc-devel
    glibc-static-devel
 
-Require
-- unhide-tcp under linux :
-   iproute2
-   net-tools (for netstat)
-   lsof
-   psmisc (for fuser)
-- unhide-tcp under freeBSD :
-   sockstat
-   lsof
-   netstat
+ Requires :
+ --------
+   - unhide-tcp under linux :
+      iproute2
+      net-tools (for netstat)
+      lsof
+      psmisc (for fuser)
+   - unhide-tcp under freeBSD :
+      sockstat
+      lsof
+      netstat
 
-unhide-linux, unhide-posix, unhide_rb :
-   procps
+   - unhide-linux, unhide-posix, unhide_rb :
+      procps
+
 
+IMPORTANT : Notes that, as a forensic tool, unhide is built statically as the host system libraries may be compromised.
 
 If you ARE using a Linux kernel >= 2.6
-      gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
-      gcc -Wall -O2 --static unhide_rb.c -o unhide_rb
-      gcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp
+      gcc -Wall -Wextra -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
+      gcc -Wall -Wextra -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp
+      gcc -Wall -Wextra -O2 --static unhide_rb.c -o unhide_rb
       ln -s unhide unhide-linux
 
 Else (Linux < 2.6, *BSD, Solaris and other Unice)

diff --git a/unhide-linux-bruteforce.c b/unhide-linux-bruteforce.c
@@ -66,32 +66,64 @@ void *functionThread (void *parametro)
 void brute(void) 
 {
    int i=0;
-   int allpids[maxpid] ;
-   int allpids2[maxpid] ;
+   int* allpids;
+   int* allpids2;
    int x;
    int y;
    int z;
 
    msgln(unlog, 0, "[*]Starting scanning using brute force against PIDS with fork()\n") ;
 
-   // PID under 301 are reserved for kernel
-   for(x=0; x < 301; x++) 
+   if ( NULL == (allpids = (int *)malloc(sizeof(int) * maxpid)))
    {
-      allpids[x] = 0 ;
-      allpids2[x] = 0 ;
+      die(unlog, "Error: Cannot allocate pid arrays ! Exiting.");
    }
 
-   for(z=301; z < maxpid; z++) 
+   if(FALSE == brutesimplecheck)   // allocate second table
    {
-      allpids[z] = z ;
-      allpids2[z] = z ;
+      if ( NULL == (allpids2 = (int *)malloc(sizeof(int) * maxpid)))
+      {
+         die(unlog, "Error: Cannot allocate pid arrays ! Exiting.");
+      }
    }
 
+
+
+   if(FALSE == brutesimplecheck)   // Init the two tables
+   {
+      // PID under 301 are reserved for kernel
+      for(x=0; x < 301; x++) 
+      {
+         allpids[x] = 0 ;
+         allpids2[x] = 0 ;
+      }
+
+      for(z=301; z < maxpid; z++) 
+      {
+         allpids[z] = z ;
+         allpids2[z] = z ;
+      }
+   }
+   else   // Init only the first table
+   {
+      for(x=0; x < 301; x++) 
+      {
+         allpids[x] = 0 ;
+      }
+
+      for(z=301; z < maxpid; z++) 
+      {
+         allpids[z] = z ;
+      }
+   }
+
+   // printf("Maxpid : %06d\n", maxpid);
    for (i=301; i < maxpid; i++) 
    {
       int vpid;
       int status;
 
+      // printf("Tested pid : %06d\r", i);
       errno= 0 ;
 
       if ((vpid = vfork()) == 0) 
@@ -143,21 +175,36 @@ void brute(void)
 
    msgln(unlog, 0, "[*]Starting scanning using brute force against PIDS with pthread functions\n") ;
 
-   // PID under 301 are reserved for kernel
-   for(x=0; x < 301; x++) 
+   if(FALSE == brutesimplecheck)   // Init the two tables
    {
-      allpids[x] = 0 ;
-      allpids2[x] = 0 ;
+      // PID under 301 are reserved for kernel
+      for(x=0; x < 301; x++) 
+      {
+         allpids[x] = 0 ;
+         allpids2[x] = 0 ;
+      }
+
+      for(z=301; z < maxpid; z++) 
+      {
+         allpids[z] = z ;
+         allpids2[z] = z ;
+      }
    }
-
-
-   for(z=301; z < maxpid; z++) 
+   else   // Init only the first table
    {
-      allpids[z] = z ;
-      allpids2[z] = z ;
+      for(x=0; x < 301; x++) 
+      {
+         allpids[x] = 0 ;
+      }
+
+      for(z=301; z < maxpid; z++) 
+      {
+         allpids[z] = z ;
+      }
    }
 
 
+
    for (i=301; i < maxpid ; i++) 
    {
       void *status;
@@ -216,4 +263,12 @@ void brute(void)
          }
       }
    }
+
+   if ( NULL != allpids)
+      free((void *)allpids) ;
+
+   if ( NULL != allpids2)
+      free((void *)allpids2) ;
+
+
 }
diff --git a/unhide-linux.c b/unhide-linux.c
@@ -51,14 +51,15 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 // header
 const char header[] =
-   "Unhide 20210124\n"
+   "Unhide 20211016\n"
    "Copyright © 2010-2021 Yago Jesus & Patrick Gouin\n"
    "License GPLv3+ : GNU GPL version 3 or later\n"
    "http://www.unhide-forensics.info\n\n"
    "NOTE : This version of unhide is for systems using Linux >= 2.6 \n\n";
 
 // defauly sysctl kernel.pid_max
-int maxpid = 32768;
+# define MAX_PID 8388608
+int maxpid = MAX_PID;
 
 // Threads id for sync
 int tid ;

diff --git a/unhide-posix.c b/unhide-posix.c
@@ -65,7 +65,8 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 
 
-int maxpid= 999999;
+# define MAX_PID 8388608
+int maxpid = MAX_PID;
 // Temporary string for output
 char scratch[1000];
 
@@ -219,7 +220,7 @@ void checkgetsid() {
 
 int main (int argc, char *argv[]) {
 
-	strncpy(scratch,"Unhide-posix 20210124\n", sizeof(scratch)-1) ;
+	strncpy(scratch,"Unhide-posix 20211016\n", sizeof(scratch)-1) ;
 	strncat(scratch, "Copyright © 2013-2021 Yago Jesus & Patrick Gouin\n", sizeof(scratch)-strlen(scratch)-1);
 	strncat(scratch, "License GPLv3+ : GNU GPL version 3 or later\n", sizeof(scratch)-strlen(scratch)-1);
 	strncat(scratch, "http://www.unhide-forensics.info\n\n", sizeof(scratch)-strlen(scratch)-1);

diff --git a/unhide-tcp.c b/unhide-tcp.c
@@ -38,7 +38,7 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 // header
 const char header[] =
-       "Unhide-tcp 20210124\n"
+       "Unhide-tcp 20211016\n"
        "Copyright © 2013-2021 Yago Jesus & Patrick Gouin\n"
        "License GPLv3+ : GNU GPL version 3 or later\n"
        "http://www.unhide-forensics.info\n";