listps

listps is a small Linux program to show all running processes, including hidden ones.

listps Ranking & Summary


  • License: GPL
  • Price: FREE
  • Publisher Name: Christian Stigen Larsen


listps Description

listps is a small Linux program to show all running processes, including hidden ones. It only works with /proc filesystems.

On systems compromised with various rootkits, e.g. suckit 1.3e, listps will be able to explicitly list hidden processes that are running.

It does this by explicitly querying the /proc filesystem for process IDs in the range 1 to 33000.

Swapped out processes are printed in parentheses.

Example output

In the session below I install suckit 1.3e on a Linux box, hide two processes (crond and smbd) and use listps to list them. First, let's install suckit 1.3e on the host:

    # uname -a
    Linux ares.sublevel3.org 2.4.20-20.7custom #1 SMP Tue Sep 23 14:30:50 CEST 2003 i686 unknown
    # ./sksu
    I love you baby
    Show begins Test mode 0 RK_Init: idt=0xc0328000, sct[]=0xc02c68e0
    kma_hint=0x00000000
    kmalloc()=0xc012fcb0, gfp=0x1f0
    Z_Init: Allocating kernel-code memory...
    KINIT(0xd04d9c64) sct 0xc02c68e0
    sctp 0xbfffcde0 oldsys 0xc010cf40
    Done, 11635 bytes, base=0xd04d8000

Now let's hide crond and smbd (pids 577 and 613):

    # ./sksu
    I love you baby
    Detected version: 1.3e
    use:
    ./sksu t - test instalation objective
    f - force instalation
    u - uninstall
    i - make pid invisible
    v - make pid visible
    f - toggle file hiding
    p - toggle pid hiding
    # ./sksu i 577
    I love you baby
    Detected version: 1.3e
    Pid 577 is hidden now!
    # ./sksu i 613
    I love you baby
    Detected version: 1.3e
    Pid 613 is hidden now!

Let's see if ps(1) finds them:

    # ps auxwww | egrep 'crond|smbd'
    root 2160 0.0 0.1 1516 552 pts/1 S 15:24 0:00 egrep crond|smbd
    #

Try running listps:

    # listps -d
      PID COMMAND
      577 crond (hidden)
      613 smbd (hidden)
    #

Finally, let's uninstall suckit:

    # ./sksu v 577
    I love you baby
    Detected version: 1.3e
    Pid 577 is visible now!
    # ./sksu v 613
    I love you baby
    Detected version: 1.3e
    Pid 613 is visible now!
    # ./sksu u
    I love you baby
    Detected version: 1.3e
    Suckit uninstalled sucesfully!
    # listps -d
      PID COMMAND
    #

What's New in This Release:

  • The program was rewritten in plain ANSI C.
  • Parameters to specify PID ranges were added.
  • A "configure" install script was added.
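The check behind the (hidden) lines in the session above, as an added example that is not listps's own source code: list /proc with readdir(), then ask for each PID from 1 to 33000 by name and report the ones that answer but were not listed. The function names, the root parameter, the rule used to decide "hidden" and the Tgid filter (on current kernels, threads answer by name but are never listed) are assumptions of this example.

```c
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PID_MAX 33000 /* top of the PID range the page says listps probes */

/* Record each numeric entry that readdir() reports under root (normally /proc). */
static int scan_listed(const char *root, unsigned char *seen) {
    DIR *d = opendir(root);
    struct dirent *e;
    if (!d) return -1;
    memset(seen, 0, PID_MAX + 1);
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (end != e->d_name && *end == '\0' && pid >= 1 && pid <= PID_MAX)
            seen[pid] = 1;
    }
    closedir(d);
    return 0;
}

/* Open <root>/<pid>/status by name; count thread-group leaders only (Tgid == pid). */
static int probe_pid(const char *root, long pid) {
    char path[4096], line[256];
    long tgid = -1;
    FILE *f;
    snprintf(path, sizeof path, "%s/%ld/status", root, pid);
    if ((f = fopen(path, "r")) == NULL) return 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid: %ld", &tgid) == 1) break;
    fclose(f);
    return tgid == pid;
}

/* Assumed rule: "hidden" = answers the probe by name but was absent from the listing. */
static int count_hidden(const char *root, const unsigned char *seen, long lo, long hi) {
    int hidden = 0;
    for (long pid = lo < 1 ? 1 : lo; pid <= hi && pid <= PID_MAX; pid++)
        if (!seen[pid] && probe_pid(root, pid)) {
            printf("%5ld (hidden)\n", pid);
            hidden++;
        }
    return hidden;
}

int main(void) {
    static unsigned char seen[PID_MAX + 1];
    if (scan_listed("/proc", seen) != 0) return 2;
    return count_hidden("/proc", seen, 1, PID_MAX) > 0; /* exit 1 if any PID was hidden */
}
```

A process that starts between the listing and the probe shows up as a one-off hit, so a reported PID should be confirmed with a second run.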

