From: Josh Stone
To: systemtap@sourceware.org
Subject: Re: rootkits and hidden processes
Date: Mon, 21 Oct 2013 18:27:00 -0000
Message-ID: <5265722C.6040708@redhat.com>

On 10/19/2013 04:07 AM, ch2009@arcor.de wrote:
> Dear all,
>
> is it possible to find rootkits with systemtap? How to list all processes?
>
> There's a presentation about systemtap and "rootkits made trivial",
> so finding rootkits shouldn't be too hard!

It's tough to say -- I think you'll be in an arms-race in detecting the various ways a rootkit can hide itself. For instance, that presentation only outlines how to hide from the module list. But it uses kprobes for this, so it will be visible in {debugfs}/kprobes/list. Thus, the next generation rootkit would be wise to also hide itself there. And so it continues.

A systemtap rootkit-detector does have the advantage of more direct access to kernel data. The presentation's module-hiding worked by hooking m_start/m_stop, which only hides from procfs, but a stap script could read the modules list at any time.

For listing all processes, I don't think we have any specific support. Perhaps probe process.begin or process.thread.begin will work for you, but those only trigger the first time a process/thread actually runs. If you drop to embedded-C, you can use for_each_process or even do_each_thread{...}while_each_thread, although those should use tasklist_lock, which isn't exported. You could cheat that by using a probe point where that lock is already held, much like the presentation did for tweaking the module list.
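A concrete form of the embedded-C approach the reply above sketches, added here as an illustration; it is not code from this thread or from the SystemTap project. It assumes guru mode (stap -g), kernel headers matching the running kernel, and the STAP_PRINTF / STAP_RETVALUE macros that SystemTap documents for embedded-C functions; the file name list_tasks.stp is made up. In place of tasklist_lock, which the reply notes is not exported, it takes rcu_read_lock(): the assumption is that a read-only pass over the RCU-protected task list, copying only pid and comm and following no pointers out of the task_struct, is safe under that lock alone.

```systemtap
/* list_tasks.stp (made-up name): walk the kernel's task list directly
 * rather than reading /proc, so a rootkit that only hooks procfs (the
 * m_start/m_stop style discussed above) cannot filter what we print.
 *
 * Run:   stap -g list_tasks.stp
 * Cross-check against procfs (pids the kernel knows but /proc hides):
 *   stap -g list_tasks.stp | awk '$1 ~ /^[0-9]+$/ {print $1}' | sort -n > kernel.txt
 *   ls /proc | grep -E '^[0-9]+$' | sort -n > proc.txt
 *   comm -23 kernel.txt proc.txt
 */
%{
#include <linux/sched.h>
#include <linux/rcupdate.h>
/* Newer kernels moved for_each_process() to linux/sched/signal.h. */
#ifdef __has_include
#  if __has_include(<linux/sched/signal.h>)
#    include <linux/sched/signal.h>
#  endif
#endif
%}

/* Print "pid comm" for every thread-group leader and return the count.
 * Assumption: rcu_read_lock() is enough for this read-only walk; we copy
 * pid and comm only and never dereference past the task_struct itself.
 * (tasklist_lock is not exported, as noted in the reply.) */
function walk_task_list:long () %{
    struct task_struct *p;
    long n = 0;

    rcu_read_lock();
    for_each_process(p) {
        STAP_PRINTF("%d %s\n", p->pid, p->comm);
        n++;
    }
    rcu_read_unlock();
    STAP_RETVALUE = n;
%}

probe begin {
    n = walk_task_list()
    /* The summary line starts with '#' so the awk filter above skips it. */
    printf("# %d tasks on the kernel task list\n", n)
    exit()
}
```

Two caveats when using the comm(1) comparison. The stap run and the ls /proc run are separate snapshots, so a process that starts or exits between them shows up as a spurious difference; repeat the check and keep only pids that persist across runs. More importantly, this still trusts the task list itself: it defeats the procfs-hooking class of hider, but a rootkit that unlinks its task_struct from that list while the task stays schedulable is invisible here as well, which is exactly the next round of the arms race the reply describes. The same idea then has to be applied against a second, independent view of the same data (the pid hash, the scheduler's runqueues) and the views diffed against each other.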