Viewing all changes in revision 15.
- Committer: Johan Walles
- Date: 2013-01-12 11:57:07 UTC
- Revision ID: johan.walles@gmail.com-20130112115707-fe863p5n08avh4l1
Identify processes hidden by the Jynx rootkit
Before this change, processes hidden by Jynx were identified by
PID. Now the path to their binaries are also printed (this
requires you to run unhide.rb as root).
What the change does more precisely is to add a PID scanner that
runs the readlink() function directly from libc. Since Jynx
overrides the readlink() loaded by the dynamic linker, we need to
load it ourselves to make sure we get the right function on an
infected system.
Original bug report here:
http://sourceforge.net/mailarchive/message.php?msg_id=28258660
Before this change, processes hidden by Jynx were identified by
PID. Now the path to their binaries are also printed (this
requires you to run unhide.rb as root).
What the change does more precisely is to add a PID scanner that
runs the readlink() function directly from libc. Since Jynx
overrides the readlink() loaded by the dynamic linker, we need to
load it ourselves to make sure we get the right function on an
infected system.
Original bug report here:
http://sourceforge.net/mailarchive/message.php?msg_id=28258660
- files modified:
- unhide.rb
expand all
collapse all
added
removed
