listps

About

listps is a small linux program to show all running processes, including hidden ones. It only works with /proc filesystems.

On systems compromised with various rootkits, like e.g. suckit 1.3e, listps will be able to explicitly list hidden processes that are running.

It does this by explicitly querying the /proc filesystem for process IDs in the range 1 to 33000.

Swapped out processes are printed in paranthesis.

Download

Version	Date	Description	Filename	Notes
0.9.0	20070208	source	listps-0.9.0.tar.gz (newest)	Added configure package, rewritten in plain C code, added params for PID-ranges
n/a	20041221	source	listps-src.tar.gz
n/a	20041221	static binary	listps.static.linux_2.2.5_i386
n/a	20041220	source	listps-src-20041220.tar.gz

You can also browse the source (156 lines; ANSI C) or browse the distribution package.

License

Copyright © 2004, 2007 Christian Stigen Larsen. Distributed under the GNU General Public License v2 or later.

Links

• listps on Freshmeat.
• The kernel-injection technique used by suckit was first described in phrack 58.
• The idea for listps was gotten from this suckit investigation transcript.
• The chkrootkit package will check for the presence of known rootkits, including listing hidden processes, and is a much bigger package than listps. Check it out.
• Another suckit investigation in Italian.
• A tool for detecting and removing suckit called skdetect.

Example output

In the session below I install suckit 1.3e on a linux box, hide two processes (crond and smbd) use listps to list them.

First, let's install suckit 1.3e on the host:

$ uname -a
Linux ares.sublevel3.org 2.4.20-20.7custom #1 SMP Tue Sep 23 14:30:50 CEST
2003 i686 unknown
$ ./sksu
I love you baby
Show begins Test mode 0 
RK_Init: idt=0xc0328000, sct[]=0xc02c68e0
kma_hint=0x00000000
kmalloc()=0xc012fcb0, gfp=0x1f0
Z_Init: Allocating kernel-code memory...KINIT(0xd04d9c64) sct 0xc02c68e0
sctp 0xbfffcde0 oldsys 0xc010cf40
Done, 11635 bytes, base=0xd04d8000

Now let's hide crond and smbd (pids 577 and 613):

$ ./sksu 
I love you baby
Detected version: 1.3e
use:
./sksu <uivfp> [args]
t       - test instalation objective
f       - force instalation
u       - uninstall
i       - make pid invisible
v       - make pid visible
f [0/1] - toggle file hiding
p [0/1] - toggle pid hiding
$ ./sksu i 577
I love you baby
Detected version: 1.3e
Pid 577 is hidden now!
$ ./sksu i 613
I love you baby
Detected version: 1.3e
Pid 613 is hidden now!

Let's see if ps(1) finds them:

$ ps auxwww | egrep 'crond|smbd'
root   2160  0.0  0.1  1516  552 pts/1    S    15:24   0:00 egrep crond|smbd

Try running listps:

$ listps -d
  PID COMMAND
  577 crond (hidden)
  613 smbd (hidden)

Finally, let's uninstall suckit:

$ ./sksu v 577
I love you baby
Detected version: 1.3e
Pid 577 is visible now!
$ ./sksu v 613
I love you baby
Detected version: 1.3e
Pid 613 is visible now!
$ ./sksu u
I love you baby
Detected version: 1.3e
Suckit uninstalled sucesfully!
$ listps -d
  PID COMMAND