
listps

About

listps is a small Linux program that shows all running processes, including hidden ones. It only works on systems that mount a /proc filesystem.

On systems compromised by rootkits such as suckit 1.3e, listps can still list the hidden processes that are running.

It does this by explicitly querying the /proc filesystem for each process ID in the range 1 to 33000.

Swapped-out processes are printed in parentheses.
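The following is an added example, not the listps source: it shows the core of the technique described above in C, comparing the PIDs that readdir(3) on /proc returns (the view ps(1) relies on) against a direct probe of /proc/<pid> for every PID in the range, and reporting the ones that answer but were never listed. The MAX_PID value is the page's 33000; the function and variable names are this example's own.

```c
/* Added example: find PIDs that answer in /proc but are missing from
 * readdir(/proc), the gap a PID-hiding rootkit leaves behind. Linux only. */
#include <stdio.h>
#include <stdlib.h>
#include <dirent.h>
#include <sys/stat.h>
#define MAX_PID 33000   /* same upper bound the page describes */

/* Mark every PID that readdir(3) on /proc reports: the view ps(1) gets,
 * and the one a hooked directory listing can filter. */
void mark_listed(unsigned char *listed) {
    DIR *d = opendir("/proc");
    struct dirent *e;
    if (!d) return;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);   /* "self", "." leave *end != 0 */
        if (*end == '\0' && pid > 0 && pid <= MAX_PID) listed[pid] = 1;
    }
    closedir(d);
}

/* Probe /proc/<pid> by name; a process hidden from readdir still answers. */
int probe_pid(int pid) {
    char path[32];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d", pid);
    return stat(path, &st) == 0;
}

/* Pure comparison step: PIDs in lo..hi present in `probed` but absent from
 * `listed`. Writes at most `max` PIDs to `out` and returns how many. */
int diff_pids(const unsigned char *probed, const unsigned char *listed,
              int lo, int hi, int *out, int max) {
    int n = 0, pid;
    for (pid = lo; pid <= hi && n < max; pid++)
        if (probed[pid] && !listed[pid]) out[n++] = pid;
    return n;
}

int main(void) {
    static unsigned char listed[MAX_PID + 1], probed[MAX_PID + 1];
    int hidden[64], n, i;
    mark_listed(listed);
    for (i = 1; i <= MAX_PID; i++) probed[i] = (unsigned char)probe_pid(i);
    n = diff_pids(probed, listed, 1, MAX_PID, hidden, 64);
    for (i = 0; i < n; i++) printf("%5d (hidden)\n", hidden[i]);
    return n > 0;   /* non-zero exit when something is hidden */
}
```

A process that starts between the two scans shows up the same way as a hidden one, so confirm a hit with a second run before treating it as a rootkit. Modern kernels allow PIDs well above 33000 (see /proc/sys/kernel/pid_max), so raise MAX_PID accordingly.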

Download

Version  Date      Description    Filename                         Notes
0.9.0    20070208  source         listps-0.9.0.tar.gz (newest)     Added configure package, rewritten in plain C code, added params for PID ranges
n/a      20041221  source         listps-src.tar.gz
n/a      20041221  static binary  listps.static.linux_2.2.5_i386
n/a      20041220  source         listps-src-20041220.tar.gz

You can also browse the source (156 lines; ANSI C) or browse the distribution package.

License

Copyright © 2004, 2007 Christian Stigen Larsen. Distributed under the GNU General Public License v2 or later.

Example output

In the session below I install suckit 1.3e on a Linux box, hide two processes (crond and smbd), and then use listps to list them.

First, let's install suckit 1.3e on the host:

$ uname -a
Linux ares.sublevel3.org 2.4.20-20.7custom #1 SMP Tue Sep 23 14:30:50 CEST 2003 i686 unknown
$ ./sksu
I love you baby
Show begins Test mode 0 
RK_Init: idt=0xc0328000, sct[]=0xc02c68e0
kma_hint=0x00000000
kmalloc()=0xc012fcb0, gfp=0x1f0
Z_Init: Allocating kernel-code memory...KINIT(0xd04d9c64) sct 0xc02c68e0
sctp 0xbfffcde0 oldsys 0xc010cf40
Done, 11635 bytes, base=0xd04d8000

Now let's hide crond and smbd (pids 577 and 613):

$ ./sksu 
I love you baby
Detected version: 1.3e
use:
./sksu <uivfp> [args]
t       - test instalation objective
f       - force instalation
u       - uninstall
i       - make pid invisible
v       - make pid visible
f [0/1] - toggle file hiding
p [0/1] - toggle pid hiding
$ ./sksu i 577
I love you baby
Detected version: 1.3e
Pid 577 is hidden now!
$ ./sksu i 613
I love you baby
Detected version: 1.3e
Pid 613 is hidden now!

Let's see if ps(1) finds them:

$ ps auxwww | egrep 'crond|smbd'
root   2160  0.0  0.1  1516  552 pts/1    S    15:24   0:00 egrep crond|smbd

Try running listps:

$ listps -d
  PID COMMAND
  577 crond (hidden)
  613 smbd (hidden)

Finally, let's uninstall suckit:

$ ./sksu v 577
I love you baby
Detected version: 1.3e
Pid 577 is visible now!
$ ./sksu v 613
I love you baby
Detected version: 1.3e
Pid 613 is visible now!
$ ./sksu u
I love you baby
Detected version: 1.3e
Suckit uninstalled sucesfully!
$ listps -d
  PID COMMAND
