Chkrootkit Sourcecode Learning

目录

1. Chkrootkit Introduce
2. Source Code Frame
3. chklastlog.c
4. chkwtmp.c
5. ifpromisc.c
6. chkproc.c
7. chkdirs.c
8. check_wtmpx.c
9. strings.c
10. chkrootkit的使用场景及其局限

 

1. Chkrootkit Introduce

chkrootkit是一个Linux系统下的查找检测rootkit后门的工具,需要明白的是,chkrootkit是一款ring3级别的rootkit检测工具,所以从某种程序上来说,chkrootkit能做的事也很有限,但是我们也必须明白,攻防对抗中并不是一味的追求底层kernel的hacking技术,往往多种技术结合(ring3、ring0)能够获得更好的效果

关于ring3、ring0下的rootkit攻防的平衡取舍,请参阅另一篇文章

http://www.cnblogs.com/LittleHann/p/3910696.html

Relevant Link:

http://www.centospub.com/make/chkrootkit.html
http://www.bootf.com/556.html
http://www.chkrootkit.org/

 

2. Source Code Frame

chkrootkit的总体代码功能框架如下

1. 系统日志审计检查
    1.1 chklastlog.c
        1) 根据"/var/log/wtmp""/var/log/lastlog"进行交叉比较,检查当前系统是否存在新增帐号异常登录
        2) 检测本次登录的用户是否有在/etc/passwd中出现 
        3) 检查/etc/passwd中是否有白名单之外的"超级用户(uid)",这是一种异常现象 

    1.2 chkwtmp.c
        1) 对登录日志进行清除,造成日志文件中存在一段的"登录日志空档期",chkwtmp.c的目的就是发现这个"空档期",从而发现可疑的入侵现象

2. 网络状态审计检测
    2.1 ifpromisc.c
        1) 检测当前系统的网卡接口是否正在进行"raw packet"的处理(sniffer的特征)
        检测当前系统中是否有sniffer程序在进行嗅探操作,"/proc/net/packet"这个虚拟目录保存了那些需要处理"raw network packets"的进程、及相关网络信息,正常情况下,一般的进程是不需要收发、处理"raw network packets"的,如果发现这类进程,则说明这是一个可疑sniffer进程(有可能是rootkit在进行嗅探操作)
        2) 检测当前系统的网卡是否处于"PROMISC(混杂模式)"

3. 进程隐藏状态检测 
    3.1 chkproc.c
        1) 针对readdir句柄劫持的检测
    很多rootkit常常会对"/proc/的readdir句柄"句柄(而内部还是调用的Sys_getdents64)进行劫持从而进行进程隐藏,针对这个现象,chkrootkit采取了2种策略
        1.1) 采用read原生系统调用来对/proc进行读写(绕过rootkit对Sys_getdents64系统调用的劫持)
        1.2) 将/proc/number/(进程列表的枚举结果和"ps -edf、ps auxw、ps mauxw 2>&1、ps auxw -T | tr -s ' '| cut -d' ' -f2-"的结果进行对比,因为ps这类进程枚举命令内部调用的系统调用是/proc/的readdir句柄(),可以发现进程隐藏的迹象 
        2) 针对进程枚举指令劫持的检测
    进程隐藏是LKM Rootkit常用的功能,rootkit常常会通过替换ps等指令程序为恶意程序(会自动过滤掉对rootkit自身的枚举)

 

3. chklastlog.c

1) 根据"/var/log/wtmp""/var/log/lastlog"进行交叉比较,检查当前系统是否存在新增帐号异常登录
2) 检测本次登录的用户是否有在/etc/passwd中出现 
3) 检查/etc/passwd中是否有白名单之外的"超级用户(uid)",这是一种异常现象 

code

#if defined(SOLARIS2) || defined(__linux__)
  #define HAVE_LASTLOG_H 1
#else
  #undef HAVE_LASTLOG_H
#endif

#if __FreeBSD__ > 9
  int main () { return 0; }
#else
  #include <stdio.h>

#ifdef __linux__
  #include <stdlib.h>
#endif

#include <sys/stat.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <pwd.h>
#include <sys/types.h>
#include <utmp.h>

#if (HAVE_LASTLOG_H)
  #include <lastlog.h>
#endif

#include <sys/file.h>

#ifdef SOLARIS2
  #include <fcntl.h>
#endif

#ifdef __FreeBSD__ 
  #define WTMP_FILENAME "/var/log/wtmp"
  #define LASTLOG_FILENAME "/var/log/lastlog"
#endif

#ifdef __OpenBSD__
  #include <stdlib.h> 
  #define WTMP_FILENAME "/var/log/wtmp"
  #define LASTLOG_FILENAME "/var/log/lastlog"
#endif

#ifndef WTMP_FILENAME
  #define WTMP_FILENAME "/var/adm/wtmp"
#endif

#ifndef LASTLOG_FILENAME
  #define LASTLOG_FILENAME "/var/adm/lastlog"
#endif

#define TRUE 1L
#define FALSE 0L

long total_wtmp_bytes_read = 0;
size_t wtmp_file_size;
uid_t *uid;
void read_status();

struct s_localpwd 
{
     int numentries;
     uid_t *uid;
     char  **uname;
};

#ifndef SOLARIS2
  int nonuser(struct utmp utmp_ent);
#endif
struct s_localpwd *read_pwd();
void free_results(struct s_localpwd *);
uid_t *localgetpwnam(struct s_localpwd *, char *);
int getslot(struct s_localpwd *, uid_t);

#define MAX_ID 99999

int main(int argc, char*argv[]) 
{
    int        fh_wtmp;
    int        fh_lastlog;
  /*
  struct lastlog 
  {
        int32_t ll_time;                // When user logged in 
        char    ll_line[UT_LINESIZE];   // Terminal line name 
        char    ll_host[UT_HOSTSIZE];   // Host user came from 
  };
  用于查看那所用账号的最后登录时间
  */
    struct lastlog    lastlog_ent;

  /*
  struct utmp {
        char    ut_line[UT_LINESIZE];   // Terminal line name  
        char    ut_name[UT_NAMESIZE];   // User’s login name  
        char    ut_host[UT_HOSTSIZE];   // Host user came from 
        int32_t ut_time;                // When user logged in  
  }; 
  /var/log/wtmp 
  记录当前和历史上登录到系统的用户的登录tty、登录用户名、来源和时间等信息。和/var/log/lastlog一样,这个文件是一个二进制文件,需要用last命令查看
  last -f /var/log/wtmp
  */
    struct utmp    utmp_ent;
    long        userid[MAX_ID];
    long        i, slot;
    int        status = 0;
    long        wtmp_bytes_read;

  /*
  struct stat  
  {   
      dev_t       st_dev;     // ID of device containing file -文件所在设备的ID  
      ino_t       st_ino;     // inode number -inode节点号  
      mode_t      st_mode;    // protection -保护模式
      nlink_t     st_nlink;   // number of hard links -链向此文件的连接数(硬连接)   
      uid_t       st_uid;     // user ID of owner -user id 
      gid_t       st_gid;     // group ID of owner - group id 
      dev_t       st_rdev;    // device ID (if special file) -设备号,针对设备文件  
      off_t       st_size;    // total size, in bytes -文件大小,字节为单位  
      blksize_t   st_blksize; // blocksize for filesystem I/O -系统块的大小   
      blkcnt_t    st_blocks;  // number of blocks allocated -文件所占块数
      
      time_t      st_atime;   // time of last access - 最近存取时间  
      time_t      st_mtime;   // time of last modification - 最近修改时间  
      time_t      st_ctime;   // time of last status change - 最近创建时间 
  };  
  */
    struct stat    wtmp_stat;
    struct s_localpwd    *localpwd;
  struct passwd *user;
    uid_t        *uid;
  char wtmpfile[128], lastlogfile[128];

  memcpy(wtmpfile, WTMP_FILENAME, 127);
  memcpy(lastlogfile, LASTLOG_FILENAME, 127);

  while (--argc && ++argv) /* poor man getopt */
  {
     if (!memcmp("-f", *argv, 2))
     {
        if (!--argc)
        {
          break;
        } 
        ++argv;
        memcpy(wtmpfile, *argv, 127);
     }
     else if (!memcmp("-l", *argv, 2))
     {
        if (!--argc)
        {
          break;
        } 
        ++argv;
        memcpy(lastlogfile, *argv, 127);
     }
  }

  //信号的安装(确定要接收和处理的信号),指定read_status()作为信号处理函数
    signal(SIGALRM, read_status);
  //信号的发送,专门为SIGALRM信号而设,在指定的时间seconds秒后,将向进程本身发送SIGALRM信号,又称为闹钟时间
    alarm(5);
    for (i=0; i < MAX_ID; i++)
  {
    userid[i]=FALSE;
  } 
  //打开"/var/log/lastlog"文件
    if ((fh_lastlog = open(lastlogfile, O_RDONLY)) < 0) 
  {
        fprintf(stderr, "unable to open lastlog-file %s\n", lastlogfile);
        return(1);
    }
  //打开"/var/log/wtmp"文件
    if ((fh_wtmp = open(wtmpfile, O_RDONLY)) < 0) 
  {
        fprintf(stderr, "unable to open wtmp-file %s\n", wtmpfile);
        close(fh_lastlog);
        return(2);
    }
  //获取/var/log/wtmp的文件属性: struct stat,保存在wtmp_stat结构体中
    if (fstat(fh_wtmp, &wtmp_stat)) 
  {
        perror("chklastlog::main: ");
        close(fh_lastlog);
        close(fh_wtmp);
        return(3);
    }
    wtmp_file_size = wtmp_stat.st_size;
  //获取"/etc/passwd"文件结构化内容
    localpwd = read_pwd();
  /*
  3. 检查/etc/passwd中是否有白名单之外的"超级用户(uid)",这是一种异常现象
  */ 
  while((user = getpwent())!=0)
  { 
    //默认白名单只有root用户
    if ((user->pw_uid == 0 || user->pw_gid == 0) && user->pw_name != "root")
    {
      printf("dedect Suspicious Account\n");
      printf("\n%s:%d:%d:%s:%s:%s\n",user->pw_name, user->pw_uid, user->pw_gid, user->pw_gecos,user->pw_dir,user->pw_shell);
    }
  }
  endpwent();


  /*
  "/var/log/wtmp"是一个记录用户登录信息的列表,每一行都记录了一次用户的登录信息,接下来的代码对其进行逐行遍历
  */
    while ((wtmp_bytes_read = read(fh_wtmp, &utmp_ent, sizeof (struct utmp))) >0) 
  {
    if (wtmp_bytes_read < sizeof(struct utmp))
    {
      fprintf(stderr, "wtmp entry may be corrupted");
      break;
    }
    total_wtmp_bytes_read += wtmp_bytes_read;
    /*
    对当前遍历中的"struct utmp"进行过滤检查
    1. 是否是"shutdonw"用户
    2. 当前登录用户账户命是否在"/etc/passwd"中存在
    */
    if ( !nonuser(utmp_ent) && /*strncmp(utmp_ent.ut_line, "ftp", 3)*/ && (uid = localgetpwnam(localpwd, utmp_ent.ut_name)) != NULL )
    {
      if (*uid > MAX_ID)
      {
        fprintf(stderr, "MAX_ID is %ld and current uid is %ld, please check\n\r", MAX_ID, *uid );
        exit (1); 
      }
      if (!userid[*uid])
      {
        lseek(fh_lastlog, (long)*uid * sizeof (struct lastlog), 0);
        if ((wtmp_bytes_read = read(fh_lastlog, &lastlog_ent, sizeof (struct lastlog))) > 0)
        {
          if (wtmp_bytes_read < sizeof(struct lastlog))
          {
            fprintf(stderr, "lastlog entry may be corrupted");
            break;
          }
          if (lastlog_ent.ll_time == 0)
          {
            if (-1 != (slot = getslot(localpwd, *uid)))
            {
              //1. 如果本次登录的用户在lastlog中的没有对应的登录记录(即这是一个突然新增的新用户登录),则表明是一个可疑用户登录行为
              printf("user %s deleted or never logged from lastlog!\n", NULL != localpwd->uname[slot] ? (char*)localpwd->uname[slot] : "(null)");
            } 
            else
            {
              //2. 检测本次登录的用户是否有在/etc/passwd中出现
              printf("deleted user uid(%d) not in passwd\n", *uid);
            } 
            ++status;
          }
          userid[*uid]=TRUE;
        }
      }
    }
    }
#if 0
    printf("\n");
#endif
    free_results(localpwd);
    close(fh_wtmp);
    close(fh_lastlog);
    return(status);
}

#ifndef SOLARIS2
/* minimal funcionality of nonuser() */
int nonuser(struct utmp utmp_ent)
{
   return (!memcmp(utmp_ent.ut_name, "shutdown", sizeof ("shutdown")));
}
#endif

void read_status() 
{
   double remaining_time;
   static long last_total_bytes_read=0;
   int diff;

   diff = total_wtmp_bytes_read-last_total_bytes_read;
   if (diff == 0) diff = 1;
   remaining_time=(wtmp_file_size-total_wtmp_bytes_read)*5/(diff);
   last_total_bytes_read=total_wtmp_bytes_read;

   printf("Remaining time: %6.2f seconds\n", remaining_time);
  /*
     signal(SIGALRM,read_status); 
     alarm(5);
  */
}

struct s_localpwd *read_pwd() 
{
  /*
  struct passwd  
  {  
      char * pw_name; // Username, POSIX.1  
      char * pw_passwd; //Password  
      __uid_t pw_uid; // User ID, POSIX.1   
      __gid_t pw_gid; // Group ID, POSIX.1  
      char * pw_gecos; // Real Name or Comment field 
      char * pw_dir; // Home directory, POSIX.1 
      char * pw_shell; // Shell Program, POSIX.1  
  };  
  */
  struct passwd *pwdent;
  int numentries=0,i=0;
  struct s_localpwd *localpwd;

  //setpwent()用来将getpwent()的读写地址指回密码文件开头
  setpwent();
  /*
  获取"/etc/passw"文件的信息,getpwent()用来从密码文件(/etc/passwd)中读取一项用户数据,该用户的数据以passwd 结构返回。第一次调用时会取得第一位
  用户数据,之后每调用一次就会返回下一项数据,直到已无任何数据时返回NULL
  */
  while ((pwdent = getpwent())) 
  {
    numentries++;
  }
  endpwent();
  localpwd = (struct s_localpwd *)malloc((size_t)sizeof(struct s_localpwd));
  localpwd->numentries=numentries;
  localpwd->uid = (uid_t *)malloc((size_t)numentries*sizeof(uid_t));
  localpwd->uname = (char **)malloc((size_t)numentries*sizeof(char *));
  for (i=0;i<numentries;i++) 
  {
    localpwd->uname[i] = (char *)malloc((size_t)30*sizeof(char));
  }
  i=0;
  setpwent();
  while ((pwdent = getpwent()) && (i<numentries)) 
  {
    localpwd->uid[i] = pwdent->pw_uid;
    memcpy(localpwd->uname[i], pwdent->pw_name, (strlen(pwdent->pw_name)>29)?29:strlen(pwdent->pw_name)+1);
    i++;
  }
  endpwent();
  return(localpwd);
}

void free_results(struct s_localpwd *localpwd) 
{
   int i;
   free(localpwd->uid);
   for (i=0;i<(localpwd->numentries);i++)
   {
      free(localpwd->uname[i]);
   }
   free(localpwd->uname);
   free(localpwd);
}

uid_t *localgetpwnam(struct s_localpwd *localpwd, char *username) 
{
   int i;
   size_t len;

   for (i=0; i<(localpwd->numentries);i++) 
   {
      len = (strlen(username) > 9) ? 30 : strlen(username) + 1;
      if (!memcmp(username, localpwd->uname[i],len)) 
      {
        return &(localpwd->uid[i]);
      }
   }
   return NULL;
}

int getslot(struct s_localpwd *localpwd, uid_t uid)
{
  int i; 
  for (i=0; i<(localpwd->numentries);i++)
  {
    if (localpwd->uid[i] == uid)
    {
      return i;
    }  
  }
  return -1;
}
#endif

Relevant Link:

https://www.mirbsd.org/htman/i386/man5/lastlog.htm

 

4. chkwtmp.c

"/var/log/wtmp"记录了当前和历史上登录到系统的用户的登录tty、登录用户名、来源和时间等信息,黑客在入侵了主机后,会对登录日志进行清除,造成日志文件中存在一段的"登录日志空档期",chkwtmp.c的目的就是发现这个"空档期",从而发现可疑的入侵现象

#if __FreeBSD__ > 9 
int main () { return 0; } 
#else
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <utmp.h>
#include <time.h>
#include <sys/time.h>
#include <sys/file.h>
#ifdef SOLARIS2
#include <fcntl.h>
#endif

#ifdef __FreeBSD__
#define WTMP_FILENAME "/var/log/wtmp"
#else
#ifndef WTMP_FILENAME
#define WTMP_FILENAME "/var/adm/wtmp"
#endif
#endif

void printit(counter, start, end)
int counter;
long start,end;
{
    char        buffer[30]; 
    printf("%d deletion(s) between ", counter);
    strncpy(buffer, ctime( (time_t *) &start), 30);
    buffer[24]='\0';
    printf("%s and %s", buffer, ctime( (time_t *) &end));
}


int main(int argc, char*argv[]) 
{
    int        filehandle;
    struct     utmp    utmp_ent;
    struct     timeval    mytime;
    struct     timezone    dummy;
    long    start_time, act_time;
    int        del_counter, t_del;
    char     wtmpfile[128];

    del_counter=t_del=0;
    start_time=0;

    gettimeofday(&mytime, &dummy);
    act_time=mytime.tv_sec;
    wtmpfile[127]='\0';
    memcpy(wtmpfile, WTMP_FILENAME, 127);
    if ( argc == 3 && !memcmp("-f", argv[1], 2) && *argv[2])
    {
        memcpy(wtmpfile, argv[2], 127);
    } 
    if ((filehandle = open(wtmpfile,O_RDONLY)) < 0) 
    {
        fprintf(stderr, "unable to open wtmp-file %s\n", wtmpfile);
        return(2);
    }

    while (read (filehandle, (char *) &utmp_ent, sizeof (struct utmp)) > 0) 
    {
        if (utmp_ent.ut_time == 0)
        {
            del_counter++;
        } 
        else 
        {
            if (del_counter) 
            {
                printit(del_counter, start_time, utmp_ent.ut_time);
                t_del++;
                del_counter=0;
            }
            start_time=utmp_ent.ut_time;
        }
    }
    close(filehandle);
    if (del_counter)
    {
        printit(del_counter, start_time, act_time);
    } 
    exit((int) t_del+del_counter);
}
#endif

 

5. ifpromisc.c

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>

#ifdef __linux__
  #include <linux/if.h>
  #include <linux/if_arp.h>
  #include <linux/if_ether.h>
  #include <dirent.h>
  #include <sys/stat.h>
#else
  #include <net/if.h> 
  #ifndef __OpenBSD__
    #include <net/if_arp.h>
  #endif
#endif

#ifdef SOLARIS2
  #include <sys/sockio.h>
#endif

#include <stdio.h>
#include <errno.h>
#include <fcntl.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct interface
{
  char            name[IFNAMSIZ];        // interface name 
  short            type;             // if type         
  short            flags;            // various flags     
#ifdef __linux__
  int            index;                    //interface index     
#endif
};

char *Release = "chkrootkit package", *Version = "@(#) ifpromisc)"; 

int skfd = -1;                /* AF_INET or AF_PACKET raw socket desc.    */
int q = 0;            /* Quiet mode on or off                */

struct packet_info
{
    int index;
    int type;
    int proto;
    int inode;
    char *cmd;
    struct packet_info *next;
};

#ifdef __linux__
/*
 * the contents of /proc/net/packet
 */
static struct packet_info *proc_net_packet = 0;


/*
 * read the entries from /proc/net/packet
 */
static void read_proc_net_packet()
{
    FILE                *proc;
    char                buf[80];

    proc = fopen("/proc/net/packet", "r");
    if (!proc)
    {
        if (errno != ENOENT)
        {
            perror("opening /proc/net/packet");
        }
        return;
    }

    /* skip the header */
    fgets(buf, 80, proc);
    while (fgets(buf, 80, proc))
    {
        int             type = 0;
        unsigned int    proto = 0;
        int             index = 0;
        unsigned int    inode = 0;

        if (sscanf(buf, "%*p %*d %d %x   %d %*d %*u %*u %u", &type, &proto, &index, &inode) == 4)
        {
            struct packet_info *pi;

            pi = (struct packet_info *)malloc(sizeof(struct packet_info));
            pi->type = type;
            pi->proto = proto;
            pi->index = index;
            pi->inode = inode;
            pi->cmd = 0;

            pi->next = proc_net_packet;
            proc_net_packet = pi;
        }
        else
        {
            fprintf(stderr, "cannot grok /proc/net/packet: %s", buf);
        }
    }

    fclose(proc);
}

/* look up an entry from /proc/net/packet by inode */
static struct packet_info *find_packet_info(int inode)
{
    struct packet_info *p;
    for (p = proc_net_packet; p; p = p->next)
    {
        if (p->inode == inode)
        {
            return p;
        }
    }
    return NULL;
}

/* 
walk a processes fd dir looking for sockets with inodes that match the
inodes from /proc/net/packet, when a match is found, the processes exe
is stored 
获取正在进行处理"raw network packets"的进程(疑似sniffer进程)的进程列表
*/
static void walk_process(char *process)
{
    DIR                 *dir;
    struct dirent       *ent;
    char                path[1024];

    if (snprintf(path, sizeof(path), "/proc/%s/fd", process) == -1)
    {
        fprintf(stderr, "giant process name! %s\n", process);
        return;
    }

    if ((dir = opendir(path)) == NULL)
    {
        if (errno != ENOENT)
        {
          perror(path);
        } 
        return;
    }

    while ((ent = readdir(dir)))
    {
        struct stat             statbuf;
        struct packet_info     *info;

        if (snprintf(path, sizeof(path), "/proc/%s/fd/%s", process, ent->d_name) == -1)
        {
            fprintf(stderr, "giant fd name /proc/%s/fd/%s\n", process, ent->d_name);
            continue;
        }

        if (stat(path, &statbuf) == -1)
        {
            perror(path);
            continue;
        }

        if (S_ISSOCK(statbuf.st_mode) && (info = find_packet_info(statbuf.st_ino)))
        {
            char link[1024]; 
            memset(link, 0, sizeof(link));
            /* no need to check rv since it has to be long enough,
             * otherwise, one of the ones above will have failed */
            snprintf(path, sizeof(path), "/proc/%s/exe", process);
            readlink(path, link, sizeof(link) - 1);
            info->cmd = strdup(link);
        }
    }

    closedir(dir);
}

/* walk the proc file system looking for processes, call walk_proc on each
 * process */
static void walk_processes()
{
    DIR                 *dir;
    struct dirent       *ent;

    if ((dir = opendir("/proc")) == NULL)
    {
        perror("/proc");
        return;
    }

    while ((ent = readdir(dir)))
    {
        /* we only care about dirs that look like processes */
        if (strspn(ent->d_name, "0123456789") == strlen(ent->d_name))
        {
            walk_process(ent->d_name);
        }
    }

    closedir(dir);

}

/* return 1 if index is a member of pcap_session_list, 0 otherwise. */
static int has_packet_socket(int index)
{
    struct packet_info *p;
    for (p = proc_net_packet; p; p = p->next)
    {
        if (p->index == index)
        {
            return 1;
        }
    }
    return 0;
}
#endif /* __linux__ */

static void ife_print(struct interface *ptr)
{
#ifdef __linux__
    //检测当前网卡接口是否处于"PROMISC(混杂模式)"
    int promisc = ptr->flags & IFF_PROMISC;
    //检测当前网卡接口是否正在进行"raw packet"的处理(同样也是sniffer的特征)
    int has_packet = has_packet_socket(ptr->index);

    if (promisc || has_packet)
    {
        printf("%s:", ptr->name);
        if (promisc)
            printf(" PROMISC");
        if (has_packet)
        {
            struct packet_info *p;
            printf(" PF_PACKET(");
            p = proc_net_packet;
            if (p)
            {
                printf("%s", p->cmd);

                for (p = p->next; p; p = p->next)
                {
                    if (p->index == ptr->index)
                    {
                        printf(", %s", p->cmd);
                    }
                }
            }
            printf(")");
        }
        printf("\n");
    }
    else
    {
        if (!q)
            printf("%s: not promisc and no PF_PACKET sockets\n", ptr->name);
    }
#else
   if (ptr->flags & IFF_PROMISC)
      printf("%s is %s", ptr->name, "PROMISC");
   else
   {
      if (!q)
         printf("%s is %s", ptr->name, "not promisc");
   }
   putchar('\n');
#endif
}


/* Fetch the inteface configuration from the kernel. */
static int if_fetch(char *ifname, struct interface *ife)
{
  struct ifreq ifr;

  memset((char *) ife, 0, sizeof(struct interface));
  strncpy(ife->name, ifname, sizeof(ife->name));

  strncpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
  //获得接口标志
  if (ioctl(skfd, SIOCGIFFLAGS, &ifr) < 0)
      return(-1);
  ife->flags = ifr.ifr_flags;

#ifdef __linux__
  /* store the device index */
  if (ioctl(skfd, SIOCGIFINDEX, &ifr) < 0)
      return(-1);
  ife->index = ifr.ifr_ifindex;
#endif

  return(0);
}

static void if_print()
{
   char buff[1024];
   /*
    struct interface
    {
      char      name[IFNAMSIZ];   // interface name 
      short     type;             // if type     
      short     flags;            // various flags   
    #ifdef __linux__
      int     index;              //interface index  
    #endif
    };
   */
   struct interface ife;
   struct ifconf ifc;
   struct ifreq *ifr;
   int i;

   ifc.ifc_len = sizeof(buff);
   ifc.ifc_buf = buff;
   //获取所有网卡接口的信息
   if (ioctl(skfd, SIOCGIFCONF, &ifc) < 0)
   {
      fprintf(stderr, "SIOCGIFCONF: %s\n", strerror(errno));
      return;
   }

   ifr = ifc.ifc_req;
   for (i = ifc.ifc_len / sizeof(struct ifreq); --i >= 0; ifr++)
   {
      if (if_fetch(ifr->ifr_name, &ife) < 0)
      {
#ifdef __linux__
         fprintf(stderr, "%s: unknown interface.\n", ifr->ifr_name);
#endif
     continue;
      }
      if (!memcmp(ifr->ifr_name, "lo", 2))
         continue;
      ife_print(&ife);
   }
}

int main(int argc, char **argv)
{
  if (argc == 2 && !memcmp(argv[1], "-q", 2))
  {
    q++;
  } 

  /* Create a channel to the NET kernel. */
  if ((skfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) 
  {
    perror("socket");
    exit(-1);
  }
#ifdef __linux__
  read_proc_net_packet();
  walk_processes();
#endif

  if_print();
  (void) close(skfd);
  exit(0);
}

Relevant Link:

http://blog.cloudpassage.com/2012/09/05/warn-packet-sniffer-running/

 

6. chkproc.c

#if !defined(__linux__) && !defined(__FreeBSD__) && !defined(__sun)
int main (){ return 0; }
#else
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <dirent.h>
#include <ctype.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <sys/stat.h>
#if defined(__sun)
#include <procfs.h>
#include <fcntl.h>
#endif
#include <sys/resource.h>

#define PS_SUN 0
#define PS_LOL 1
#define PS_COM 2
#define PS_LNX 3
#define PS_MAX 3
#define ENYELKM "/proc/12345"
// #define ENYELKM "/tmp/12345"

#if defined(__sun)
#define FIRST_PROCESS 0
#else
#define FIRST_PROCESS 1
#endif
#define MAX_PROCESSES 99999
#define MAX_BUF 1024

#if !defined (SIGXFSZ)
#define SIGXFSZ 25
#endif

static char *ps_cmds[] = {
        "ps -edf",
        "ps auxw",
        "ps mauxw 2>&1 ",
      "ps auxw -T | tr -s ' '| cut -d' ' -f2-",
    };

int psproc [MAX_PROCESSES+1];
int dirproc[MAX_PROCESSES+1];
#if defined(__linux__)
  int isathread[MAX_PROCESSES+1];
#endif

/*
 * read at most the first (size-1) chars into s and terminate with a '\0'.
 * stops reading after a newline or EOF.  if a newline is read, it will be
 * the last char in the string.  if no newline is found in the first
 * (size-1) chars, then keep reading and discarding chars until a newline
 * is found or EOF.
 */
char *readline(char *s, int size, FILE *stream)
{
  char *rv = fgets(s, size, stream);

  if (strlen(s) == (size-1) && s[size-1] != '\n')
  {
    char buf[MAX_BUF];
    fgets(buf, MAX_BUF, stream);
    while (strlen(buf) == (MAX_BUF-1) && buf[MAX_BUF-1] != '\n')
    {
      fgets(buf, MAX_BUF, stream);
    }
  }

  return rv;
}

int main(int argc, char **argv)
{
   char buf[MAX_BUF], *p, path[MAX_BUF];
   char *pscmd = (char *)0;
   FILE *ps;
   //打开/proc虚拟目录
   DIR *proc = opendir("/proc");
   struct dirent *dir;
   struct stat sb;
   int i, j, retps, retdir, pv, verbose;
   long ret = 0L;
   char * tmp_d_name;
#if defined(__linux__)
   int maybeathread;
#endif
#if defined(__sun)
   psinfo_t psbuf;
#endif

   pv = verbose = 0;

   if (!proc)
   {
      perror("proc");
      exit (1);
   }
   for (i = 1; i < argc; i++)
   {
      if (!memcmp(argv[i], "-v", 2))
      {
        verbose++;
      } 
      else if (!memcmp(argv[i], "-?", 2))
      {
          printf("Usage: %s [-v] [-v] -p <num>\n", argv[0]);
          return 0;
      }
#if defined(__linux__)
      else if (!memcmp(argv[i], "-p", 2))
      {
         if (i+1 < argc)
         {
            pv = atoi(argv[++i]);
        } 
         else
         {
              printf("Usage: %s [-v] [-v] [-p procps version]\n", argv[0]);
              return 0;
         }
      }
#endif
   }
#if defined(__sun)
   pscmd = ps_cmds[PS_SUN];
#elif !defined (__linux__)
   pscmd = ps_cmds[PS_COM];
#endif
#if defined(__linux__)
   if (pv < 1 || pv > PS_MAX)
      pv = 1;
   pscmd = ps_cmds[pv];
/*  printf("pv = %d\n\r", pv); /* -- DEBUG */
#endif

/* printf("pscmd = %s\n\r", pscmd); /* -- DEBUG */
   if (!(ps = popen(pscmd, "r")))
   {
       perror("ps");
       exit(errno);
   }

   *buf = 0;
   readline(buf, MAX_BUF, ps); /* Skip header */
#if defined(__sun)
   if (!isspace(*buf))
#else
   if (!isalpha(*buf))
#endif
   {
     readline(buf, MAX_BUF, ps); /* Skip header */
     if (!isalpha(*buf) && pv != PS_LNX)
     {
    if (pv != PS_LOL)
       execlp(argv[0], argv[0], "-p 1", NULL);
        fprintf(stderr, "OooPS!\n");
        exit(2);
     }
   }
   if (!memcmp(buf, "ps:", 3) && (pv != PS_LOL))
      execlp(argv[0], argv[0], "-p 1", NULL);

   for (i = FIRST_PROCESS; i <= MAX_PROCESSES; i++) 
   { /* Init matrix */
     psproc[i] = dirproc[i] = 0;
#if defined(__linux__)
     isathread[i] = 0;
#endif
   }

   while (readline(buf, MAX_BUF, ps))
   {
      p = buf;
#if defined(__sun)
      while (isspace(*p)) /* Skip spaces */
          p++;
#endif
      while (!isspace(*p)) /* Skip User */
          p++;
      while (isspace(*p)) /* Skip spaces */
          p++;
/*  printf(">>%s<<\n", p);  /* -- DEBUG */
      ret = atol(p);
      if ( ret < 0 || ret > MAX_PROCESSES )
      {
         fprintf (stderr, " OooPS, not expected %ld value\n", ret);
         exit (2);
      }
      psproc[ret] = 1;
   }
   pclose(ps);

   while ((dir = readdir(proc)))
   {
#if defined(__linux__)
      maybeathread = 0;
#endif
      tmp_d_name = dir->d_name;
      if (!strcmp(tmp_d_name, ".") || !strcmp(tmp_d_name, ".."))
         continue;
#if defined(__linux__)
      if (*tmp_d_name == '.') { /* here we catch the new NTPL threads in linux.  They are listed in /proc as PIDs with a period prepended */
         tmp_d_name++;
         maybeathread = 1;
      }
#endif
      if(!isdigit(*tmp_d_name))
         continue;
#if defined(__linux__)
      else if (maybeathread) {
         isathread[atol(tmp_d_name)] = 1; /* mark it as a linux NTPL thread if it's in the form of "\.[0-9]*" */
         if (verbose)
            printf("%ld is a Linux Thread, marking as such...\n", atol(tmp_d_name));
      }
#endif

/*      printf("%s\n", tmp_d_name); /* -- DEBUG */
      dirproc[atol(tmp_d_name)] = 1;
   }
   closedir(proc);

   /* Brute force */
   strcpy(buf, "/proc/");
   retps = retdir = 0;
   for (i = FIRST_PROCESS; i <= MAX_PROCESSES; i++)
   {
      snprintf(&buf[6], 6, "%d", i);
      if (!chdir(buf))
      {
         if (!dirproc[i] && !psproc[i])
         {
#if defined(__linux__)
            if (!isathread[i]) {
#endif
            retdir++;
            if (verbose)
           printf ("PID %5d(%s): not in readdir output\n", i, buf);
#if defined(__linux__)
            }
#endif
         }
         if (!psproc[i] ) /* && !kill(i, 0)) */
         {
#if defined(__linux__)
            if(!isathread[i]) {
#endif
            retps++;
            if (verbose)
           printf ("PID %5d: not in ps output\n", i);
#if defined(__linux__)
            }
#endif
     }
#if defined(__linux__)
         if(!isathread[i]) {
#endif
/*     if ((!dirproc[i] || !psproc[i]) && !kill(i, 0) && (verbose > 1)) */
     if ((!dirproc[i] || !psproc[i]) && (verbose > 1))
     {
#if defined(__linux__)
        j = readlink ("./cwd", path, sizeof(path));
        path[(j < sizeof(path)) ? j : sizeof(path) - 1] = 0;
        printf ("CWD %5d: %s\n", i, path);
        j = readlink ("./exe", path, sizeof(path));
        path[(j < sizeof(path)) ? j : sizeof(path) - 1] = 0;
        printf ("EXE %5d: %s\n", i, path);
#elif defined(__FreeBSD__)
        j = readlink ("./file", path, sizeof(path));
        path[(j < sizeof(path)) ? j : sizeof(path) - 1] = 0;
        printf ("FILE %5d: %s\n", i, path);
#elif defined(__sun)
        if ((j = open("./psinfo", O_RDONLY)) != -1)
            {
               if (read(j, &psbuf, sizeof(psbuf)) == sizeof(psbuf))
                  printf ("PSINFO %5d: %s\n", i, psbuf.pr_psargs);
               else
                  printf ("PSINFO %5d: unknown\n", i);
               close(j);
            }
            else
               printf ("PSINFO %5d: unknown\n", i);
#endif
         }
#if defined(__linux__)
         }
#endif
      }
#ifndef __FreeBSD__
      else
      {
         errno = 0;
         getpriority(PRIO_PROCESS, i);
         if (!errno)
         {
            retdir++;
            if (verbose)
           printf ("PID %5d(%s): not in getpriority readdir output\n", i, buf);
     }
      }
#endif
   }
   if (retdir)
      printf("You have % 5d process hidden for readdir command\n", retdir);
   if (retps)
      printf("You have % 5d process hidden for ps command\n", retps);
#if defined(__linux__)
   kill(1, 100); /*  Check for SIGINVISIBLE Adore signal */
   if (kill (1, SIGXFSZ) < 0  && errno == 3)
   {
      printf("SIGINVISIBLE Adore found\n");
      retdir+= errno;
   }
   /* Check for Enye LKM */
   if (stat(ENYELKM, &sb) && kill (12345, 58) >= 0)
   {
      printf("Enye LKM found\n");
      retdir+= errno;
   }
#endif
   return (retdir+retps);
}
#endif

 

7. chkdirs.c

#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__sun) || defined (hpux) || defined (__bsdi__) || defined (bsdi) || defined (__APPLE__)
#include <limits.h>
#elif defined(__APPLE__) && defined(__MACH__)
#include <sys/syslimits.h>
#endif

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <dirent.h>
#include <string.h>
#include <errno.h>

#ifndef NAME_MAX
#define NAME_MAX        PATH_MAX
#endif

struct dirinfolist 
{
  char                   dil_name[NAME_MAX+1];
  int                    dil_lc;
  struct dirinfolist     *dil_next;
};


void usage ()
{
  fprintf(stderr, "chkdirs [-n] dir ...\n");
  exit(255);
}

char *make_pathname (char *path, char *dir, char **buffer)
{
  int plen, pathname_len, bufsize, offs;
  
  bufsize = 0; 

  plen = strlen(path);
  pathname_len = plen + strlen(dir) + 2;

  if (!(*buffer) || (sizeof(*buffer) < pathname_len)) {
    if (buffer) free((void *)*buffer);
    bufsize = (pathname_len > PATH_MAX) ? pathname_len : PATH_MAX;
    if (!(*buffer = (char *)malloc(bufsize))) {
      return((char *)NULL);
    }
  }

  if (dir[0] == '/') {   /* "dir" is absolute pathname, don't prepend "path" */
    offs = 0;
  }
  else {
    strncpy(*buffer, path, bufsize);
    if ((*buffer)[plen-1] == '/') {   /* "path" ends in "/", don't add extra */
      offs = plen;
    }
    else {
      (*buffer)[plen] = '/';
      offs = plen + 1;
    }
  }
  strncpy((*buffer)+offs, dir, bufsize - offs);
  return((*buffer));
}

int check_dir (char *dir, char *path, int linkcount, int norecurse)
{
  int diff = -1;
  int plen, buflen, numdirs;
  char *curpath, *fullpath;
  DIR *dirhandle;
  struct dirent *finfo;
  struct dirinfolist *dl, *dptr;
  struct stat statinfo;

  /* When called recursively, "path" will be the full path of the cwd,
     but when called from main() "path" is empty.  We need the cwd path
     so we can chdir() back at the end of this routine, as well as when
     printing errors and other output.
  */
  if (!path || !(plen = strlen(path))) 
  {
    buflen = PATH_MAX;
  retry:
    if (!(curpath = (char *)malloc(buflen))) {
      fprintf(stderr, "malloc() failed: %s\n", strerror(errno));
      return(-1);
    }
    if (!getcwd(curpath, buflen)) 
    {
      if (errno == ERANGE) 
      {
          free((void *)curpath);
          buflen = buflen * 2;
          goto retry;
      }
      else 
      {
           fprintf(stderr, "getcwd() failed: %s\n", strerror(errno));
           return(-1);
      }
    }
  }
  else {             /* "path" is set, so just copy it into "curpath" */
    if (!(curpath = (char *)malloc(plen+1))) {
      fprintf(stderr, "malloc() failed: %s\n", strerror(errno));
      return(-1);
    }
    strncpy(curpath, path, plen+1);
  }

  /* Now set "fullpath" to be the absolute path name of the directory
     we will be checking (prepend "curpath" if "dir" is not already an
     absolute pathname).
  */
  fullpath = (char *)NULL;
  if (!make_pathname(curpath, dir, &fullpath)) {
    fprintf(stderr, "make_pathname() failed: %s\n", strerror(errno));
    free((void *)curpath);
    return(-1);
  }

  if (chdir(dir)) {
    fprintf(stderr, "chdir(%s): %s\n", fullpath, strerror(errno));
    free((void *)curpath);
    free((void *)fullpath);
    return(-1);
  }

  /* Again, "linkcount" (the link count of the current directory) is set
     only if check_dir() is called recursively.  Otherwise, we need to
     stat the directory ourselves.
  */
  if (!linkcount) {
    if (lstat(".", &statinfo)) {
      fprintf(stderr, "lstat(%s): %s\n", fullpath, strerror(errno));
      goto abort;
    }
    linkcount = statinfo.st_nlink;
  }

  if (!(dirhandle = opendir("."))) {
    fprintf(stderr, "opendir(%s): %s\n", fullpath, strerror(errno));
    goto abort;
  }

  numdirs = 0;
  dl = (struct dirinfolist *)NULL;
  while ((finfo = readdir(dirhandle))) {
    if (!strcmp(finfo->d_name, ".") || !strcmp(finfo->d_name, ".."))
      continue;

    if (lstat(finfo->d_name, &statinfo)) {
      fprintf(stderr, "lstat(%s/%s): %s\n",
          fullpath, finfo->d_name, strerror(errno));
      closedir(dirhandle);
      goto abort;
    }

    if (S_ISDIR(statinfo.st_mode)) {
      numdirs++;

      if (norecurse) continue;               /* just count subdirs if "-n" */

      /* Otherwise, keep a list of all directories found that have link
     count > 2 (indicating directory contains subdirectories).  We'll
     call check_dir() on each of these subdirectories in a moment...
      */
      if (statinfo.st_nlink > 2) {
    dptr = dl;
    if (!(dl = (struct dirinfolist *)malloc(sizeof(struct dirinfolist)))) {
      fprintf(stderr, "malloc() failed: %s\n", strerror(errno));
      norecurse = 1;
      while (dptr) {
        dl = dptr->dil_next;
        free((void *)dptr);
        dptr = dl;
      }
      continue;
    }

    strncpy(dl->dil_name, finfo->d_name, sizeof(dl->dil_name));
    dl->dil_lc = statinfo.st_nlink;
    dl->dil_next = dptr;
      }
    }
  }
  closedir(dirhandle);

  /* Parent directory link count had better equal #subdirs+2... */
  diff = linkcount - numdirs - 2;
  if (diff) printf("%d\t%s\n", diff, fullpath);

  /* Now check all subdirectories in turn... */
  while (dl) {
    check_dir(dl->dil_name, fullpath, dl->dil_lc, norecurse);
    dptr = dl->dil_next;
    free((void *)dl);
    dl = dptr;
  }

 abort:
  if (chdir(curpath)) {
    fprintf(stderr, "Final chdir(%s) failed (%s) -- EXIT!\n",
        curpath, strerror(errno));
    exit(255);
  }
  free((void *)fullpath);
  free((void *)curpath);
  return(diff);
}


int main (int argc, char **argv)
{
  int norecurse = 0;
  int i, retval;
  int c;

  opterr = 0;
  while ((c = getopt(argc, argv, "n")) > 0) 
  {
    switch (c) 
    {
      case 'n':
        norecurse = 1;
        break;
      default:
        usage();
    }
  }
  if (argc <= optind) usage();
  {
    for (i = optind; i < argc; i++) 
    {
      retval = check_dir(argv[i], (char *)NULL, 0, norecurse);
    }
  }
 
  exit(retval);
}

 

8. check_wtmpx.c

#if !defined(__SunOS__) && !defined(SOLARIS2)
int main () { return 0; }
#else
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <pwd.h>
#include <time.h>
#include <utmp.h>
#include <utmpx.h>
#include <lastlog.h>
#include <fcntl.h>
#include <unistd.h>

#define WTMP_FILENAME  "/var/adm/wtmp"
#define WTMPX_FILENAME "/var/adm/wtmpx"


struct file_utmp_entry
{
    char        ut_user[8];     /* User login name              */
    char        ut_id[4];       /* /etc/inittab id              */
    char        ut_line[12];    /* device name (console, lnxx)  */
    int16_t     ut_pid;         /* process id                   */
    int16_t     ut_type;        /* type of entry                */
    struct
    {
        int16_t e_termination;  /* Process termination status   */
        int16_t e_exit;         /* Process exit status          */
    } ut_exit;                  /* The exit status of a process */
    uint32_t    ut_time;        /* time entry was made          */
};

struct timeval_32
{
    uint32_t tv_sec;   /* seconds          */
    int32_t  tv_usec;  /* and microseconds */
};

/*
 * This data structure describes the utmp *file* contents using
 * fixed-width data types.  It should only be used by the implementation.
 *
 * Applications should use the getutxent(3c) family of routines to interact
 * with this database.
 */
struct file_utmpx_entry
{
    char              ut_user[32];   /* user login name                */
    char              ut_id[4];      /* inittab id                     */
    char              ut_line[32];   /* device name (console, lnxx)    */
    uint32_t          ut_pid;        /* process id                     */
    int16_t           ut_type;       /* type of entry                  */
    struct
    {
        int16_t e_termination;       /* process termination status     */
        int16_t e_exit;              /* process exit status            */
    } ut_exit;                       /* exit status of a process       */
    struct timeval_32 ut_tv;         /* time entry was made            */
    int32_t           ut_session;    /* session ID, user for windowing */
    int32_t           pad[5];        /* reserved for future use        */
    int16_t           ut_syslen;     /* significant length of ut_host  */
    char              ut_host[257];  /* remote host name               */
};

static void usage ( char * arg )
{
    fprintf( stderr, " Usage: %s [-h] [-w wtmp] [-x wtmpx]\n", arg );
    exit( EXIT_FAILURE );
}  /* end of usage */

int main ( int argc, char * argv[] )
{
    int                     fd_wtmp, fd_wtmpx;
    char                    filename_wtmp[128]  = WTMP_FILENAME;
    char                    filename_wtmpx[128] = WTMPX_FILENAME;
    ssize_t                 wtmp_bytes_read;
    ssize_t                 wtmpx_bytes_read;
    uint32_t                wtmp_read_counter   = 0; 
    uint32_t                wtmpx_read_counter  = 0;
    int                     c;
    struct file_utmp_entry  utmp_entry;
    struct file_utmpx_entry utmpx_entry;

    opterr = 0;  /* Don't want getopt() writing to stderr */
    while ( ( c = getopt( argc, argv, "hw:x:" ) ) != EOF )
    {
        switch ( c )
        {
        case 'w':
            strncpy( filename_wtmp, optarg, 128 );
            filename_wtmp[127]  = '\0';
            break;
        case 'x':
            strncpy( filename_wtmpx, optarg, 128 );
            filename_wtmpx[127] = '\0';
            break;
        case 'h':
        case '?':
            usage( argv[0] );
            break;
        }  /* end of switch */
    }  /* end of while */

    fd_wtmp = open( filename_wtmp, O_RDONLY );
    if ( fd_wtmp < 0 )
    {
        fprintf( stderr, "Unable to open %s\n", filename_wtmp );
        return( EXIT_FAILURE );
    }
    fd_wtmpx = open( filename_wtmpx, O_RDONLY );
    if ( fd_wtmpx < 0 )
    {
        fprintf( stderr, "Unable to open %s\n", filename_wtmpx );
        close( fd_wtmp );
        return( EXIT_FAILURE );
    }
    while ( 1 )
    {
        wtmpx_bytes_read = read( fd_wtmpx, &utmpx_entry, sizeof( struct file_utmpx_entry ) );
        if ( wtmpx_bytes_read > 0 )
        {
            if ( wtmpx_bytes_read < sizeof( struct file_utmpx_entry ) )
            {
                fprintf( stderr, "wtmpx entry may be corrupted\n" );
                break;
            }
            wtmpx_read_counter++;
        }
        wtmp_bytes_read = read( fd_wtmp, &utmp_entry, sizeof( struct file_utmp_entry ) );
        if ( wtmp_bytes_read > 0 )
        {
            if ( wtmp_bytes_read < sizeof( struct file_utmp_entry ) )
            {
                fprintf( stderr, "wtmp entry may be corrupted\n" );
                break;
            }
            wtmp_read_counter++;
        }
        if ( ( wtmpx_bytes_read <= 0 ) || ( wtmp_bytes_read <= 0 ) )
        {
            break;
        }
        if ( strncmp( utmp_entry.ut_user, utmpx_entry.ut_user, 8 ) != 0 )
        {
            fprintf( stderr, "[ %u ] ut_user %s <-> %s\n", wtmp_read_counter, 
                     utmp_entry.ut_user, utmpx_entry.ut_user );
            break;
        }
        if ( memcmp( utmp_entry.ut_id, utmpx_entry.ut_id, 4 ) != 0 )
        {
            fprintf( stderr, "[ %u ] utmp_entry.ut_id != utmpx_entry.ut_id\n", wtmp_read_counter );
            break;
        }
        if ( strcmp( utmp_entry.ut_line, utmpx_entry.ut_line ) != 0 )
        {
            fprintf( stderr, "[ %u ] ut_line %s <-> %s\n", wtmp_read_counter, 
                     utmp_entry.ut_line, utmpx_entry.ut_line );
            break;
        }
        if ( utmp_entry.ut_pid != utmpx_entry.ut_pid )
        {
            fprintf( stderr, "[ %u ] ut_pid %d <-> %d\n", wtmp_read_counter, 
                     utmp_entry.ut_pid, utmpx_entry.ut_pid );
            break;
        }
        if ( utmp_entry.ut_type != utmpx_entry.ut_type )
        {
            fprintf( stderr, "[ %u ] ut_type %d <-> %d\n", wtmp_read_counter, 
                     utmp_entry.ut_type, utmpx_entry.ut_type );
            break;
        }
        if ( utmp_entry.ut_time != utmpx_entry.ut_tv.tv_sec )
        {
            fprintf( stderr, "[ %u ] ut_time %08X <-> %08X\n", wtmp_read_counter, 
                     utmp_entry.ut_time, utmpx_entry.ut_tv.tv_sec );
            break;
        }
    }  /* end of while */
    if ( wtmpx_read_counter != wtmp_read_counter )
    {
        fprintf( stderr, "wtmpx or wtmp entry may be deleted\n" );
    }
    close( fd_wtmpx );
    close( fd_wtmp );
    return( EXIT_SUCCESS );
}  /* end of main */
#endif

 

9. strings.c

#include <stdio.h>
#include <strings.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <ctype.h>
#include <stdlib.h>
#ifdef __FreeBSD__
#include <string.h> 
#endif

#define MAXFILESIZE (4 * 1024 * 1024)

/*
 * Many options here. The current choice produces a little more output
 * than gnu strings
 */

/*
 * Try to get the filesize via stat, and get a buffer to match
 * Naievely allocate a 4MB buffer if we can't
 * Fails badly if it allocate a buffer big enough to load a file
 */
unsigned char *filebuf(FILE *pf, int *sz) {
  struct stat buf;
  unsigned char *cdata;

  if (fstat(fileno(pf), &buf) < 0) {
    perror("fstat");
    exit (1);
  }

  *sz = buf.st_size;
  if(*sz == 0) *sz = MAXFILESIZE;

  if ((cdata = malloc(*sz+1)) == NULL) {
    perror("malloc");
    exit (1);
  }
  return cdata;
}

/*
 * Find printable strings of 4 or more characters
 * Always scans entire file (-a option of gnu strings)
 */
void strings(FILE *pf) {
  static char printme[1024];
  int sz;
  unsigned char *cdata;
  int nread;
  int printmeindex;
  cdata = filebuf(pf,&sz);
  nread = fread(cdata, 1, sz, pf);
  printmeindex = 0;
  if (nread > 0) {
    int i;
    unsigned char c;
    int isprintable;
    int iseol;
    for (i = 0; i < nread; i++) {
      c = cdata[i];
      isprintable = isprint(c);
      iseol = 0;
      if (c == 0 || c == '\n' || printmeindex >= sizeof(printme)-1) iseol = 1;
      if (iseol || !isprintable) {
    if (printmeindex > 3 && iseol) {
      printme[printmeindex++] = 0;
      printf("%s\n", printme);
      printmeindex = 0;
    }
      }
      else if (isprintable) {
    printme[printmeindex++] = c;
      }
    }
  }
  if (printmeindex > 3) {
    printme[printmeindex++] = 0;
    printf("%s\n", printme);
    printmeindex = 0;
  }
  free(cdata);
}

/*
 * Silently accepts the -a option
 */
int main(int argc, char **argv)
{
  if (argc > 1) {
    int i;
    for (i = 1; i < argc; i++) {
      FILE *pf;
      if (strcmp(argv[i], "-a") == 0) continue;

      if ((pf = fopen(argv[i],"rb")) == NULL) {
        perror("fopen");
        return(1);
      }
      strings(pf);
    }
  }
  else {
    strings(stdin);
  }
  return(0);
}

 

10. chkrootkit的使用场景及其局限

Relevant Link:

http://xteam.baidu.com/?p=237&qq-pf-to=pcqq.group

 

Copyright (c) 2014 LittleHann All rights reserved

 

posted @ 2014-08-18 14:48 郑瀚Andrew.Hann 阅读(...) 评论(...) 编辑 收藏