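#!/bin/bash
#
# Detect rootkits, such as Diamorphine, that respond to exotic signals
#
# How it works: every signal is set to "ignore", then each one is sent to
# this process (the full range twice, so that hide/unhide style toggles are
# exercised in both directions) and three observations are compared before
# and after delivery:
#   - whether this PID appears in a directory listing of /proc
#   - the output of id(1), i.e. whether our identity changed
#   - the sorted list of module names from /proc/modules
# Every difference is reported on stdout as a "- SIGNAL n ..." line.
#
# Only `set -u` is used on purpose: commands in the loop are expected to
# return non-zero (diff exits 1 when the lists differ), so `set -e` would
# abort the scan part way through.
set -u
# Currently Linux only because we don't look up kernel modules in the correct place
[[ $(uname) != "Linux" ]] && exit 0

# Ignore every signal so that delivering them below can neither terminate
# nor stop this process. trap rejects the untrappable/reserved numbers
# (9, 19, 32, 33); those are skipped when sending, so its complaint is
# silenced here rather than printed 4 times.
for sig in {0..64}; do
  trap "" "${sig}" 2>/dev/null
done

#######################################
# Print this process's PID when it is present in a directory listing of
# /proc, print nothing otherwise.
# A listing (readdir) is used deliberately instead of a direct test on
# /proc/$$: hiding a PID from the listing is the behaviour being detected.
# Outputs: "$$" or empty string on stdout
#######################################
proc_visible() {
  ls -1 /proc/ | grep -x -- "$$"
}

#######################################
# Print the sorted names of the currently loaded kernel modules, one per line.
# Outputs: module names on stdout (empty if /proc/modules is unreadable)
#######################################
list_modules() {
  awk '{print $1 }' < /proc/modules | sort
}

# rotate through all signals twice
for sig in {0..64} {0..64}; do
  # skip the following untrappable signals; checking this before taking the
  # snapshots means nothing is computed for a signal that is never sent
  case $sig in
    9|19|32|33)
      continue
      ;;
  esac

  old_proc=$(proc_visible)
  old_id=$(id)
  # the module lists are kept in shell variables: writing them to temp files
  # would require cleanup on every path, and a world-writable file in /tmp
  # could be altered by another local user between the two snapshots
  old_mods=$(list_modules)

  # echo "Sending $sig to $$"
  kill "-${sig}" $$ || true

  new_proc=$(proc_visible)
  if [[ "${new_proc}" == "" && "${old_proc}" != "" ]]; then
    echo "- SIGNAL $sig made /proc/$$ (this process) invisible!"
  fi
  if [[ "${new_proc}" != "" && "${old_proc}" == "" ]]; then
    echo "- SIGNAL $sig made /proc/$$ (this process) visible again!"
  fi

  new_id=$(id)
  if [[ "${new_id}" != "${old_id}" ]]; then
    echo "- SIGNAL $sig changed my id from \"${old_id}\" to \"${new_id}\""
  fi

  new_mods=$(list_modules)
  # NOTE(review): process substitution is served via /dev/fd (/proc/self/fd);
  # assumed to keep working while our PID is hidden from readdir — confirm
  # against the rootkits of interest
  mod_diff=$(diff -ubB <(printf '%s\n' "${old_mods}") <(printf '%s\n' "${new_mods}"))
  if [[ "${mod_diff}" != "" ]]; then
    echo "- SIGNAL $sig caused /proc/modules to change:"
    echo "${mod_diff}"
  fi
done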