
Experimental program that detects files & directories hidden by Linux trojan/rootkits


inodeyou-c

inodeyou-c is a userspace C program adapted from inodeyou that uses a simple cross-check to detect inodes hidden by Linux rootkits or malware.

inodeyou-c uses The Sleuth Kit (TSK) C library to compare two views of the file system's inodes:

  1. Finding inodes visible in the disk's view of the file system (reading the raw volume with read()) via the TSK library
  2. Finding inodes visible in the user's view of the mounted file system (with getdents(), stat(), etc.)

With the results from both methods we cross-check for inodes that are seen in the disk view of the file system (via TSK) but not in the user's view of the mounted file system (as listed by the ls command). Such inodes may be hidden by a rootkit or malware.
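The cross-check described above, as an added example that is not part of inodeyou-c and does not use TSK: the user view is collected through opendir()/readdir()/lstat() on the mounted file system, while the disk view that TSK would normally supply is a constructed array (in this example the user view plus one inode number that was never visible). The two lists are sorted and merged, so the comparison is O(n log n) rather than a nested loop; the function names collect_user_view, find_hidden and max_ino are this example's own.

```c
/* Added example, not inodeyou-c's own code. Cross-check of a "disk view"
 * inode list against the "user view" of a mounted directory. The disk view
 * here is CONSTRUCTED; in the real tool it comes from The Sleuth Kit. */
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_INODES 4096

/* Collect inode numbers of regular files and directories visible through
 * the mounted file system (the user's view). Special files (sockets,
 * symlinks, ...) are skipped, as the README says the tool does not handle
 * them. Returns the number of inodes written to `out`, or -1 on error. */
int collect_user_view(const char *dir, ino_t *out, size_t max)
{
    DIR *d = opendir(dir);
    if (!d) return -1;
    size_t n = 0;
    struct dirent *ent;
    while ((ent = readdir(d)) != NULL && n < max) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        char path[4096];
        snprintf(path, sizeof path, "%s/%s", dir, ent->d_name);
        struct stat st;
        if (lstat(path, &st) != 0) continue;       /* vanished or unreadable */
        if (!S_ISREG(st.st_mode) && !S_ISDIR(st.st_mode))
            continue;
        out[n++] = st.st_ino;
    }
    closedir(d);
    return (int)n;
}

static int cmp_ino(const void *a, const void *b)
{
    ino_t x = *(const ino_t *)a, y = *(const ino_t *)b;
    return (x > y) - (x < y);
}

/* Largest inode number in `v`; used to pick a value guaranteed absent. */
ino_t max_ino(const ino_t *v, size_t n)
{
    ino_t m = 0;
    for (size_t i = 0; i < n; i++) if (v[i] > m) m = v[i];
    return m;
}

/* Report inodes present in the disk view but absent from the user view.
 * Both arrays are sorted in place and merged (set membership, so hard
 * links listed twice do not trigger a report). Returns the number of
 * suspicious inodes written to `hidden`. */
int find_hidden(ino_t *disk, size_t ndisk, ino_t *user, size_t nuser,
                ino_t *hidden, size_t max)
{
    qsort(disk, ndisk, sizeof *disk, cmp_ino);
    qsort(user, nuser, sizeof *user, cmp_ino);
    size_t i = 0, j = 0, k = 0;
    while (i < ndisk && k < max) {
        if (j < nuser && user[j] < disk[i]) { j++; continue; }
        if (j < nuser && user[j] == disk[i]) { i++; continue; }
        hidden[k++] = disk[i++];          /* on disk, not visible to the user */
    }
    return (int)k;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : ".";
    static ino_t user[MAX_INODES], disk[MAX_INODES], hidden[MAX_INODES];
    int nuser = collect_user_view(dir, user, MAX_INODES - 1);
    if (nuser < 0) { perror("opendir"); return 1; }
    /* Stand-in for the TSK pass: the user view plus one CONSTRUCTED inode
     * number that the mounted view never showed. */
    memcpy(disk, user, nuser * sizeof *user);
    disk[nuser] = max_ino(user, nuser) + 1;
    int nh = find_hidden(disk, nuser + 1, user, nuser, hidden, MAX_INODES);
    for (int i = 0; i < nh; i++)
        printf("inode %lu is on disk but not visible in %s\n",
               (unsigned long)hidden[i], dir);
    return 0;
}
```

Run it as `./example /home/user1` to see the one constructed inode reported; swapping the constructed disk array for a list produced by a TSK directory walk turns this into the same comparison inodeyou-c performs.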

Adapted from inodeyou:

⚠️Note: This program is made for experimental and learning purposes and thus produces a large number of false positives. Results given by this program may NOT be 100% accurate or representative⚠️

Features

Limitations

  • A rootkit/malware may evade the scan if inodes are already hidden from TSK to begin with
  • Buggy on some directories like /run and /lib64, which creates false positives
  • Runtime of program is O(n^2), where n is the number of anomalies found
  • Some TSK functions have memory leaks which may create unexpected results
  • Does not detect special files such as file sockets, symbolic links, etc.
  • Only works on ext2/3/4 file systems; not compatible with XFS and other types.

Installation

For debian-based distros:

sudo apt update
sudo apt install gcc
sudo apt install libtsk-dev
sudo git clone https://github.com/0xf41/inodeyou-c.git
cd ./inodeyou-c/
sudo make

Usage

The example command recursively scans /home/user1 for hidden inodes, where /home/user1 lies under the root (/) mountpoint on the /dev/sda1 volume.

Usage: sudo ./inodeyou-c volume mountpoint [directory] 
Example: ./inodeyou-c /dev/sda1 / /home/user1

In the example below, inodeyou-c has successfully detected an inode, /home/user1/lilyofthevalley2.txt, hidden by the LilyOfTheValley rootkit.

[demo screenshot]
