GID inconsistency bruteforcer This can be used to detect LD_PRELOAD rootkit that hide fds, procs and files based on GID Since GID is an unsigned int, it is finite and thus bruteforceable, however it might take a while. This took less than 20mins on my system, this may vary based on your setup. NOTE: the rkit could detect it is under GID brutefor…
/*
GID inconsistency bruteforcer
This can be used to detect LD_PRELOAD rootkits that hide fds, procs and files based on GID.
Since a GID is an unsigned int, the search space is finite and thus brute-forceable, though it may take a while.
This took less than 20mins on my system, this may vary based on your setup.
NOTE: the rkit could detect it is under GID bruteforce attack and switch GIDs, however this is not easy to perform.
This will detect Umbreon and other GID based rkits
Have fun!
gcc fuckumbreon.c -o fuckumbreon
*/
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>
int main()
{
if(getuid() != 0) //maybe not getuid?
{
printf("You must run this program as root.");
return 0;
}
unsigned int i, overflow_value = (UINT_MAX + 1);
int fd;
double time_diff;
double percent_done;
char tmp_template[] = "/dev/shm/tmp.XXXXXXXX";
time_t start_time = time(0);
time_t last_time = time(0);
fd = mkstemp(tmp_template);
for (i = 1; i != overflow_value; i++)
{
if((i % 100000) == 0)
{
time_t now = time(0);
time_diff = (double) difftime(now, last_time);
if (time_diff > 0)
{
time_diff = (double) difftime(now, start_time);
percent_done = (double)((double)i / (double)UINT_MAX) * (double)100;
printf("Elapsed seconds: %g, current gid %u, %f percent complete\n", time_diff, i, percent_done);
last_time = time(0);
}
}
int resp = fchown(fd, geteuid(), i);
if (resp == -1 || errno == ENOENT)
{
printf("GID-based fd hiding detected (GID: %u)\n", i);
return 1;
}
}
int resp = fchown(fd, geteuid(), 0);
if(resp == -1) // this is repetitive
{
printf("GID-based fd hiding detected (probably GID %u)\n", UINT_MAX);
return 1;
}
printf("No inconsistencies detected\n");
return 0;
}