Finally commit May 2024 version. Fix #11

Author: patrick-g2

LEEME.txt

@@ -116,11 +116,14 @@ Y las siguientes dependencias:
 unhide-linux, unhide-posix, unhide_rb :
    procps
 
+IMPORTANTE : Tenga en cuenta que, como herramienta forense, unhide se construye estáticamente ya que las librerías del sistema anfitrión pueden estar 
+               comprometidas y para evitar ser engañado por una configuración PRELINKing. 
+
 Si estás usando un kernel de Linux > = 2.6
-   gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
-   gcc -Wall -O2 --static unhide_rb.c -o unhide_rb
-   gcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c  -o unhide-tcp
-   ln -s unhide unhide-linux
+      gcc -Wall -Wextra -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
+      gcc -Wall -Wextra -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp
+      gcc -Wall -Wextra -O2 --static unhide_rb.c -o unhide_rb
+      ln -s unhide unhide-linux
 
 Si no,(Linux < 2.6, *BSD, Solaris and other Unix)
     gcc --static unhide-posix.c -o unhide-posix

LISEZ-MOI.TXT

@@ -130,12 +130,14 @@ unhide-linux, unhide-posix, unhide_rb :
    procps
 
 
+IMPORTANT : Il convient de noter qu'en tant qu'outil de police scientifique, unhide est construit de manière statique, car les bibliothèques du système hôte 
+            peuvent être compromises ainsi que pour éviter d'être trompé par un paramètre PRELINKing. 
 
 Si vous utilisez un noyau Linux >= 2.6
-   gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
-   gcc -Wall -O2 --static unhide_rb.c -o unhide_rb
-   gcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c  -o unhide-tcp
-   ln -s unhide unhide-linux
+      gcc -Wall -Wextra -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
+      gcc -Wall -Wextra -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp
+      gcc -Wall -Wextra -O2 --static unhide_rb.c -o unhide_rb
+      ln -s unhide unhide-linux
 
 Sinon (Linux < 2.6, *BSD, Solaris, etc.)
    gcc --static unhide-posix.c -o unhide-posix

NEWS

@@ -3,8 +3,45 @@ Changes since v20220611 :
 
 BUG FIXES
   - Add missing missing double quotes in __credit__ list of unhideGui.py (reported by Afzal sulaiman)
+  - Fix parsing of the outpout of "ps --no-header -eL o lwp,cmd" (REVERSE test) which might cause false positives
+    in some very rare cases if line length is greater than 1023. (reported by @basak from Ubuntu). Replace fgets() with getline()
+  - Fix the same type of error in reading "/proc/PID/cmdline" in hidden process reporting where the displayed cmd line was truncated if longer than 1000.
+  - Fix return checking of atol() function. (reported by @basak from Ubuntu).
+  - Fix lenght of LWP string to accept 32 bit PID. This bug is triggered for PID > 999999 only and has no visible effect before replacing fgets() by getline().
+
+Wextra WARNINGS REMOVAL
+  - Add option -Wextra to build instruction.
+  - Remove "unused parameter" warning in unhide-linux-bruteforce.c:void *functionThread()
+  - Make table pointers global to remove "variable ‘xxx’ might be clobbered by ‘longjmp’ or ‘vfork’" warning.
+  - Use precision specifier in sprintf to avoid useless format-overflow warning
+  - Also build with clang without warnings
 
+ENHANCEMENTS
+  - Add the invalid argument text to "Unknown Argument" message.
+  - Add some tests for last fixes.
+  - Add a few clarifications to the test descriptions 
+  - Clarify some output messsages.
+
+TEST/STATIC ANALYSIS
+  - use of scanbuild with gcc and clang gives 22 warnings:
+      - 2 warnings concerning the use of vfork() : unsafe, possible DDOS --> can't fix: using vfork is the aim of the test :)
+      - 20 warnings about unused initialization value of variables -> won't fix: in my rules all variables are explicitly initialized :)
 
+GUI
+  - Fix a search error in management of group of test commands (threw an exception in a Tkinter event routine, but finally worked as expected by following a convoluted path). 
+  - Search for unhide and unhide-tcp paths instead of use '.' (cwd) : prefered path ./, default path /usr/sbin/ 
+  - Add comment under shebang with alternative path as not all distrib softlink /bin to /usr/bin.
+  - Remove some debug print statement.
+
+HELP FILES
+  - Add "missing" \ (escape) to option dashes. It makes no difference when groff version < 1.23 but it does after (it seems Debian has reverted this change in its version of 
+    groff as it breaks thousands of Linux man pages).
+ 
+MISCELLANEOUS
+  - Add in its displayed header that unhide_rb is unmaintained.
+  - Update version and copyright dates.
+
+  
 Changes since 20210124 :
 **********************
 
@@ -23,7 +60,7 @@ GUI
 
 MISCELLANOUS
   - Update README.txt (build instructions and some document layout)
-  - Clearly indicate in its display header of unhide_rb that it SHOULD NOT be used for serious work.
+  - Clearly indicate in its display header that unhide_rb MUST NOT be used for serious work.
   - Change links in man pages from SourceForge to GitHub, update e-mails addresses, correct some formatting errors
   - Complete contributors list in README/LEEME/LISEZ-MOI
 

README.txt

@@ -118,7 +118,7 @@ man/fr/unhide-tcp.8 -- French man page of unhide-tcp
       procps
 
 
-IMPORTANT : Notes that, as a forensic tool, unhide is built statically as the host system libraries may be compromised.
+IMPORTANT : Notes that, as a forensic tool, unhide is built statically as the host system libraries may be compromised and to avoid being fooled by a PRELINKing. 
 
 If you ARE using a Linux kernel >= 2.6
       gcc -Wall -Wextra -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux

TODO

@@ -1,4 +1,8 @@
 [TODO]
+- For Brute force test: add an option to choose the number of checks to do. With the increase of the max process number, duration of brute test becomes very long.
+  So (very) short live processes, appearing and disappearing during the brute test, start to give some false positives even with double check.
+  At least make double check the default.
+  The more the number of runs the less the number of false positives.
 - Integrate -m in other test,
 - Try to factorize the code,
 - More optimizations,

changelog

@@ -1,3 +1,57 @@
+2024-05
+  
+  README.txt, LISEZMOI.txt and LEEME.txt
+  - Add option -Wextra to build instruction.
+
+  unhide.8, unhide-tcp.8, fr/unhide.8, fr/unhide-tcp.8, es/unhide.8, es/unhide-tcp.8 
+  - add mising escpe of dash char. They're needed for recent version of Groff-man macros as they are no more automacically escaped.
+  - update reference date of man pages.
+
+  sanity.sh
+  - Add new tests for testing new fixes.
+  - minors typo corrections of output texts and comments
+  - update © date.
+  
+  unhide-linux-bruteforce.c
+  - Add "__attribute__ ((unused))" to functionThread (void *parametro) in order to suppress -Wextra warning.
+  - Transform allpids and allpids2 variables from brute() function to globals to suppress -Wextra warning (using volatile doesn't work in this case).
+  
+  unhide-linux-compound.c
+  - Replace use of fgets() by call to getline() in order to be able to parse process cmdline of more than 1024 char with digit at 1024th position. (reported by @basak from Ubuntu packaging team).
+  - Fix a buffer overflow detected thanks to the above modification. Previously, the overflow only overwrites stack data which are no more used. It happened only when a process has a PID > 999999. 
+  - Fix error checking of atol().
+  - Add a check to see if the PID is a numerical value, else display a warning (if verbose mode)
+  - Clarify some warning messages.
+  - Increase LWP string in checkallreverse() to accept 32bits PID (20 bits previously)
+  
+  unhide-linux-procfs.c
+  - Add precision (max legth) to %s in format strings to suppress -Wextra warning.
+  - Remove "pragma GCC diagnostic ignored "-Wformat-overflow"
+  
+  unhide-linux.c
+  - Update Copyright notice and version header.
+  - Replace use of fgets() by call to getline() in printbadpid(): display of cmdline could be truncated if their length was > 1023.
+  - Double the size of the buffer used with readlink(): 2000 char, hoping it's enough for all paths :). if not readlink truncates the path to 2000 char.
+  - Clarify some messages.
+  - In case of unknown arg on command line, indicate which one it is in error message.
+
+  unhide-posix.c
+  - Update Copyright notice and version header.
+
+  unhide-tcp.c
+  - Update Copyright notice and version header.
+
+  unhideGui.py
+  - Add a comment with alternative shebang as some distrib don't soft link /bin to /usr/bin. 
+  - Fix search of single test in test group (generate a tkinter exeption, but work anyway).
+  - Search path of unhide-linux / unhide-tcp executables instead of forcing "./" as path.
+  
+  unhide_rb.c
+  - Update Copyright notice and version header.
+  - Fix some typo in displayed header.
+  - Indicate unhibe_rb is no more maintained and must not be used for serious work.
+
+  
 2021-01
   unhide-linux-procfs.c
   - Suppress -Wformat-overflow warning by GCC >= 8.0 in function checkreaddir().

man/es/unhide-tcp.8

@@ -1,4 +1,4 @@
-.TH "UNHIDE-TCP" "8" "Junio 2022" "Administration commands" ""
+.TH "UNHIDE-TCP" "8" "Maio 2022" "Administration commands" ""
 .SH "NOMBRE"
 unhide\-tcp \(em Herramienta forense para localizar puertos TCP/UDP ocultos
 .SH "SYNOPSIS"

man/es/unhide.8

@@ -1,4 +1,4 @@
-.TH "UNHIDE" "8" "Junio 2022" "Comandos de administración" ""
+.TH "UNHIDE" "8" "Maio 2024" "Comandos de administración" ""
 .SH "NOMBRE"
 unhide \(em Herramienta forense para descubrir procesos ocultos
 .SH "SINOPSIS"

man/fr/unhide-tcp.8

@@ -1,4 +1,4 @@
-.TH "UNHIDE-TCP" "8" "Juin 2022" "Commandes d'administration"
+.TH "UNHIDE-TCP" "8" "Mai 2024" "Commandes d'administration"
 .SH "NOM"
 unhide-tcp \(em outil d'investigation post-mortem pour trouver des ports TCP/UDP cachés
 .SH "SYNOPSIS"
@@ -13,40 +13,40 @@ tous les ports TCP/UDP existants.
 .br
 Note1 : sur FreeBSD et OPENBSD, netstat est systématiquement utilisé iproute2 n'existant pas
 sur ces systèmes. De plus sur FreeBSD, sockstat est utilisé à la place de fuser.
-Note2 : si iproute2 n'est pas installé sur le système, une des option -n ou - s
+Note2 : si iproute2 n'est pas installé sur le système, une des option \-n ou \-s
 DOIT être utilisée sur la ligne de commande.
 .PP
 .SH "OPTIONS"
 .TP
 \fB\-h\fR
 Affiche l'aide.
 .TP
-\fB\--brief\fR
+\fB\\-\-brief\fR
 N'affiche pas les messages d'avertissement, c'est le comportement par défaut.
 .TP
-\fB\-f --fuser\fR
+\fB\-f \-\-fuser\fR
 Affiche la sortie de fuser (si elle est disponible) pour les ports cachés.
 Sur FreeBSD, affiche, à la place, la sortie de sockstat pour les ports cachés.
 .TP
-\fB\-l --lsof\fR
+\fB\-l \-\-lsof\fR
 Affiche la sortie de lsof (si elle est disponible) pour les ports cachés.
 .TP
-\fB\-n --netstat\fR
+\fB\-n \-\-netstat\fR
 Utilise /bin/netstat au lieu de /sbin/ss. Sur les systèmes où un grand nombre de ports sont ouverts,
 cela peut ralentir le test de façon dramatique.
 .TP
-\fB\-o --log\fR
+\fB\-o \-\-log\fR
 Enregistre les sorties dans un fichier de log (unhide-tcp-AAAA-MM-JJ.log) situé dans le répertoire courant.
 .TP
-\fB\-s --server\fR
+\fB\-s \-\-server\fR
 Utilise une stratégie d'analyse très rapide. Sur un système avec un très grand nombre de ports ouverts,
 c'est des centaines de fois plus rapide que la méthode ss et des dizaines de milliers de fois plus rapide que
 la méthode netstat.
 .TP
-\fB\-V --version\fR
+\fB\-V \-\-version\fR
 Affiche la version et sort
 .TP
-\fB\-v --verbose\fR
+\fB\-v \-\-verbose\fR
 Affichage prolixe, affiche les message d'avertissement (par défaut : ne pas afficher).
 .PP
 .SS "Exit status:"

man/fr/unhide.8

@@ -1,4 +1,4 @@
-.TH "unhide" "8" "Juin 2022" "Commandes d'administration"
+.TH "unhide" "8" "Mai 2024" "Commandes d'administration"
 .SH "NOM"
 unhide \(em outil d'investigation post\-mortem pour trouver des processus cachés
 .SH "SYNOPSIS"
@@ -16,28 +16,28 @@ détecte les processus cachés en utilisant six techniques principales.
 .PP
 Les options sont uniquement disponibles pour \fBunhide-linux\fR pas pour \fBunhide-posix\fR.
 .TP
-\fB \-d\fR
+\fB\-d\fR
 Effectue un double contrôle dans le test 'brute' pour diminuer l'occurence des faux positifs.
 .TP
-\fB \-f\fR
+\fB\-f\fR
 Enregistre les sorties dans un fichier de log (unhide-linux.log) situé dans le répertoire courant.
 .TP
-\fB \-h\fR
+\fB\-h\fR
 Affichage de l'aide.
 .TP
-\fB \-m\fR
+\fB\-m\fR
 Exécute des contrôles supplémentaires. Pour la version 2012\-03\-17, cette option n'a
 d''effet pour les tests procfs, procall, checkopendir et checkchdir.
 .br
 Elle implique l'option \-v.
 .TP
-\fB \-r\fR
+\fB\-r\fR
 Utilise une version alternative du test sysinfo lors du lancement d'un test standard.
 .TP
-\fB \-V\fR
+\fB\-V\fR
 Affiche la version et sort.
 .TP
-\fB \-v\fR
+\fB\-v\fR
 Affichage prolixe, affiche les message d'avertissement (par défaut : ne pas afficher).
 Cette option peut être répétée plus d'une fois.
 .TP
@@ -86,7 +86,7 @@ Cette technique n'est disponible qu'avec la version unhide\-linux.
 .PP
 La technique \fIreverse\fR consiste à vérifier que tous les threads vus par /bin/ps
 sont également vus dans le procfs et par les appels système. C'est une recherche
-inversée. Elle est destiné à vérifier qu'un rootkit n'a pas tué un outil de sécurité
+inversée. Elle est destiné à vérifier qu'un rootkit n'a pas tué un outil de sécurité 
 (IDS ou autre) et modifié /bin/ps pour lui faire afficher un faux processus à la place.
 .br
 Cette technique n'est disponible qu'avec la version unhide\-linux.
@@ -222,7 +222,7 @@ Test standard :
 unhide sys proc
 .TP
 Test le plus complet :
-unhide -m -d sys procall brute reverse
+unhide \-m \-d sys procall brute reverse
 .SH "BUGS"
 .PP
 Rapportez les bugs de \fBunhide\fR sur le bug tracker de GitHub (https://github.com/YJesus/Unhide/issues)

man/unhide-tcp.8

@@ -1,4 +1,4 @@
-.TH "UNHIDE-TCP" "8" "June 2022" "Administration commands"
+.TH "UNHIDE-TCP" "8" "May 2024" "Administration commands"
 .SH "NAME"
 unhide-tcp \(em forensic tool to find hidden TCP/UDP ports
 .SH "SYNOPSIS"
@@ -13,40 +13,40 @@ TCP/UDP ports available.
 .br
 Note1 : On FreeBSD ans OpenBSD, netstat is always used as iproute2 doesn't exist
 on these OS. In addition, on FreeBSD, sockstat is used instead of fuser.
-Note2 : If iproute2 is not available on the system, option -n or -s SHOULD be
+Note2 : If iproute2 is not available on the system, option \-n or \-s SHOULD be
 given on the command line.
 .PP
 .SH "OPTIONS"
 .TP
-\fB\-h --help\fR
+\fB\-h \-\-help\fR
 Display help
 .TP
-\fB\--brief\fR
+\fB\-\-brief\fR
 Don't display warning messages, that's the default behavior.
 .TP
-\fB\-f --fuser\fR
+\fB\-f \-\-fuser\fR
 Display fuser output (if available) for the hidden port
 On FreeBSD, instead of fuser command, displays the output of the sockstat command for the hidden port.
 .TP
-\fB\-l --lsof\fR
+\fB\-l \-\-lsof\fR
 Display lsof output (if available) for the hidden port
 .TP
-\fB\-n --netstat\fR
+\fB\-n \-\-netstat\fR
 Use /bin/netstat instead of /sbin/ss. On system with many opened ports, this can
 slow down the test dramatically.
 .TP
-\fB\-s --server\fR
+\fB\-s \-\-server\fR
 Use a very quick strategy of scanning. On system with a lot of opened ports,
 it is hundreds times faster than ss method and ten thousands times faster than
 netstat method.
 .TP
-\fB\-o --log\fR
+\fB\-o \-\-log\fR
 Write a log file (unhide-tcp-AAAA-MM-DD.log) in the current directory.
 .TP
-\fB\-V --version\fR
+\fB\-V \-\-version\fR
 Show version and exit
 .TP
-\fB\-v --verbose\fR
+\fB\-v \-\-verbose\fR
 Be verbose, display warning message (default : don't display).
 This option may be repeated more than once.
 .PP

man/unhide.8

@@ -1,4 +1,4 @@
-.TH "UNHIDE" "8" "June 2022" "Administration commands"
+.TH "UNHIDE" "8" "May 2024" "Administration commands"
 .SH "NAME"
 unhide \(em forensic tool to find hidden processes
 .SH "SYNOPSIS"
@@ -29,7 +29,7 @@ Display help
 Do more checks. As of 2012\-03\-17 version, this option has only
 effect for the procfs, procall, checkopendir and checkchdir tests.
 .br
-Implies -v
+Implies \-v
 .TP
 \fB\-r\fR
 Use alternate version of sysinfo check in standard tests
@@ -73,7 +73,7 @@ This technique is only available with version unhide\-linux.
 The \fIprocfs\fR technique consists of comparing information
 gathered from /bin/ps with information gathered by walking in the procfs.
 .br
-With \fB-m\fR option, this test makes more checks, see \fIcheckchdir\fR test.
+With \fB\-m\fR option, this test makes more checks, see \fIcheckchdir\fR test.
 .br
 This technique is only available with version unhide\-linux.
 .PP
@@ -103,7 +103,7 @@ This technique is only available with version unhide\-linux.
 The \fIcheckchdir\fR technique consists of comparing information
 gathered from /bin/ps with information gathered by making chdir() in the procfs.
 .br
-With the \fB-m\fR option, it also verify that the thread appears in its
+With the \fB\-m\fR option, it also verify that the thread appears in its
 "leader process" threads list.
 .br
 This technique is only available with version unhide\-linux.
@@ -224,7 +224,7 @@ Standard test:
 unhide sys proc
 .TP
 Deeper test:
-unhide -m -d sys procall brute reverse
+unhide \-m \-d sys procall brute reverse
 .SH "BUGS"
 .PP
 Report \fBunhide\fR bugs on the bug tracker on GitHub (https://github.com/YJesus/Unhide/issues)