From b428ce4f935a6965e47e1e2d39b01fde63bc9b7b Mon Sep 17 00:00:00 2001
From: patrick-g2 <patrickg.github@free.fr>
Date: Wed, 11 Dec 2024 15:10:01 +0100
Subject: [PATCH] Finally commit May 2024 version. Fix #11

---
 LEEME.txt                 |  11 ++--
 LISEZ-MOI.TXT             |  10 ++--
 NEWS                      |  39 ++++++++++++-
 README.txt                |   2 +-
 TODO                      |   4 ++
 changelog                 |  54 +++++++++++++++++
 man/es/unhide-tcp.8       |   2 +-
 man/es/unhide.8           |   2 +-
 man/fr/unhide-tcp.8       |  20 +++----
 man/fr/unhide.8           |  20 +++----
 man/unhide-tcp.8          |  22 +++----
 man/unhide.8              |  10 ++--
 sanity-tcp.sh             |   2 +-
 sanity.sh                 | 118 +++++++++++++++++++++++++++-----------
 ss                        |   2 +-
 ss-ref                    |   2 +-
 unhide-linux-bruteforce.c |  15 +++--
 unhide-linux-compound.c   |  47 +++++++++------
 unhide-linux-procfs.c     |  22 +++----
 unhide-linux-syscall.c    |   2 +-
 unhide-linux.c            |  70 +++++++++++++++-------
 unhide-linux.h            |   2 +-
 unhide-output.c           |   2 +-
 unhide-output.h           |   2 +-
 unhide-posix.c            |   6 +-
 unhide-tcp-fast.c         |   2 +-
 unhide-tcp.c              |   6 +-
 unhide-tcp.h              |   2 +-
 unhideGui.py              |  34 ++++++++---
 unhide_rb.c               |  17 +++---
 30 files changed, 382 insertions(+), 167 deletions(-)

diff --git a/LEEME.txt b/LEEME.txt
index e5a7d80..06a058b 100644
--- a/LEEME.txt
+++ b/LEEME.txt
@@ -116,11 +116,14 @@ Y las siguientes dependencias:
 unhide-linux, unhide-posix, unhide_rb :
    procps
 
+IMPORTANTE : Tenga en cuenta que, como herramienta forense, unhide se construye estáticamente ya que las librerías del sistema anfitrión pueden estar 
+               comprometidas y para evitar ser engañado por una configuración PRELINKing. 
+
 Si estás usando un kernel de Linux > = 2.6
-   gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
-   gcc -Wall -O2 --static unhide_rb.c -o unhide_rb
-   gcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c  -o unhide-tcp
-   ln -s unhide unhide-linux
+      gcc -Wall -Wextra -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
+      gcc -Wall -Wextra -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp
+      gcc -Wall -Wextra -O2 --static unhide_rb.c -o unhide_rb
+      ln -s unhide unhide-linux
 
 Si no,(Linux < 2.6, *BSD, Solaris and other Unix)
     gcc --static unhide-posix.c -o unhide-posix
diff --git a/LISEZ-MOI.TXT b/LISEZ-MOI.TXT
index c0914f1..c79ef3c 100644
--- a/LISEZ-MOI.TXT
+++ b/LISEZ-MOI.TXT
@@ -130,12 +130,14 @@ unhide-linux, unhide-posix, unhide_rb :
    procps
 
 
+IMPORTANT : Il convient de noter qu'en tant qu'outil de police scientifique, unhide est construit de manière statique, car les bibliothèques du système hôte 
+            peuvent être compromises ainsi que pour éviter d'être trompé par un paramètre PRELINKing. 
 
 Si vous utilisez un noyau Linux >= 2.6
-   gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
-   gcc -Wall -O2 --static unhide_rb.c -o unhide_rb
-   gcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c  -o unhide-tcp
-   ln -s unhide unhide-linux
+      gcc -Wall -Wextra -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
+      gcc -Wall -Wextra -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp
+      gcc -Wall -Wextra -O2 --static unhide_rb.c -o unhide_rb
+      ln -s unhide unhide-linux
 
 Sinon (Linux < 2.6, *BSD, Solaris, etc.)
    gcc --static unhide-posix.c -o unhide-posix
diff --git a/NEWS b/NEWS
index 2b10f64..3e7308c 100644
--- a/NEWS
+++ b/NEWS
@@ -3,8 +3,45 @@ Changes since v20220611 :
 
 BUG FIXES
   - Add missing missing double quotes in __credit__ list of unhideGui.py (reported by Afzal sulaiman)
+  - Fix parsing of the outpout of "ps --no-header -eL o lwp,cmd" (REVERSE test) which might cause false positives
+    in some very rare cases if line length is greater than 1023. (reported by @basak from Ubuntu). Replace fgets() with getline()
+  - Fix the same type of error in reading "/proc/PID/cmdline" in hidden process reporting where the displayed cmd line was truncated if longer than 1000.
+  - Fix return checking of atol() function. (reported by @basak from Ubuntu).
+  - Fix lenght of LWP string to accept 32 bit PID. This bug is triggered for PID > 999999 only and has no visible effect before replacing fgets() by getline().
+
+Wextra WARNINGS REMOVAL
+  - Add option -Wextra to build instruction.
+  - Remove "unused parameter" warning in unhide-linux-bruteforce.c:void *functionThread()
+  - Make table pointers global to remove "variable ‘xxx’ might be clobbered by ‘longjmp’ or ‘vfork’" warning.
+  - Use precision specifier in sprintf to avoid useless format-overflow warning
+  - Also build with clang without warnings
 
+ENHANCEMENTS
+  - Add the invalid argument text to "Unknown Argument" message.
+  - Add some tests for last fixes.
+  - Add a few clarifications to the test descriptions 
+  - Clarify some output messsages.
+
+TEST/STATIC ANALYSIS
+  - use of scanbuild with gcc and clang gives 22 warnings:
+      - 2 warnings concerning the use of vfork() : unsafe, possible DDOS --> can't fix: using vfork is the aim of the test :)
+      - 20 warnings about unused initialization value of variables -> won't fix: in my rules all variables are explicitly initialized :)
 
+GUI
+  - Fix a search error in management of group of test commands (threw an exception in a Tkinter event routine, but finally worked as expected by following a convoluted path). 
+  - Search for unhide and unhide-tcp paths instead of use '.' (cwd) : prefered path ./, default path /usr/sbin/ 
+  - Add comment under shebang with alternative path as not all distrib softlink /bin to /usr/bin.
+  - Remove some debug print statement.
+
+HELP FILES
+  - Add "missing" \ (escape) to option dashes. It makes no difference when groff version < 1.23 but it does after (it seems Debian has reverted this change in its version of 
+    groff as it breaks thousands of Linux man pages).
+ 
+MISCELLANEOUS
+  - Add in its displayed header that unhide_rb is unmaintained.
+  - Update version and copyright dates.
+
+  
 Changes since 20210124 :
 **********************
 
@@ -23,7 +60,7 @@ GUI
 
 MISCELLANOUS
   - Update README.txt (build instructions and some document layout)
-  - Clearly indicate in its display header of unhide_rb that it SHOULD NOT be used for serious work.
+  - Clearly indicate in its display header that unhide_rb MUST NOT be used for serious work.
   - Change links in man pages from SourceForge to GitHub, update e-mails addresses, correct some formatting errors
   - Complete contributors list in README/LEEME/LISEZ-MOI
 
diff --git a/README.txt b/README.txt
index 56fab1a..a05b5b4 100644
--- a/README.txt
+++ b/README.txt
@@ -118,7 +118,7 @@ man/fr/unhide-tcp.8 -- French man page of unhide-tcp
       procps
 
 
-IMPORTANT : Notes that, as a forensic tool, unhide is built statically as the host system libraries may be compromised.
+IMPORTANT : Notes that, as a forensic tool, unhide is built statically as the host system libraries may be compromised and to avoid being fooled by a PRELINKing. 
 
 If you ARE using a Linux kernel >= 2.6
       gcc -Wall -Wextra -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
diff --git a/TODO b/TODO
index e4a1ed8..9a76e2a 100644
--- a/TODO
+++ b/TODO
@@ -1,4 +1,8 @@
 [TODO]
+- For Brute force test: add an option to choose the number of checks to do. With the increase of the max process number, duration of brute test becomes very long.
+  So (very) short live processes, appearing and disappearing during the brute test, start to give some false positives even with double check.
+  At least make double check the default.
+  The more the number of runs the less the number of false positives.
 - Integrate -m in other test,
 - Try to factorize the code,
 - More optimizations,
diff --git a/changelog b/changelog
index 2fbc986..c4f1e5c 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,57 @@
+2024-05
+  
+  README.txt, LISEZMOI.txt and LEEME.txt
+  - Add option -Wextra to build instruction.
+
+  unhide.8, unhide-tcp.8, fr/unhide.8, fr/unhide-tcp.8, es/unhide.8, es/unhide-tcp.8 
+  - add mising escpe of dash char. They're needed for recent version of Groff-man macros as they are no more automacically escaped.
+  - update reference date of man pages.
+
+  sanity.sh
+  - Add new tests for testing new fixes.
+  - minors typo corrections of output texts and comments
+  - update © date.
+  
+  unhide-linux-bruteforce.c
+  - Add "__attribute__ ((unused))" to functionThread (void *parametro) in order to suppress -Wextra warning.
+  - Transform allpids and allpids2 variables from brute() function to globals to suppress -Wextra warning (using volatile doesn't work in this case).
+  
+  unhide-linux-compound.c
+  - Replace use of fgets() by call to getline() in order to be able to parse process cmdline of more than 1024 char with digit at 1024th position. (reported by @basak from Ubuntu packaging team).
+  - Fix a buffer overflow detected thanks to the above modification. Previously, the overflow only overwrites stack data which are no more used. It happened only when a process has a PID > 999999. 
+  - Fix error checking of atol().
+  - Add a check to see if the PID is a numerical value, else display a warning (if verbose mode)
+  - Clarify some warning messages.
+  - Increase LWP string in checkallreverse() to accept 32bits PID (20 bits previously)
+  
+  unhide-linux-procfs.c
+  - Add precision (max legth) to %s in format strings to suppress -Wextra warning.
+  - Remove "pragma GCC diagnostic ignored "-Wformat-overflow"
+  
+  unhide-linux.c
+  - Update Copyright notice and version header.
+  - Replace use of fgets() by call to getline() in printbadpid(): display of cmdline could be truncated if their length was > 1023.
+  - Double the size of the buffer used with readlink(): 2000 char, hoping it's enough for all paths :). if not readlink truncates the path to 2000 char.
+  - Clarify some messages.
+  - In case of unknown arg on command line, indicate which one it is in error message.
+
+  unhide-posix.c
+  - Update Copyright notice and version header.
+
+  unhide-tcp.c
+  - Update Copyright notice and version header.
+
+  unhideGui.py
+  - Add a comment with alternative shebang as some distrib don't soft link /bin to /usr/bin. 
+  - Fix search of single test in test group (generate a tkinter exeption, but work anyway).
+  - Search path of unhide-linux / unhide-tcp executables instead of forcing "./" as path.
+  
+  unhide_rb.c
+  - Update Copyright notice and version header.
+  - Fix some typo in displayed header.
+  - Indicate unhibe_rb is no more maintained and must not be used for serious work.
+
+  
 2021-01
   unhide-linux-procfs.c
   - Suppress -Wformat-overflow warning by GCC >= 8.0 in function checkreaddir().
diff --git a/man/es/unhide-tcp.8 b/man/es/unhide-tcp.8
index 8b2575f..7a358fd 100644
--- a/man/es/unhide-tcp.8
+++ b/man/es/unhide-tcp.8
@@ -1,4 +1,4 @@
-.TH "UNHIDE-TCP" "8" "Junio 2022" "Administration commands" ""
+.TH "UNHIDE-TCP" "8" "Maio 2022" "Administration commands" ""
 .SH "NOMBRE"
 unhide\-tcp \(em Herramienta forense para localizar puertos TCP/UDP ocultos
 .SH "SYNOPSIS"
diff --git a/man/es/unhide.8 b/man/es/unhide.8
index 5ea26a3..039fc28 100644
--- a/man/es/unhide.8
+++ b/man/es/unhide.8
@@ -1,4 +1,4 @@
-.TH "UNHIDE" "8" "Junio 2022" "Comandos de administración" ""
+.TH "UNHIDE" "8" "Maio 2024" "Comandos de administración" ""
 .SH "NOMBRE"
 unhide \(em Herramienta forense para descubrir procesos ocultos
 .SH "SINOPSIS"
diff --git a/man/fr/unhide-tcp.8 b/man/fr/unhide-tcp.8
index ba5cf1d..45f71e9 100644
--- a/man/fr/unhide-tcp.8
+++ b/man/fr/unhide-tcp.8
@@ -1,4 +1,4 @@
-.TH "UNHIDE-TCP" "8" "Juin 2022" "Commandes d'administration"
+.TH "UNHIDE-TCP" "8" "Mai 2024" "Commandes d'administration"
 .SH "NOM"
 unhide-tcp \(em outil d'investigation post-mortem pour trouver des ports TCP/UDP cachés
 .SH "SYNOPSIS"
@@ -13,7 +13,7 @@ tous les ports TCP/UDP existants.
 .br
 Note1 : sur FreeBSD et OPENBSD, netstat est systématiquement utilisé iproute2 n'existant pas
 sur ces systèmes. De plus sur FreeBSD, sockstat est utilisé à la place de fuser.
-Note2 : si iproute2 n'est pas installé sur le système, une des option -n ou - s
+Note2 : si iproute2 n'est pas installé sur le système, une des option \-n ou \-s
 DOIT être utilisée sur la ligne de commande.
 .PP
 .SH "OPTIONS"
@@ -21,32 +21,32 @@ DOIT être utilisée sur la ligne de commande.
 \fB\-h\fR
 Affiche l'aide.
 .TP
-\fB\--brief\fR
+\fB\\-\-brief\fR
 N'affiche pas les messages d'avertissement, c'est le comportement par défaut.
 .TP
-\fB\-f --fuser\fR
+\fB\-f \-\-fuser\fR
 Affiche la sortie de fuser (si elle est disponible) pour les ports cachés.
 Sur FreeBSD, affiche, à la place, la sortie de sockstat pour les ports cachés.
 .TP
-\fB\-l --lsof\fR
+\fB\-l \-\-lsof\fR
 Affiche la sortie de lsof (si elle est disponible) pour les ports cachés.
 .TP
-\fB\-n --netstat\fR
+\fB\-n \-\-netstat\fR
 Utilise /bin/netstat au lieu de /sbin/ss. Sur les systèmes où un grand nombre de ports sont ouverts,
 cela peut ralentir le test de façon dramatique.
 .TP
-\fB\-o --log\fR
+\fB\-o \-\-log\fR
 Enregistre les sorties dans un fichier de log (unhide-tcp-AAAA-MM-JJ.log) situé dans le répertoire courant.
 .TP
-\fB\-s --server\fR
+\fB\-s \-\-server\fR
 Utilise une stratégie d'analyse très rapide. Sur un système avec un très grand nombre de ports ouverts,
 c'est des centaines de fois plus rapide que la méthode ss et des dizaines de milliers de fois plus rapide que
 la méthode netstat.
 .TP
-\fB\-V --version\fR
+\fB\-V \-\-version\fR
 Affiche la version et sort
 .TP
-\fB\-v --verbose\fR
+\fB\-v \-\-verbose\fR
 Affichage prolixe, affiche les message d'avertissement (par défaut : ne pas afficher).
 .PP
 .SS "Exit status:"
diff --git a/man/fr/unhide.8 b/man/fr/unhide.8
index 5c06ffa..d22e496 100644
--- a/man/fr/unhide.8
+++ b/man/fr/unhide.8
@@ -1,4 +1,4 @@
-.TH "unhide" "8" "Juin 2022" "Commandes d'administration"
+.TH "unhide" "8" "Mai 2024" "Commandes d'administration"
 .SH "NOM"
 unhide \(em outil d'investigation post\-mortem pour trouver des processus cachés
 .SH "SYNOPSIS"
@@ -16,28 +16,28 @@ détecte les processus cachés en utilisant six techniques principales.
 .PP
 Les options sont uniquement disponibles pour \fBunhide-linux\fR pas pour \fBunhide-posix\fR.
 .TP
-\fB \-d\fR
+\fB\-d\fR
 Effectue un double contrôle dans le test 'brute' pour diminuer l'occurence des faux positifs.
 .TP
-\fB \-f\fR
+\fB\-f\fR
 Enregistre les sorties dans un fichier de log (unhide-linux.log) situé dans le répertoire courant.
 .TP
-\fB \-h\fR
+\fB\-h\fR
 Affichage de l'aide.
 .TP
-\fB \-m\fR
+\fB\-m\fR
 Exécute des contrôles supplémentaires. Pour la version 2012\-03\-17, cette option n'a
 d''effet pour les tests procfs, procall, checkopendir et checkchdir.
 .br
 Elle implique l'option \-v.
 .TP
-\fB \-r\fR
+\fB\-r\fR
 Utilise une version alternative du test sysinfo lors du lancement d'un test standard.
 .TP
-\fB \-V\fR
+\fB\-V\fR
 Affiche la version et sort.
 .TP
-\fB \-v\fR
+\fB\-v\fR
 Affichage prolixe, affiche les message d'avertissement (par défaut : ne pas afficher).
 Cette option peut être répétée plus d'une fois.
 .TP
@@ -86,7 +86,7 @@ Cette technique n'est disponible qu'avec la version unhide\-linux.
 .PP
 La technique \fIreverse\fR consiste à vérifier que tous les threads vus par /bin/ps
 sont également vus dans le procfs et par les appels système. C'est une recherche
-inversée. Elle est destiné à vérifier qu'un rootkit n'a pas tué un outil de sécurité
+inversée. Elle est destiné à vérifier qu'un rootkit n'a pas tué un outil de sécurité 
 (IDS ou autre) et modifié /bin/ps pour lui faire afficher un faux processus à la place.
 .br
 Cette technique n'est disponible qu'avec la version unhide\-linux.
@@ -222,7 +222,7 @@ Test standard :
 unhide sys proc
 .TP
 Test le plus complet :
-unhide -m -d sys procall brute reverse
+unhide \-m \-d sys procall brute reverse
 .SH "BUGS"
 .PP
 Rapportez les bugs de \fBunhide\fR sur le bug tracker de GitHub (https://github.com/YJesus/Unhide/issues)
diff --git a/man/unhide-tcp.8 b/man/unhide-tcp.8
index 46ae799..2e6eb36 100644
--- a/man/unhide-tcp.8
+++ b/man/unhide-tcp.8
@@ -1,4 +1,4 @@
-.TH "UNHIDE-TCP" "8" "June 2022" "Administration commands"
+.TH "UNHIDE-TCP" "8" "May 2024" "Administration commands"
 .SH "NAME"
 unhide-tcp \(em forensic tool to find hidden TCP/UDP ports
 .SH "SYNOPSIS"
@@ -13,40 +13,40 @@ TCP/UDP ports available.
 .br
 Note1 : On FreeBSD ans OpenBSD, netstat is always used as iproute2 doesn't exist
 on these OS. In addition, on FreeBSD, sockstat is used instead of fuser.
-Note2 : If iproute2 is not available on the system, option -n or -s SHOULD be
+Note2 : If iproute2 is not available on the system, option \-n or \-s SHOULD be
 given on the command line.
 .PP
 .SH "OPTIONS"
 .TP
-\fB\-h --help\fR
+\fB\-h \-\-help\fR
 Display help
 .TP
-\fB\--brief\fR
+\fB\-\-brief\fR
 Don't display warning messages, that's the default behavior.
 .TP
-\fB\-f --fuser\fR
+\fB\-f \-\-fuser\fR
 Display fuser output (if available) for the hidden port
 On FreeBSD, instead of fuser command, displays the output of the sockstat command for the hidden port.
 .TP
-\fB\-l --lsof\fR
+\fB\-l \-\-lsof\fR
 Display lsof output (if available) for the hidden port
 .TP
-\fB\-n --netstat\fR
+\fB\-n \-\-netstat\fR
 Use /bin/netstat instead of /sbin/ss. On system with many opened ports, this can
 slow down the test dramatically.
 .TP
-\fB\-s --server\fR
+\fB\-s \-\-server\fR
 Use a very quick strategy of scanning. On system with a lot of opened ports,
 it is hundreds times faster than ss method and ten thousands times faster than
 netstat method.
 .TP
-\fB\-o --log\fR
+\fB\-o \-\-log\fR
 Write a log file (unhide-tcp-AAAA-MM-DD.log) in the current directory.
 .TP
-\fB\-V --version\fR
+\fB\-V \-\-version\fR
 Show version and exit
 .TP
-\fB\-v --verbose\fR
+\fB\-v \-\-verbose\fR
 Be verbose, display warning message (default : don't display).
 This option may be repeated more than once.
 .PP
diff --git a/man/unhide.8 b/man/unhide.8
index c4d8c1f..639c50b 100644
--- a/man/unhide.8
+++ b/man/unhide.8
@@ -1,4 +1,4 @@
-.TH "UNHIDE" "8" "June 2022" "Administration commands"
+.TH "UNHIDE" "8" "May 2024" "Administration commands"
 .SH "NAME"
 unhide \(em forensic tool to find hidden processes
 .SH "SYNOPSIS"
@@ -29,7 +29,7 @@ Display help
 Do more checks. As of 2012\-03\-17 version, this option has only
 effect for the procfs, procall, checkopendir and checkchdir tests.
 .br
-Implies -v
+Implies \-v
 .TP
 \fB\-r\fR
 Use alternate version of sysinfo check in standard tests
@@ -73,7 +73,7 @@ This technique is only available with version unhide\-linux.
 The \fIprocfs\fR technique consists of comparing information
 gathered from /bin/ps with information gathered by walking in the procfs.
 .br
-With \fB-m\fR option, this test makes more checks, see \fIcheckchdir\fR test.
+With \fB\-m\fR option, this test makes more checks, see \fIcheckchdir\fR test.
 .br
 This technique is only available with version unhide\-linux.
 .PP
@@ -103,7 +103,7 @@ This technique is only available with version unhide\-linux.
 The \fIcheckchdir\fR technique consists of comparing information
 gathered from /bin/ps with information gathered by making chdir() in the procfs.
 .br
-With the \fB-m\fR option, it also verify that the thread appears in its
+With the \fB\-m\fR option, it also verify that the thread appears in its
 "leader process" threads list.
 .br
 This technique is only available with version unhide\-linux.
@@ -224,7 +224,7 @@ Standard test:
 unhide sys proc
 .TP
 Deeper test:
-unhide -m -d sys procall brute reverse
+unhide \-m \-d sys procall brute reverse
 .SH "BUGS"
 .PP
 Report \fBunhide\fR bugs on the bug tracker on GitHub (https://github.com/YJesus/Unhide/issues)
diff --git a/sanity-tcp.sh b/sanity-tcp.sh
index 3bae5a0..d7f1e8a 100755
--- a/sanity-tcp.sh
+++ b/sanity-tcp.sh
@@ -2,7 +2,7 @@
 
 #	sanity.sh -- a growing testsuite for unhide-tcp.
 #
-# Copyright (C) 2010-2021 Patrick Gouin.
+# Copyright (C) 2010-2024 Patrick Gouin.
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
diff --git a/sanity.sh b/sanity.sh
index 936368a..1044790 100755
--- a/sanity.sh
+++ b/sanity.sh
@@ -2,7 +2,7 @@
 
 #	sanity.sh -- a growing testsuite for unhide.
 #
-# Copyright (C) 2010-2021 Patrick Gouin.
+# Copyright (C) 2010-2024 Patrick Gouin.
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -22,26 +22,31 @@
 # remove pre-existing local ps
 rm -f ./ps
 
-#test 0
-# Call ps, but add a faked process.
+
+# test 1
+# Call ps, but hide the last line of output
 cat <<EOF
-   Test #0
-   Call ps, but add a faked process.
-   This should show "my_false_proc" as faked process
+   
+   Test #1
+   Call ps, but hide the last line of its output.
+   Usually, this should find no hidden process, as the last
+   process is very often the ps command launched by unhide.
+   This ps is not check by unhide (C version).
 
 EOF
 cat <<EOF >./ps
 #! /bin/bash
 
-/bin/ps "\$@"
-echo 65535  my_false_proc
+/bin/ps "\$@" | head -n-1
 EOF
 chmod 754 ./ps
-PATH=.:$PATH ./unhide-linux -v checksysinfo checksysinfo2
+PATH=.:$PATH ./unhide-linux sys
+
 
 # remove pre-existing local ps
 rm -f ./ps
-# test2
+
+# test 2
 # Don't call ps : let all processes appear hidden
 cat <<EOF
    
@@ -61,62 +66,109 @@ PATH=.:$PATH ./unhide-linux procall
 # remove pre-existing local ps
 rm -f ./ps
 
-# test 1
-# Call ps, but hide the last line of output
+# test 3
+# Call ps, but add a faked process.
 cat <<EOF
-   
-   Test #1
-   Call ps, but hide the last line of its output.
-   Usually, this should find no hidden process, as the last
-   process is very often the ps command launched by unhide.
-   This ps is not check by unhide (C version).
+   Test #3
+   Call ps, but add a faked process.
+   This should show something like:
+   "1 HIDDEN Process Found        sysinfo.procs reports xxx processes and ps sees xxx-1 processes"
+   But due to the large increase in the number of processes in recent years checksysinfo tests take a very long time.
+   Processes therefore have time to appear and disappear making the tests unreliable.
 
 EOF
 cat <<EOF >./ps
 #! /bin/bash
 
-/bin/ps "\$@" | head -n-1
+/bin/ps "\$@"
+echo 65535  my_false_proc
 EOF
 chmod 754 ./ps
-PATH=.:$PATH ./unhide-linux sys
+PATH=.:$PATH ./unhide-linux -v checksysinfo checksysinfo2
 
 
-# remove pre-existing local ps
-rm -f ./ps
-# test2
-# Don't call ps : let all processes appear hidden
+# test 4
+# Call ps, but add a faked process.
 cat <<EOF
    
-   Test #2
-   Don't call ps : let all processes appear hidden.
-   This should find all processes as hidden..
+   Test #4
+   Call ps, but add a faked process.
+   This should show "my_false_proc" as faked process
 
 EOF
 cat <<EOF >./ps
 #! /bin/bash
 
-false
+/bin/ps "\$@"
+echo 65535  my_false_proc
 EOF
 chmod 754 ./ps
-PATH=.:$PATH ./unhide-linux procall
+PATH=.:$PATH ./unhide-linux reverse
 
 # remove pre-existing local ps
 rm -f ./ps
-#test 3
+
+# test 5
 # Call ps, but add a faked process.
 cat <<EOF
    
-   Test #3
+   Test #5
    Call ps, but add a faked process.
-   This should show "my_false_proc" as faked process
+   This should show "my_false_proc" repeated enough times for a length > 1023 as faked process
 
 EOF
 cat <<EOF >./ps
 #! /bin/bash
 
 /bin/ps "\$@"
-echo 65535  my_false_proc
+echo 65535  my_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_00procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_procmy_false_proc
 EOF
 chmod 754 ./ps
 PATH=.:$PATH ./unhide-linux reverse
 
+# remove pre-existing local ps
+rm -f ./ps
+
+
+# test 6
+# Call ps, but add a faked process.
+cat <<EOF
+   
+   Test #6
+   Call ps, but add a faked process with a non numeric PID
+   This should show: "Warning : No numeric pid found on ps output line, skip line"
+
+EOF
+cat <<EOF >./ps
+#! /bin/bash
+
+/bin/ps "\$@"
+echo abcde bad_proc_number
+EOF
+chmod 754 ./ps
+PATH=.:$PATH ./unhide-linux  -v reverse
+
+
+# test 7
+# Call ps, but add a temporary process.
+# not working
+cat <<EOF
+   
+   Test #7
+   Call ps, but add a temporary process 
+   This should show: "Warning : No numeric pid found on ps output line, skip line"
+   This test does not work.
+
+EOF
+unset UNH_PASSAGE
+cat <<'EOF' >./ps
+#! /bin/bash
+/bin/ps "$@"
+if [[ -z "${UNH_PASSAGE}" ]]; then
+   export UNH_PASSAGE=1
+   echo abcde bad_proc_number
+fi
+
+EOF
+chmod 754 ./ps
+PATH=.:$PATH ./unhide-linux  -v quick
diff --git a/ss b/ss
index 4cdbd48..8f124aa 100755
--- a/ss
+++ b/ss
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright (C) 2010-2021 Patrick Gouin.
+# Copyright (C) 2010-2024 Patrick Gouin.
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
diff --git a/ss-ref b/ss-ref
index 1725787..e658a5a 100644
--- a/ss-ref
+++ b/ss-ref
@@ -2,7 +2,7 @@
 
 #	sanity.sh -- a growing testsuite for unhide.
 #
-# Copyright (C) 2010-2021 Patrick Gouin.
+# Copyright (C) 2010-2024 Patrick Gouin.
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
diff --git a/unhide-linux-bruteforce.c b/unhide-linux-bruteforce.c
index 3ee297e..6e1b703 100644
--- a/unhide-linux-bruteforce.c
+++ b/unhide-linux-bruteforce.c
@@ -3,7 +3,7 @@
 */
 
 /*
-Copyright © 2010-2021 Yago Jesus & Patrick Gouin
+Copyright © 2010-2024 Yago Jesus & Patrick Gouin
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -51,7 +51,7 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
  *  Minimalist thread function for brute test.
  *  Set tid with the pid of the created thread. 
  */
-void *functionThread (void *parametro) 
+void *functionThread (__attribute__ ((unused)) void *parametro) 
 {
 
    tid = (pid_t) syscall (SYS_gettid);
@@ -63,11 +63,14 @@ void *functionThread (void *parametro)
  *  pthread_create/pthread_join. All pid which
  *  can't be obtained are check against ps output
  */
+int* allpids ;
+int* allpids2 ;
+
 void brute(void) 
 {
-   int i=0;
-   int* allpids;
-   int* allpids2;
+   volatile int i = 0;
+//   volatile int* allpids = NULL ;
+//   volatile int* allpids2 = NULL ;
    int x;
    int y;
    int z;
@@ -126,7 +129,7 @@ void brute(void)
       // printf("Tested pid : %06d\r", i);
       errno= 0 ;
 
-      if ((vpid = vfork()) == 0) 
+      if ( ( vpid =  vfork() ) == 0) 
       {
          _exit(0);
       }
diff --git a/unhide-linux-compound.c b/unhide-linux-compound.c
index 31f0ee6..55c7434 100644
--- a/unhide-linux-compound.c
+++ b/unhide-linux-compound.c
@@ -3,7 +3,7 @@
 */
 
 /*
-Copyright © 2010-2021 Yago Jesus & Patrick Gouin
+Copyright © 2010-2024 Yago Jesus & Patrick Gouin
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -88,7 +88,6 @@ void checkallquick(void)
       {
          continue;
       }
-      // printf("syspid = %d\n", syspids); //DEBUG
 
       found=0;
       found_killbefore=0;
@@ -218,7 +217,7 @@ void checkallreverse(void)
 {
 
    int ret;
-   int syspids;
+   long int syspids = 0;
    struct timespec tp;
    struct sched_param param;
    cpu_set_t mask;
@@ -228,8 +227,11 @@ void checkallreverse(void)
    int found_killafter = 0;
    FILE *fich_tmp;
    char command[50];
-   char read_line[1024];
-   char lwp[7];
+   // char read_line[1024];
+   char *read_line = NULL;
+   size_t length = 0 ;
+   ssize_t rlen ;
+   char lwp[11];  // extended to 11 char for 32 bit PID
    int  index;
    char directory[100];
    struct stat buffer;
@@ -257,31 +259,36 @@ void checkallreverse(void)
 
    strcpy(directory,"/proc/");
 
-   while (NULL != fgets(read_line, 1024, fich_tmp)) 
+   // while (NULL != fgets(read_line, 1024, fich_tmp)) 
+   while ((rlen = getline(&read_line, &length, fich_tmp)) != -1)
    {
       char* curline = read_line;
 
-      read_line[1023] = 0;
-      read_line[strlen(read_line)-1] = 0;
 
-//    printf("read_line = %s\n", read_line);   // DEBUG
-      while( *curline == ' ' && curline <= read_line+1023) 
+      read_line[rlen] = 0;
+
+      while( *curline == ' ' && curline <= read_line+rlen) 
       {
          curline++;
       }
 
       // get LWP
       index=0;
-      while( isdigit(*curline) && curline <= read_line+1023) 
+      while( isdigit(*curline) && curline <= read_line+rlen) 
       {
          lwp[index++] = *curline;
          curline++;
-      }
+     }
       lwp[index] = 0; // terminate string
 
-      syspids = -1;
       syspids = atol(lwp);
-      if (-1 == syspids) continue ; // something went wrong
+
+      if (0 == syspids) 
+      {
+          errno = 0 ; // this warning should not display previous old error.
+          warnln(verbose, unlog, "No numeric pid found on ps output line, skip line") ;
+          continue ; // something went wrong
+      }
 
       // avoid ourselves
       if (syspids == mypid) 
@@ -361,7 +368,7 @@ void checkallreverse(void)
       ret = kill(syspids, 0);
       if (errno == 0) found_killafter=1;
 
-//    printf("FK_bef = %d FK_aft = %d not_seen = %d\n",found_killbefore, found_killafter, not_seen);  //DEBUG
+      // printf("FK_bef = %d FK_aft = %d not_seen = %d\n",found_killbefore, found_killafter, not_seen);  //DEBUG
       /* these should all agree, except if a process went or came in the middle */
       if (found_killbefore == found_killafter) 
       {
@@ -372,7 +379,7 @@ void checkallreverse(void)
                if (NULL == strstr(curline, REVERSE)) // avoid our spawn ps
                {  
                   // printbadpid should NOT be used here : we are looking for faked process
-                  msgln(unlog, 0, "Found FAKE PID: %i\tCommand = %s not seen by %d sys fonc", syspids, curline, not_seen) ;
+                  msgln(unlog, 0, "Found FAKE PID: %i\tCommand = %s not seen by %d system function(s)", syspids, curline, not_seen) ;
                   found_HP = 1;
                   hidenflag = 1 ;
                }
@@ -383,7 +390,7 @@ void checkallreverse(void)
             if (NULL == strstr(curline, REVERSE))  // avoid our spawned ps
             {  
                // printbadpid should NOT be used here : we are looking for faked process
-               msgln(unlog, 0, "Found FAKE PID: %i\tCommand = %s not seen by %d sys fonc", syspids, curline, not_seen + 2) ;
+               msgln(unlog, 0, "Found FAKE PID: %i\tCommand = %s not seen by %d system function(s)", syspids, curline, not_seen + 2) ;
                found_HP = 1;
                hidenflag = 1 ;
             }
@@ -395,6 +402,12 @@ void checkallreverse(void)
          warnln(verbose, unlog, "reverse test skipped for PID %d", syspids) ;
       }
    }
+
+      free(read_line) ;
+
+   if (rlen == -1)
+      warnln(verbose, unlog, "Something went wrong with getline reading pipe, reverse test stopped at PID %ld\n", syspids) ;
+   
    if (humanfriendly == TRUE)
    {
       if (hidenflag == 0)
diff --git a/unhide-linux-procfs.c b/unhide-linux-procfs.c
index 65d3949..c235d05 100644
--- a/unhide-linux-procfs.c
+++ b/unhide-linux-procfs.c
@@ -3,7 +3,7 @@
 */
 
 /*
-Copyright © 2010-2021 Yago Jesus & Patrick Gouin
+Copyright © 2010-2024 Yago Jesus & Patrick Gouin
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -183,7 +183,7 @@ void checkchdir(void)
             {   // if the thread isn't the master thread (process)
                char  new_directory[100];
 
-               sprintf(new_directory,"/proc/%s/task/%d", tmp_pids, procpids) ;
+               sprintf(new_directory,"/proc/%.10s/task/%d", tmp_pids, procpids) ;
                // count++;    // DEBUG
                // printf("new_dir = %s\n", new_directory);   // DEBUG
                statusdir = chdir(new_directory) ;
@@ -316,7 +316,7 @@ void checkopendir(void)
                char  new_directory[100] ;
                DIR*  statdir;
                
-               sprintf(new_directory,"/proc/%s/task/%d", tmp_pids, procpids) ;
+               sprintf(new_directory,"/proc/%.10s/task/%d", tmp_pids, procpids) ;
                // count++;    // DEBUG
                // printf("new_dir = %s\n", new_directory);   // DEBUG
                // errno = 0;
@@ -401,14 +401,14 @@ void checkreaddir(void)
 
       // Warning here as gcc can't know that directory (task number) contains far less than 94 char.
       // max PID = 2³32 - 1 has  11 digits max
-#ifdef __GNUC__
-   #pragma GCC diagnostic push
-   #pragma GCC diagnostic ignored "-Wformat-overflow="
-#endif
-      sprintf(&task[6], "%s/task", directory) ;
-#ifdef __GNUC__
-   #pragma GCC diagnostic pop
-#endif
+// #ifdef __GNUC__
+//    #pragma GCC diagnostic push
+//    #pragma GCC diagnostic ignored "-Wformat-overflow="
+// #endif
+      sprintf(&task[6], "%.10s/task", directory) ;
+// #ifdef __GNUC__
+//    #pragma GCC diagnostic pop
+// #endif
 //    printf("task : %s", task) ; // DEBUG
       taskdir = opendir(task);
       if (NULL == taskdir) 
diff --git a/unhide-linux-syscall.c b/unhide-linux-syscall.c
index 61ce7eb..1bb06b0 100644
--- a/unhide-linux-syscall.c
+++ b/unhide-linux-syscall.c
@@ -3,7 +3,7 @@
 */
 
 /*
-Copyright © 2010-2021 Yago Jesus & Patrick Gouin
+Copyright © 2010-2024 Yago Jesus & Patrick Gouin
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
diff --git a/unhide-linux.c b/unhide-linux.c
index 3d78805..139e2a1 100644
--- a/unhide-linux.c
+++ b/unhide-linux.c
@@ -3,7 +3,7 @@
 */
 
 /*
-Copyright © 2010-2021 Yago Jesus & Patrick Gouin
+Copyright © 2010-2024 Yago Jesus & Patrick Gouin
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -51,8 +51,8 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 // header
 const char header[] =
-   "Unhide 20211016\n"
-   "Copyright © 2010-2021 Yago Jesus & Patrick Gouin\n"
+   "Unhide 20240509\n"
+   "Copyright © 2010-2024 Yago Jesus & Patrick Gouin\n"
    "License GPLv3+ : GNU GPL version 3 or later\n"
    "http://www.unhide-forensics.info\n\n"
    "NOTE : This version of unhide is for systems using Linux >= 2.6 \n\n";
@@ -279,7 +279,11 @@ void printbadpid (int tmppid)
    char cmd[100] ;
    struct stat buffer;
    FILE *cmdfile ;
-   char cmdcont[1000], fmtstart[128];
+   // char cmdcont[1000], fmtstart[128];
+   char *cmdcont = NULL, fmtstart[128];
+   size_t cmdlen = 0 ;
+   ssize_t readl ;
+   char linkcont[2000];
    int cmdok = 0 ;
 
    found_HP = 1;
@@ -287,7 +291,7 @@ void printbadpid (int tmppid)
    msgln(unlog, 0, "%s", fmtstart) ;
 
    sprintf(cmd,"/proc/%i/cmdline",tmppid);
-
+   
    statuscmd = stat(cmd, &buffer);
 // statuscmd = 0 ;  // DEBUG
 
@@ -296,11 +300,20 @@ void printbadpid (int tmppid)
       cmdfile=fopen (cmd, "r") ;
       if (cmdfile != NULL) 
       {
-         while ((NULL != fgets (cmdcont, 1000, cmdfile)) && 0 == cmdok)
+         ssize_t ret ;
+         while ((-1 != (ret = getline (&cmdcont, &cmdlen, cmdfile))) && 0 == cmdok)
          {
             cmdok++ ;
             msgln(unlog, 0, "\tCmdline: \"%s\"", cmdcont) ;
          }
+
+         free(cmdcont) ;
+         cmdcont = NULL;
+         cmdlen = 0 ;
+
+         if (ret == -1)
+            warnln(verbose, unlog, "Something went wrong with getline reading pipe") ;
+
          fclose(cmdfile);
       }
    }
@@ -319,13 +332,13 @@ void printbadpid (int tmppid)
       {
          ssize_t length ;
 
-         length = readlink(cmd, cmdcont, 1000) ;
+         length = readlink(cmd, linkcont, 2000) ;
          // printf("\tLength : %0d\n",(int)length) ; //DEBUG
          if (-1 != length) 
          {
-            cmdcont[length] = 0;   // terminate the string
+            linkcont[length] = 0;   // terminate the string
             cmdok++;
-            msgln(unlog, 0, "\tExecutable: \"%s\"", cmdcont) ;
+            msgln(unlog, 0, "\tExecutable: \"%s\"", linkcont) ;
          }
          else
          {
@@ -349,17 +362,17 @@ void printbadpid (int tmppid)
             int cmdok2 = 0 ;
 
             // printf("\tCmdFile : %s\n",cmd) ; //DEBUG
-            while ((NULL != fgets (cmdcont, 1000, cmdfile)) && 0 == cmdok2) 
+            while ((-1 != (readl = getline (&cmdcont, &cmdlen, cmdfile))) && 0 == cmdok2) 
             {
                // EXPLAIN-ME : why do we use a while and then read only one line ?
                cmdok2++; 
                
                // printf("\tLastChar : %x\n",cmdcont[strlen(cmdcont)]) ; //DEBUG
-               if (cmdcont[strlen(cmdcont)-1] == '\n')
+               if (cmdcont[readl-1] == '\n')
                {
-                  cmdcont[strlen(cmdcont)-1] = 0 ;  // get rid of newline
+                  cmdcont[readl-1] = 0 ;  // get rid of newline
                }
-               if (0 == cmdok) // it is a kthreed : add brackets
+               if (0 == cmdok) // it is a kthread (no cmdline, no link): add brackets
                {
                   msgln(unlog, 0, "\tCommand: \"[%s]\"", cmdcont) ;
                }
@@ -369,6 +382,11 @@ void printbadpid (int tmppid)
                }
               
             }
+
+            free(cmdcont) ;
+            cmdcont = NULL;
+            cmdlen = 0 ;
+
             fclose(cmdfile);
          }
          else
@@ -378,7 +396,7 @@ void printbadpid (int tmppid)
       }
       else 
       {
-         msgln(unlog, 0, "\t\"<none>  ... maybe a transitory process\"") ;
+         msgln(unlog, 0, "\t\"<No comm file>\"  ... maybe a transitory process\"") ;
       }
    }
    // try to print some useful info about the hidden process
@@ -399,16 +417,20 @@ void printbadpid (int tmppid)
             warnln(verbose, unlog, "\tCouldn't read USER for pid %d", tmppid) ;
          }
 
-         if (NULL != fgets(cmdcont, 30, fich_tmp)) 
+         if (-1 != (readl = getline (&cmdcont, &cmdlen, fich_tmp)))
          {
-            cmdcont[strlen(cmdcont)-1] = 0 ;  // get rid of newline
+            cmdcont[readl-1] = 0 ;  // get rid of newline
             msgln(unlog, 0, "\t$%s", cmdcont) ;
          }
          else
          {
-            msgln(unlog, 0, "\t$USER=<undefined>", cmdcont) ;
+            // msgln(unlog, 0, "\t$USER=<undefined>", cmdcont) ;
+            msgln(unlog, 0, "\t$USER=<undefined>") ;
          }
-         pclose(fich_tmp);
+         free(cmdcont) ;
+         cmdcont = NULL ;
+         cmdlen = 0 ;
+         pclose(fich_tmp) ;
 
          sprintf(cmd,"cat /proc/%i/environ | tr \"\\0\" \"\\n\" | grep -w 'PWD'",tmppid) ;
          // printf(cmd) ;
@@ -418,15 +440,19 @@ void printbadpid (int tmppid)
             warnln(verbose, unlog, "\tCouldn't read PWD for pid %d", tmppid) ;
          }
 
-         if (NULL != fgets(cmdcont, 30, fich_tmp)) 
+         if (-1 != (readl = getline (&cmdcont, &cmdlen, fich_tmp))) 
          {
-            cmdcont[strlen(cmdcont)-1] = 0 ;  // get rid of newline
+            cmdcont[readl-1] = 0 ;  // get rid of newline
             msgln(unlog, 0, "\t$%s", cmdcont) ;
          }
          else
          {
-            msgln(unlog, 0, "\t$PWD=<undefined>", cmdcont) ;
+            // msgln(unlog, 0, "\t$PWD=<undefined>", cmdcont) ;
+            msgln(unlog, 0, "\t$PWD=<undefined>") ;
          }
+         free(cmdcont) ;
+         cmdcont = NULL;
+         cmdlen = 0 ;
          pclose(fich_tmp);
 
    //      printf("Done !\n");
@@ -731,7 +757,7 @@ void parse_args(int argc, char **argv)
       }
       else 
       { 
-         printf("Unknown argument\n") ; usage(argv[0]); exit(0);
+         printf("Unknown argument: %s\n", argv[index]) ; usage(argv[0]); exit(0);
          fflush(stdout) ;
       }
    }
diff --git a/unhide-linux.h b/unhide-linux.h
index e78577f..31a80fd 100644
--- a/unhide-linux.h
+++ b/unhide-linux.h
@@ -3,7 +3,7 @@
 */
 
 /*
-Copyright © 2010-2021 Yago Jesus & Patrick Gouin
+Copyright © 2010-2024 Yago Jesus & Patrick Gouin
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
diff --git a/unhide-output.c b/unhide-output.c
index 2d5a834..ef0dff0 100644
--- a/unhide-output.c
+++ b/unhide-output.c
@@ -3,7 +3,7 @@
 */
 
 /*
-Copyright © 2010-2021 Yago Jesus & Patrick Gouin
+Copyright © 2010-2024 Yago Jesus & Patrick Gouin
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
diff --git a/unhide-output.h b/unhide-output.h
index a96d377..3582d99 100644
--- a/unhide-output.h
+++ b/unhide-output.h
@@ -3,7 +3,7 @@
 */
 
 /*
-Copyright © 2010-2021 Yago Jesus & Patrick Gouin
+Copyright © 2010-2024 Yago Jesus & Patrick Gouin
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
diff --git a/unhide-posix.c b/unhide-posix.c
index 6f1d191..18cbba6 100644
--- a/unhide-posix.c
+++ b/unhide-posix.c
@@ -3,7 +3,7 @@
 */
 
 /*
-Copyright © 2010-2021 Yago Jesus & Patrick Gouin
+Copyright © 2010-2024 Yago Jesus & Patrick Gouin
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -220,8 +220,8 @@ void checkgetsid() {
 
 int main (int argc, char *argv[]) {
 
-	strncpy(scratch,"Unhide-posix 20211016\n", sizeof(scratch)-1) ;
-	strncat(scratch, "Copyright © 2013-2021 Yago Jesus & Patrick Gouin\n", sizeof(scratch)-strlen(scratch)-1);
+	strncpy(scratch,"Unhide-posix 20240509\n", sizeof(scratch)-1) ;
+	strncat(scratch, "Copyright © 2013-2024 Yago Jesus & Patrick Gouin\n", sizeof(scratch)-strlen(scratch)-1);
 	strncat(scratch, "License GPLv3+ : GNU GPL version 3 or later\n", sizeof(scratch)-strlen(scratch)-1);
 	strncat(scratch, "http://www.unhide-forensics.info\n\n", sizeof(scratch)-strlen(scratch)-1);
 	strncat(scratch, "NOTE : This is legacy version of unhide, it is intended\n\
diff --git a/unhide-tcp-fast.c b/unhide-tcp-fast.c
index a98f1d9..aa22e5d 100644
--- a/unhide-tcp-fast.c
+++ b/unhide-tcp-fast.c
@@ -3,7 +3,7 @@
 */
 
 /*
-Copyright © 2010-2021 Yago Jesus & Patrick Gouin
+Copyright © 2010-2024 Yago Jesus & Patrick Gouin
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
diff --git a/unhide-tcp.c b/unhide-tcp.c
index 7f193ac..688c5cd 100644
--- a/unhide-tcp.c
+++ b/unhide-tcp.c
@@ -3,7 +3,7 @@
 */
 
 /*
-Copyright © 2010-2021 Yago Jesus & Patrick Gouin
+Copyright © 2010-2024 Yago Jesus & Patrick Gouin
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -38,8 +38,8 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 // header
 const char header[] =
-       "Unhide-tcp 20211016\n"
-       "Copyright © 2013-2021 Yago Jesus & Patrick Gouin\n"
+       "Unhide-tcp 20240509\n"
+       "Copyright © 2010-2024 Yago Jesus & Patrick Gouin\n"
        "License GPLv3+ : GNU GPL version 3 or later\n"
        "http://www.unhide-forensics.info\n";
 
diff --git a/unhide-tcp.h b/unhide-tcp.h
index c75359f..e1ba824 100644
--- a/unhide-tcp.h
+++ b/unhide-tcp.h
@@ -3,7 +3,7 @@
 */
 
 /*
-Copyright © 2010-2021 Yago Jesus & Patrick Gouin
+Copyright © 2010-2024 Yago Jesus & Patrick Gouin
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
diff --git a/unhideGui.py b/unhideGui.py
index 6965e91..13f986b 100755
--- a/unhideGui.py
+++ b/unhideGui.py
@@ -1,7 +1,8 @@
 #!/bin/python3
+# #!/usr/bin/python3
 
 """
-Copyright © 2020-2022 Patrick Gouin
+Copyright © 2020-2024 Patrick Gouin
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -18,10 +19,10 @@
 
 """
 __author__ = "Patrick Gouin"
-__copyright__ = "Copyright 2020-2022, Patrick Gouin"
+__copyright__ = "Copyright 2020-2024, Patrick Gouin"
 __credits__ = ["daichifukui", "Afzal sulaiman"]
 __license__ = "GPL V3"
-__version__ = "1.2"
+__version__ = "1.3"
 __maintainer__ = "Patrick Gouin"
 __email__ = "patrickg.github@free.fr"
 __status__ = "Production"
@@ -129,7 +130,6 @@ def CheckCtest(idx) :
     ctest_state = CTestBut[idx][VARB].get()
     if ctest_state == '1':
         if ctest in TestGroupList :
-            print('Ctest in TestGroupList')
             for etest in TestGroupList[ctest] :
                 for count, l in enumerate(ElementaryTestsList) :
                     if etest in l :
@@ -170,7 +170,11 @@ def CheckEtest(idx) :
                     if ETestBut[idx_e][VARB].get() == '1' :
                         nb += 1
                 if nb == len(TestGroupList[key]) :
-                    idx_c = StandardTestsList.index(key)
+#                    idx_c = StandardTestsList.index(key)
+                    for count, l in enumerate(StandardTestsList) :
+                        if key in l :
+                            idx_c = count
+                            break
                     CTestBut[idx_c][VARB].set(1)
     GenCmd()
 
@@ -187,7 +191,7 @@ def TabEvent(event) :
     
 
 def GenCmd() :
-    Cmd = './unhide-linux '
+    Cmd = unhPath
     idx = 0
     for opt in OptionBut :
         if opt[VARB].get() == '1' :
@@ -209,7 +213,7 @@ def GenCmd() :
     CmdText.config(width = len(Cmd))
         
 def GenTcpCmd() :
-    Cmd = './unhide-tcp '
+    Cmd = unhtcpPath
     idx = 0
     for opt in TcpOptionBut :
         if opt[VARB].get() == '1' :
@@ -456,6 +460,22 @@ def RunCmd_2() :
 screen_height = root.winfo_screenheight()
 root.geometry('+%d+%d' % (screen_width/3, screen_height/3))
 
+# look for unhide path
+# we prefer the local version
+if os.path.exists("./unhide-linux") :
+    unhPath = "./unhide-linux "
+elif os.path.exists("./sbin/unhide-linux") :
+    unhPath = "./sbin/unhide-linux "
+else :
+    unhPath = "./usr/sbin/unhide-linux "
+
+if os.path.exists("./unhide-tcp") :
+    unhtcpPath = "./unhide-tcp "
+elif os.path.exists("./sbin/unhide-tcp") :
+    unhtcpPath = "./sbin/unhide-tcp "
+else :
+    unhtcpPath = "./usr/sbin/unhide-tcp "
+
 
 root.update()
 
diff --git a/unhide_rb.c b/unhide_rb.c
index 369948c..b331da6 100644
--- a/unhide_rb.c
+++ b/unhide_rb.c
@@ -3,7 +3,7 @@
 */
 
 /*
-Copyright © 2010-2021 Yago Jesus & Patrick Gouin
+Copyright © 2010-2024 Yago Jesus & Patrick Gouin
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -526,31 +526,32 @@ int main (int argc, char *argv[])
    int found_something = FALSE ;
    int phase1_ko = FALSE ;
 
-	strncpy(scratch,"Unhide_rb 20211016\n", sizeof(scratch)-1) ;
+	strncpy(scratch,"Unhide_rb 20240509\n", sizeof(scratch)-1) ;
 
-	strncat(scratch, "Copyright © 2013-2021 Yago Jesus & Patrick Gouin\n", sizeof(scratch)-strlen(scratch)-1);
+	strncat(scratch, "Copyright © 2013-2024 Yago Jesus & Patrick Gouin\n", sizeof(scratch)-strlen(scratch)-1);
 	strncat(scratch, "License GPLv3+ : GNU GPL version 3 or later\n", sizeof(scratch)-strlen(scratch)-1);
 	strncat(scratch, "http://www.unhide-forensics.info\n\n", sizeof(scratch)-strlen(scratch)-1);
 	strncat(scratch, "NOTE : This version of unhide_rb is for systems using Linux >= 2.6 \n\n", sizeof(scratch)-strlen(scratch)-1);
 	strncat(scratch, "WARNING : \n", sizeof(scratch)-strlen(scratch)-1);
 	strncat(scratch, "TL;DR : This tool is a P.O.F. (proof of fake).\n", sizeof(scratch)-strlen(scratch)-1);
+	strncat(scratch, "        It's not maintained any more.\n\n", sizeof(scratch)-strlen(scratch)-1);
 	strncat(scratch, "        DON'T USE IT for serious work.\n\n", sizeof(scratch)-strlen(scratch)-1);
 	strncat(scratch, " Back in time, the Dev of unhide.rb pretends that his tool, written in ruby\n", sizeof(scratch)-strlen(scratch)-1);
 	strncat(scratch, " do the same checks that unhide-linux, which is written in C, but is 10 times faster.\n", sizeof(scratch)-strlen(scratch)-1);
 	strncat(scratch, " This was evidently false:\n", sizeof(scratch)-strlen(scratch)-1);
 	strncat(scratch, " - unhide.rb makes less tests,\n", sizeof(scratch)-strlen(scratch)-1);   
 	strncat(scratch, " - unhide.rb tests are less accurate,\n", sizeof(scratch)-strlen(scratch)-1);
-	strncat(scratch, " - unhide.rb displays only displays minimal information about hidden processes,\n", sizeof(scratch)-strlen(scratch)-1);
-	strncat(scratch, " - unhide.rb find lot of false positives when processes number is high,\n", sizeof(scratch)-strlen(scratch)-1);
-	strncat(scratch, " - unhide.rb find lot of false positives when there are short live processes,\n", sizeof(scratch)-strlen(scratch)-1);
-	strncat(scratch, " - unhide.rb don't log results of tests,\n", sizeof(scratch)-strlen(scratch)-1);
+	strncat(scratch, " - unhide.rb  only outputs minimal information about hidden processes,\n", sizeof(scratch)-strlen(scratch)-1);
+	strncat(scratch, " - unhide.rb finds lot of false positives when processes number is high,\n", sizeof(scratch)-strlen(scratch)-1);
+	strncat(scratch, " - unhide.rb finds lot of false positives when there are short live processes,\n", sizeof(scratch)-strlen(scratch)-1);
+	strncat(scratch, " - unhide.rb doesn't log results of tests,\n", sizeof(scratch)-strlen(scratch)-1);
 	strncat(scratch, " - and so on.\n", sizeof(scratch)-strlen(scratch)-1);
 	strncat(scratch, " In order to verify assertion about speed, I backported unhide.rb to C language,\n", sizeof(scratch)-strlen(scratch)-1);
 	strncat(scratch, " in the more straight/dummy way:\n", sizeof(scratch)-strlen(scratch)-1);
 	strncat(scratch, " No optimisation, translation from line to line, exactly the same tests and treatments.\n", sizeof(scratch)-strlen(scratch)-1);
 	strncat(scratch, " The result is native unhide_rb.\n", sizeof(scratch)-strlen(scratch)-1);
 	strncat(scratch, " It is ONE THOUSAND times faster that the original ruby unhide.rb\n\n", sizeof(scratch)-strlen(scratch)-1);
-	strncat(scratch, " So, don't rely neither on unhide.rb nor on unhide_rb, they are just toys ! \n", sizeof(scratch)-strlen(scratch)-1);
+	strncat(scratch, " SO, DON'T RELY NEITHER ON UNHIDE.RB NOR ON UNHIDE_RB, THEY ARE JUST TOYS ! \n", sizeof(scratch)-strlen(scratch)-1);
 	strncat(scratch, " For a quick but quite accurate test, use the command 'unhide-linux quick reverse'\n\n", sizeof(scratch)-strlen(scratch)-1);