False Positive in Debian

Anonymous
2012-05-30
2013-05-26
  • Anonymous - 2012-05-30

    Hello,
    I have just executed the tool in Debian, and I think that it is generating a false positive (I have checked the tool on several machines). The kernel that I am using is 3.2.0-2-amd64. I have used the Debian version of unhide (the one downloaded with apt), and I have also tried the latest version published on SourceForge.

    The execution is as follows:

    >>unhide checksysinfo2 (it happens also with checksysinfo)

    Unhide 20110113
    http://www.unhide-forensics.info
    Searching for Hidden processes through sysinfo() scanning

    HIDDEN Processes Found: 1       sysinfo.procs = 384   ps_count = 385

    If you need any other information please contact me (carlossegurag@gmail.com)

    P.S. Very nice tool

     
  • Patrick G.

    Patrick G. - 2012-06-03

    Hi,

    That's a known problem with the checksysinfo(2) test.
    It used to happen with modified kernels (BFS scheduler, RT_PREEMPT patch for example).
    I suppose Debian doesn't modify the kernel, so in your case it's probably due to the time needed to count
    the processes reported by the ps command via the pipe.
    A short-lived process has certainly run during the test.
    There's no real solution to this problem, but there is a workaround.
    Using verbose mode will show if the number of processes changes during the test (but may report even more false positives).

    # ./unhide-linux -v checksysinfo
    Unhide 20120318
    Copyright © 2012 Yago Jesus & Patrick Gouin
    License GPLv3+ : GNU GPL version 3 or later
    http://www.unhide-forensics.info
    NOTE : This version of unhide is for systems using Linux >= 2.6 
    [*]Searching for Hidden processes through sysinfo() scanning
                    WARNING : info.procs changed during test : 270 (was 269)
                    WARNING : info.procs changed during test : 269 (was 270)
    

    This option permits you to differentiate false positives from true ones.
    Note: As you can see in the above example, the ps command may or may not see this short process, depending on when it happens during the ps work.

    Cheers,

    Patrick
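
As an added example (not unhide's own code), this is the comparison Patrick describes, with the kernel count sampled before and after the user-space count so that a change between the two samples is reported as an unstable measurement rather than a hidden process. It assumes Linux with /proc mounted; since sysinfo().procs is the kernel's thread count, the user-space side counts /proc/<pid>/task entries rather than plain processes.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <sys/sysinfo.h>

enum verdict { CLEAN, HIDDEN, UNSTABLE };

/* Kernel-side count: sysinfo().procs is nr_threads, i.e. threads not processes. */
static long kernel_thread_count(void) {
    struct sysinfo si;
    return sysinfo(&si) == 0 ? (long)si.procs : -1;
}

/* User-space count: one entry per /proc/<pid>/task/<tid>, to match nr_threads. */
static long proc_thread_count(void) {
    DIR *proc = opendir("/proc");
    if (!proc) return -1;
    long total = 0;
    struct dirent *e;
    while ((e = readdir(proc)) != NULL) {
        char path[64];
        if (!isdigit((unsigned char)e->d_name[0])) continue;
        snprintf(path, sizeof path, "/proc/%s/task", e->d_name);
        DIR *task = opendir(path);
        if (!task) continue;                 /* exited while we were scanning */
        for (struct dirent *t; (t = readdir(task)) != NULL;)
            if (isdigit((unsigned char)t->d_name[0])) total++;
        closedir(task);
    }
    closedir(proc);
    return total;
}

/* Kernel count sampled before and after the user-space count: if it moved, or
 * user space saw more than the kernel, a short-lived process crossed the run. */
static enum verdict classify(long before, long after, long counted) {
    if (before != after || counted > before) return UNSTABLE;
    if (counted < before) return HIDDEN;     /* kernel knows threads /proc lacks */
    return CLEAN;
}

int main(void) {
    long before = kernel_thread_count();
    long counted = proc_thread_count();
    long after = kernel_thread_count();
    static const char *name[] = { "clean", "HIDDEN", "unstable, re-run" };
    printf("sysinfo.procs=%ld /proc threads=%ld -> %s\n",
           after, counted, name[classify(before, after, counted)]);
    return 0;
}
```

An "unstable" verdict is the case shown in Patrick's verbose output above; re-running until the two samples agree is the practical way to separate it from a real discrepancy.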

     
  • Chris

    Chris - 2013-05-10

    Hi,

    I had the same problem with unhide 20110113-4 on Debian wheezy and can confirm that this is fixed with unhide 20121229-1 from Debian testing.

     
    • Patrick G.

      Patrick G. - 2013-05-26

      Hi,

      I'm sorry to say that, but it is not fixed in any version of unhide. There's nothing that can be done, except maybe including the 'ps' source code in unhide and stopping scheduling :).

      Starting with the 20121229 version we removed the sysinfo test from the quick and sys compound tests to avoid false positives, but if sysinfo or sysinfo2 is given on the command line, the FP can occur (it's quite random; it never appears on my machine with kernels from 2.6.14 to 3.4.45).

      BTW, version 20130526 has just been released. Nothing fancy though, just minor bug fixes and preparation for packaging under *BSD.

      Regards.

       
