/*
 *  0x333-hpl.c hidden pid list
 *
 *  checks pids in /proc and compares them with the output given by ps aux.
 *
 *  there are many techniques that make a stealth process invisible in /proc too.
 *
 *  this is a simple tool that can be used to find pids hidden by software-level (userland) rootkits, not by LKM rootkits.
 *
 *  coded by nsn
 *
 *  ~ www.0x333.org ~
 *
 */

/* Make <stdio.h> declare the POSIX popen()/pclose() pair even under strict ISO C modes. */
#define _POSIX_C_SOURCE 200809L

#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Exclusive upper bound for the PID scan (0x8000 = 32768).
 * NOTE(review): a kernel can be configured with a larger pid_max
 * (/proc/sys/kernel/pid_max); PIDs at or above this constant are never
 * examined when it is used as the scan bound.
 */
#define MAXPID 0x8000
     
 /* returns -1 if the size cannot be obtained */

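/*
 * Return the size in bytes of the file at `path`, or -1 when it cannot be
 * determined (the file cannot be opened, or the seek/tell fails).
 *
 * `stream` is kept for interface compatibility only: the value passed in is
 * ignored and the parameter is reused as the local handle, which is always
 * closed before returning.
 */
long 
FileSize (char *path, FILE *stream)
{
   long length = -1;

    stream = fopen(path, "r");
    if (stream == NULL)
       return -1;

    /* ftell() only reports the size if the seek to the end succeeded. */
    if (fseek(stream, 0L, SEEK_END) == 0)
       length = ftell(stream);

    fclose(stream);

 return (length < 0) ? -1 : length;
}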
 
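/*
 * Print every PID that answers under /proc/<pid>/cmdline but is missing from
 * the PID column of `ps aux`.
 *
 * The ps snapshot is read once through a pipe into an in-memory table. The
 * earlier approach rewrote a file named "proc" in the current directory with
 * `cat proc | grep ... > proc`; the shell truncates the redirect target while
 * cat is still reading it, so the comparison was unreliable, and a fixed file
 * name in the working directory can be pre-created (e.g. as a symlink) by
 * another local user when the tool runs with elevated privileges.
 *
 * Caveats for whoever reads the report:
 *  - ps and awk are resolved through PATH; run with a trusted PATH.
 *  - A process started after the ps snapshot shows up as "hidden".
 *  - NOTE(review): on Linux, thread IDs are reachable as /proc/<tid> although
 *    `ps aux` lists only thread-group leaders, so threads of multi-threaded
 *    programs are likely reported too -- confirm against /proc/<pid>/status.
 *
 * Returns 0 on success, 1 if the ps snapshot could not be obtained.
 */
int
main (void)
{
  FILE *stream;
  char path[50], cmdline[50], line[64];
  char *end;
  unsigned char *listed;
  long limit = MAXPID, pid;
  size_t got, k, nlisted = 0;

  /* Use the kernel's configured PID ceiling when readable, so PIDs at or
     above MAXPID are not a blind spot; fall back to MAXPID otherwise. */
  if ((stream = fopen("/proc/sys/kernel/pid_max", "r"))) {
     if (fscanf(stream, "%ld", &pid) == 1 && pid > 1)
        limit = pid;
     fclose(stream);
  }

  /* listed[p] != 0  <=>  ps reported PID p */
  listed = calloc((size_t) limit, 1);
  if (listed == NULL) {
     perror("calloc");
     return 1;
  }

  stream = popen("ps aux | awk '{print $2}'", "r");
  if (stream == NULL) {
     perror("popen");
     free(listed);
     return 1;
  }

  while (fgets(line, sizeof(line), stream)) {
     /* The "PID" header line and any non-numeric line fail the end check. */
     pid = strtol(line, &end, 10);
     if (end != line && pid > 0 && pid < limit) {
        listed[pid] = 1;
        ++nlisted;
     }
  }
  pclose(stream);

  /* An empty snapshot would flag every process as hidden; refuse instead. */
  if (nlisted == 0) {
     fprintf(stderr, "[!] could not read any pid from ps output\n");
     free(listed);
     return 1;
  }

  printf("\n[*] Listing hidden process\n");
  printf("\n[*] PID\t\t\tCMDLINE\n\n");

  for (pid = 1; pid < limit; ++pid) {

      if (listed[pid])
         continue;

      snprintf(path, sizeof(path), "/proc/%ld/cmdline", pid);

      if (!(stream = fopen(path, "r")))
         continue;

      /* Read at most sizeof-1 bytes so the buffer is always terminated. */
      got = fread(cmdline, 1, sizeof(cmdline) - 1, stream);
      fclose(stream);
      cmdline[got] = '\0';

      /* Arguments are NUL-separated: drop trailing NULs, join the rest with
         spaces, and mask non-printable bytes, since the text comes from the
         inspected process and is written to the operator's terminal. */
      while (got > 0 && cmdline[got - 1] == '\0')
         --got;
      for (k = 0; k < got; ++k) {
         if (cmdline[k] == '\0')
            cmdline[k] = ' ';
         else if (!isprint((unsigned char) cmdline[k]))
            cmdline[k] = '?';
      }

      printf("[*] %ld\t\t\t%s\n", pid, cmdline);
  }

  free(listed);

  printf("\n[*] End list hidden process\n\n");  

  return 0;
}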

/* EOF */
