A lightweight, dependency-free Python script for detecting hidden Linux processes or rootkits.
Shadow Detect is a simple security tool designed for production environments where installing binary tools like unhide or rkhunter is difficult or restricted. It implements the "brute-force" detection technique to identify processes that exist in the kernel but are hidden from the system.
- Zero Dependencies: Uses only the Python 3 standard library. No pip install required.
- Production Safe: Does not modify system files; it only performs read operations and benign system calls.
- Lightweight: Single script file, easy to audit and deploy.
- Cross-Referencing: Detects discrepancies between the kernel scheduler and the /proc filesystem.
Linux rootkits often hide processes by hooking system calls (such as getdents) to filter specific PIDs out of directory listings. This makes the malicious process invisible to standard tools like ls, ps, and top. Shadow Detect bypasses these hooks using the following logic:
- Brute Force PIDs: It iterates through every possible PID (from 1 to pid_max).
- Kernel Probe: It sends the null signal, kill(pid, 0), to check whether the PID is active in the kernel scheduler.
- Diffing: If the kernel confirms the PID exists, but the corresponding directory /proc/[PID] is missing, the process is flagged as hidden.
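The three steps above, written out as an added example (this is not the Shadow Detect script itself, which is not shown on this page). It assumes the standard Linux /proc layout and root for a complete scan, and it also handles two cases the steps leave implicit: thread IDs, which answer kill(tid, 0) but are never listed in /proc, and processes that start or exit while the scan is running.

```python
"""Brute-force hidden-PID check: kernel probe versus the /proc listing."""
import os

def kernel_probe(pid):
    """True if the kernel currently has a task with this PID."""
    try:
        os.kill(pid, 0)                # null signal: no effect on the target
        return True
    except PermissionError:            # EPERM: exists, owned by another user
        return True
    except ProcessLookupError:         # ESRCH: no such task
        return False

def listed_pids(proc="/proc"):
    """PIDs visible through readdir(), the call ps/ls/top rely on and the
    one a getdents-hooking rootkit filters."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}

def tgid_of(pid, proc="/proc"):
    """Thread-group leader from /proc/<pid>/status (path lookup resolves a
    TID that readdir() never lists), or None if the file is unreadable."""
    try:
        with open(f"{proc}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError):
        pass
    return None

def find_hidden_pids(pid_max, probe=kernel_probe, listed=listed_pids, tgid=tgid_of):
    """PIDs the kernel confirms but /proc does not list. Ordinary threads are
    skipped (kill(tid, 0) succeeds, yet only group leaders are listed); a
    candidate is re-checked so a process that started or exited mid-scan is not reported."""
    visible = listed()
    hidden = []
    for pid in range(1, pid_max + 1):
        if pid in visible or not probe(pid):
            continue
        leader = tgid(pid)
        if leader is not None and leader != pid and leader in visible:
            continue                              # thread of a listed process
        if probe(pid) and pid not in listed():    # still alive, still unlisted
            hidden.append(pid)
    return hidden

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as f:   # upper bound of the PID space
        pid_max = int(f.read())
    print("hidden PIDs:", find_hidden_pids(pid_max))
```

Without root, /proc/<pid>/status of other users' processes is still readable on a default Linux setup, but a rootkit that also hooks stat or open will make the thread check fail, which is why an unreadable status file is treated as a hidden candidate rather than ignored.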
Prerequisites
- Python 3.x
- Root privileges (required to probe processes belonging to other users).
Running the tool
- Download the script
- Run with sudo access
Example Output
For issues or questions, contact:
Frank Zhu flankeroot@gmail.com