#!/usr/bin/env python3
# Script Name: Shadow Detect
# Description: A lightweight tool to detect hidden processes on Linux
# by comparing kernel syscalls against the /proc filesystem.
# Written by Frank Zhu <zhuzhenquan@bytedance.com> 2025.12.08
import os
import sys
import errno
import time
def check_privileges() -> None:
    """Abort with exit status 1 unless the effective user is root.

    The scan compares kill() probes with /proc entries for every PID; the
    printed error tells the user to re-run under sudo so all processes can be
    probed. When already root the function simply returns.
    """
    running_as_root = os.geteuid() == 0
    if running_as_root:
        return
    print("[-] Error: Please run as root (sudo) to probe all system processes.")
    sys.exit(1)
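def get_pid_max(path="/proc/sys/kernel/pid_max", default=32768) -> int:
    """Return the kernel's largest assignable PID.

    Reads ``path`` (the Linux ``pid_max`` sysctl by default) and parses it as
    a decimal integer. When the file is missing, unreadable, or does not hold
    an integer, ``default`` is returned so the scan can still run with the
    historical 32768 upper bound.

    Args:
        path: File holding the maximum PID as decimal text.
        default: Value returned when ``path`` cannot be read or parsed.

    Returns:
        The parsed maximum PID, or ``default`` on failure.
    """
    try:
        with open(path, "r", encoding="ascii") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        # OSError: file missing/unreadable (e.g. a non-Linux host).
        # ValueError (incl. UnicodeDecodeError): contents are not a number.
        # Anything else is a genuine bug and is allowed to propagate instead
        # of being silently turned into the fallback.
        return default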
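def _pid_exists(pid) -> bool:
    """Ask the kernel whether ``pid`` is live using the null signal.

    ``kill(pid, 0)`` delivers nothing; it only performs the PID lookup and
    permission check. ESRCH means no such process. EPERM means the process
    exists but we may not signal it, which still proves existence. Any other
    error is treated as "not present".
    """
    try:
        os.kill(pid, 0)
    except OSError as err:
        return err.errno == errno.EPERM
    return True


def _report_hidden(pid) -> None:
    """Print the finding block for a PID that kill() sees but /proc lacks."""
    sys.stdout.write("\n")
    print(f"[!] SUSPICIOUS: Hidden Process Found! PID: {pid}")
    print(f" -> Syscall kill({pid}, 0) confirms existence.")
    print(f" -> Directory /proc/{pid} is missing.")


def scan_hidden_processes(max_pid=None) -> list:
    """Sweep every PID and report those the kernel knows but /proc does not show.

    For each PID in ``1..max_pid`` the kernel is probed with ``kill(pid, 0)``
    and the answer is compared with the presence of ``/proc/<pid>``. A PID the
    kernel accepts but that has no ``/proc`` entry is reported as hidden.
    Because a process may legitimately exit between the two checks, a missing
    ``/proc`` entry is only reported after a second ``kill()`` probe still
    finds the PID alive; this removes the most common false positive of the
    single-pass comparison.

    Args:
        max_pid: Highest PID to probe. ``None`` reads the kernel's pid_max.

    Returns:
        The PIDs flagged as hidden, ascending (empty when the system looks
        clean). Progress and findings are also printed to stdout.
    """
    print("[*] Initializing Shadow Detect...")
    if max_pid is None:
        max_pid = get_pid_max()
    print(f"[*] System Max PID: {max_pid}")
    print("[*] Starting Brute-Force PID Enumeration... Please wait.")

    hidden = []
    # Progress is printed roughly every 10% of the range; tiny ranges report
    # on every PID.
    step = max_pid // 10 if max_pid > 10 else 1
    for pid in range(1, max_pid + 1):
        if pid % step == 0:
            percentage = int((pid / max_pid) * 100)
            sys.stdout.write(f"\r[*] Scanning progress: {percentage}%")
            sys.stdout.flush()

        if not _pid_exists(pid):
            continue
        if os.path.exists(f"/proc/{pid}"):
            continue
        # Re-probe so a process that exited between the kill() and the /proc
        # check is not reported as hidden.
        if not _pid_exists(pid):
            continue
        _report_hidden(pid)
        hidden.append(pid)

    sys.stdout.write("\n")
    print("=" * 50)
    if not hidden:
        print("[+] System Clean: No hidden processes detected.")
    else:
        print(f"[-] WARNING: Found {len(hidden)} hidden process(es).")
    print("=" * 50)
    return hidden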
def main() -> None:
    """Entry point: require root, run the sweep, and report Ctrl-C cleanly."""
    check_privileges()
    try:
        scan_hidden_processes()
    except KeyboardInterrupt:
        # Ctrl-C during the long PID sweep is expected; leave without a
        # traceback and with the normal exit status.
        print("\n[!] Scan interrupted by user.")


if __name__ == "__main__":
    main()