vsm-rootkit-detector 0.1.0__py3-none-any.whl

rootkit_detector/cli.py

@@ -0,0 +1,36 @@
+import argparse
+import os
+import sys
+
+from .main import run_scan
+
+def require_root():
+    if os.geteuid() != 0:
+        print("[!] Must be run as root")
+        sys.exit(1)
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Educational Linux Rootkit Detection Tool"
+    )
+    parser.add_argument("--repeats", type=int, default=3)
+    parser.add_argument("--delay", type=int, default=1)
+
+    args = parser.parse_args()
+
+    require_root()
+    results = run_scan(args.repeats, args.delay)
+
+    print("\n========== ROOTKIT DETECTION REPORT ==========")
+
+    if results:
+        print("■ Consistently hidden processes detected:")
+        for pid in results:
+            print(f" - PID {pid}")
+    else:
+        print("✓ No hidden processes detected")
+
+    print("============== SCAN COMPLETE ==============\n")
+
+if __name__ == "__main__":
+    main()

rootkit_detector/comparator/compare.py

@@ -0,0 +1,10 @@
+def compare_pids(user_pids, system_pids, library_pids):
+    """
+    Cross-view PID comparison
+    """
+    user_set = set(user_pids)
+    system_set = set(system_pids)
+    library_set = set(library_pids)
+
+    hidden = system_set - user_set - library_set
+    return sorted(hidden)

rootkit_detector/main.py

@@ -0,0 +1,32 @@
+from .views.user_view import get_user_pids
+from .views.system_view import get_system_pids
+from .views.library_view import get_library_pids
+from .comparator.compare import compare_pids
+import time
+
+def run_scan(repeats=3, delay=1, whitelist=None):
+    """
+    Run multiple scans to reduce race-condition false positives
+    """
+    whitelist = whitelist or []
+    seen = {}
+
+    for _ in range(repeats):
+        user = get_user_pids()
+        system = get_system_pids()
+        library = get_library_pids()
+
+        hidden = compare_pids(user, system, library)
+
+        for pid in hidden:
+            seen[pid] = seen.get(pid, 0) + 1
+
+        time.sleep(delay)
+
+    # Only flag consistently hidden PIDs
+    stable = [
+        pid for pid, count in seen.items()
+        if count == repeats and pid not in whitelist
+    ]
+
+    return stable

rootkit_detector/views/library_view.py

@@ -0,0 +1,7 @@
+import psutil
+
+def get_library_pids():
+    """
+    Collect process IDs using a system library (psutil)
+    """
+    return sorted(p.pid for p in psutil.process_iter())

rootkit_detector/views/system_view.py

@@ -0,0 +1,19 @@
+import subprocess
+
+def get_system_pids():
+    """
+    Collect process IDs using ps
+    """
+    pids = []
+    try:
+        output = subprocess.check_output(
+            ["ps", "-e", "-o", "pid="],
+            text=True
+        )
+        for line in output.splitlines():
+            if line.strip().isdigit():
+                pids.append(int(line.strip()))
+    except Exception as e:
+        raise RuntimeError(f"ps execution failed: {e}")
+
+    return sorted(pids)

rootkit_detector/views/user_view.py

@@ -0,0 +1,9 @@
+import os
+
+def get_user_pids():
+    """
+    Collect process IDs visible via /proc
+    """
+    return sorted(
+        int(pid) for pid in os.listdir("/proc") if pid.isdigit()
+    )

vsm_rootkit_detector-0.1.0.dist-info/METADATA

@@ -0,0 +1,25 @@
+Metadata-Version: 2.4
+Name: vsm-rootkit-detector
+Version: 0.1.0
+Summary: VSM Rootkit Detection Tool (Educational Linux Security Project)
+Author-email: Vaishnavi S <vaishanvi@example.com>, Spoorthi <spoorthi@example.com>, Midarsha S <midarsha@example.com>
+License: MIT
+Project-URL: Homepage, https://github.com/Trinity-2006/vsm-rootkit-detector
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+Requires-Dist: psutil
+
+# VSM Rootkit Detector
+
+VSM Rootkit Detector is an educational Linux security tool that demonstrates
+basic rootkit detection techniques using cross-view process analysis.
+
+## Features
+- Cross-view process detection (/proc, ps, psutil)
+- Repeated scans to reduce race-condition false positives
+- Root privilege enforcement
+- Command-line interface
+
+## Installation
+```bash
+pip install vsm-rootkit-detector

vsm_rootkit_detector-0.1.0.dist-info/RECORD

@@ -0,0 +1,14 @@
+rootkit_detector/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+rootkit_detector/cli.py,sha256=iQmIjJ2CXk-bpP1EQp6axjpRkfdCxv5NhB9O4yC1A_E,871
+rootkit_detector/main.py,sha256=JSK3T3rpZY0xhknmGbrywJ57HUKx2mii3QXvRujHDJA,838
+rootkit_detector/comparator/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+rootkit_detector/comparator/compare.py,sha256=Jw-70v8rlcELjkDDE_PItwKAquZ6gJ_SAYMEoICvcq4,278
+rootkit_detector/views/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+rootkit_detector/views/library_view.py,sha256=RIz5BtRt9clfYJZHIlVU0PcvgaWK1sc1Y9o9Dr2Z2qE,167
+rootkit_detector/views/system_view.py,sha256=x0t-OrQ3C6vrydK6M5kT0sd48QyWLH20q6_xbMz3gIY,463
+rootkit_detector/views/user_view.py,sha256=HrqE3OQwBnqwuSMCQeUr0GWIl-L-zP-8zSWglJ95wVM,180
+vsm_rootkit_detector-0.1.0.dist-info/METADATA,sha256=6kgW27AZ2NT2j3seKisQKkou4fdUTRaa12dJMuF7g_c,835
+vsm_rootkit_detector-0.1.0.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+vsm_rootkit_detector-0.1.0.dist-info/entry_points.txt,sha256=egZLuj_Xlj52sy8GEsXw56i0MMuRqo7RY9o9jG59viQ,58
+vsm_rootkit_detector-0.1.0.dist-info/top_level.txt,sha256=EGzpGvS8GV4xauuRNEgqADoP9lZVJaNt-D6J9jaNUDc,17
+vsm_rootkit_detector-0.1.0.dist-info/RECORD,,

vsm_rootkit_detector-0.1.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (80.10.2)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

vsm_rootkit_detector-0.1.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+vsm-rootkit = rootkit_detector.cli:main

vsm_rootkit_detector-0.1.0.dist-info/top_level.txt

@@ -0,0 +1 @@
+rootkit_detector