Zeppoo 0.0.3d review
Zeppoo makes it possible to detect whether a rootkit is installed on your system.
Zeppoo can also detect hidden tasks, syscalls, some corrupted symbols, modules, and hidden network connections.
To do this, it mainly uses /dev/kmem to inspect kernel memory directly, and /dev/mem when possible.
Installation:
Zeppoo uses a small library (pico?) to obtain the interrupt descriptor table with an assembler instruction, but a precompiled version, called ulibzeppo.so, is provided.
If you wish to compile your own version, you need to have the python-devel package installed, then compile with:
python setup.py build
Visualization:
** Tasks:
./zeppoo.py -v tasks
** Syscalls:
./zeppoo.py -v syscalls
** Networks:
./zeppoo.py -v networks
Checking:
** Tasks:
./zeppoo.py -c tasks
** Networks:
./zeppoo.py -c networks
Fingerprint:
** Create:
./zeppoo.py -f FICHIER create
** Check:
./zeppoo.py -f FICHIER check
Others:
** To change the default device (/dev/kmem):
-d PERIPH
** To use mmap to seek symbols (faster):
-m
Examples:
** Visualization of tasks via /dev/mem using mmap:
./zeppoo.py -v tasks -d /dev/mem -m
** Make a fingerprint using /dev/mem:
./zeppoo.py -f FILE create -d /dev/mem
** Check a fingerprint using /dev/mem:
./zeppoo.py -f FILE check -d /dev/mem
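As an added example (not zeppoo's own code), the fingerprint create/check workflow above in Python over constructed data: a kallsyms-style symbol dump and two syscall-table snapshots stand in for what zeppoo reads out of kernel memory via /dev/kmem. The addresses, syscall numbers and the hooked entry are invented for illustration.

```python
import hashlib
import json

# Constructed /proc/kallsyms-style dump; addresses are invented for the example.
KALLSYMS = """\
c0100000 T _text
c0104a20 T sys_execve
c0105b10 T sys_open
c0106c00 T sys_getdents64
c0107d30 T sys_read
c0300000 T _etext
"""

# Constructed syscall-table snapshots {syscall number: handler address}, standing
# in for what zeppoo reads out of kernel memory (numbers follow i386 convention).
TABLE_CLEAN = {3: 0xc0107d30, 5: 0xc0105b10, 11: 0xc0104a20, 220: 0xc0106c00}
TABLE_HOOKED = {**TABLE_CLEAN, 220: 0xd0801230}  # getdents64 redirected elsewhere


def parse_kallsyms(text):
    """Return {symbol name: address} from 'addr type name' lines."""
    syms = {}
    for line in text.strip().splitlines():
        addr, _type, name = line.split()[:3]
        syms[name] = int(addr, 16)
    return syms


def create_fingerprint(table, syms):
    """Record every entry's address and resolved symbol, plus a digest of the set."""
    by_addr = {addr: name for name, addr in syms.items()}
    entries = {str(nr): {"addr": addr, "sym": by_addr.get(addr)}
               for nr, addr in sorted(table.items())}
    blob = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "sha256": hashlib.sha256(blob).hexdigest()}


def check_fingerprint(fp, table, syms):
    """Compare a live table with a saved fingerprint.
    Returns (nr, saved symbol, saved addr, current addr, verdict) per mismatch."""
    lo, hi = syms["_text"], syms["_etext"]
    findings = []
    for nr, saved in fp["entries"].items():
        cur = table.get(int(nr))
        if cur is None:
            findings.append((int(nr), saved["sym"], saved["addr"], None, "missing"))
        elif cur != saved["addr"]:
            verdict = "moved within kernel text" if lo <= cur < hi else "outside kernel text"
            findings.append((int(nr), saved["sym"], saved["addr"], cur, verdict))
    return findings
```

An entry that no longer resolves inside [_text, _etext) is the classic sign of a syscall handler redirected into a loaded module, which is what the `-f FILE check` run is meant to surface.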
What's New in This Release:
check execution of a binary (execve, binfmt)
add symbol verification (only execve)