1 /* @(#) $Id: check_rc_files.c,v 1.12 2009/06/24 18:53:07 dcid Exp $ */
3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is a free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 3) as published by the FSF - Free Software
14 #include "rootcheck.h"
19 * Read the rootkit file list from the stream given in fp (rootkit_files)
20 * and check whether each configured file is present under basedir
22 void check_rc_files(char *basedir, FILE *fp)
24 char buf[OS_SIZE_1024 +1];
25 char file_path[OS_SIZE_1024 +1];
35 debug1("%s: DEBUG: Starting on check_rc_files", ARGV0);
37 while(fgets(buf, OS_SIZE_1024, fp) != NULL)
41 /* Removing end of line */
42 nbuf = strchr(buf, '\n');
48 /* Assigning buf to be used */
51 /* Excluding commented lines or blanked ones */
54 if(*nbuf == ' ' || *nbuf == '\t')
68 /* File now may be valid */
73 /* Getting the file and the rootkit name */
76 if(*nbuf == ' ' || *nbuf == '\t')
78 /* Setting the limit for the file */
93 /* Some ugly code to remove spaces and \t */
99 if(*nbuf == ' ' || *nbuf == '\t')
107 else if(*nbuf == ' ' || *nbuf == '\t')
119 /* Getting the link (if present) */
120 link = strchr(nbuf, ':');
133 /* Cleaning any space of \t at the end */
134 nbuf = strchr(nbuf, ' ');
140 nbuf = strchr(nbuf, '\t');
149 /* Checking if it is a file to search everywhere */
152 if(rk_sys_count >= MAX_RK_SYS)
154 merror(MAX_RK_MSG, ARGV0, MAX_RK_SYS);
159 /* Removing * / from the file */
164 /* Memory assignment */
165 rk_sys_file[rk_sys_count] = strdup(file);
166 rk_sys_name[rk_sys_count] = strdup(name);
168 if(!rk_sys_name[rk_sys_count] ||
169 !rk_sys_file[rk_sys_count] )
171 merror(MEM_ERROR, ARGV0);
173 if(rk_sys_file[rk_sys_count])
174 free(rk_sys_file[rk_sys_count]);
175 if(rk_sys_name[rk_sys_count])
176 free(rk_sys_name[rk_sys_count]);
178 rk_sys_file[rk_sys_count] = NULL;
179 rk_sys_name[rk_sys_count] = NULL;
184 /* Always assigning the last as NULL */
185 rk_sys_file[rk_sys_count] = NULL;
186 rk_sys_name[rk_sys_count] = NULL;
191 snprintf(file_path, OS_SIZE_1024, "%s/%s",basedir, file);
193 /* Checking if file exists */
194 if(is_file(file_path))
196 char op_msg[OS_SIZE_1024 +1];
199 snprintf(op_msg, OS_SIZE_1024, "Rootkit '%s' detected "
200 "by the presence of file '%s'.",name, file_path);
202 notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
211 char op_msg[OS_SIZE_1024 +1];
212 snprintf(op_msg,OS_SIZE_1024,"No presence of public rootkits detected."
213 " Analyzed %d files.", _total);
214 notify_rk(ALERT_OK, op_msg);