Zeppoo is software that detects rootkit presence on your system.
To install Zeppoo, you need a small helper library (pico?) that reads the interrupt descriptor table with an assembler instruction. A precompiled copy, ulibzeppo.so, ships with the tool. If you want to compile your own, install the python-devel package and then build it with: python setup.py build.
Zeppoo provides several visualization options: run ./zeppoo.py -v tasks to list tasks, ./zeppoo.py -v syscalls to list syscalls, and ./zeppoo.py -v networks to list network connections. To check tasks or network connections for hidden entries, run ./zeppoo.py -c tasks or ./zeppoo.py -c networks.
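The tasks and networks checks rest on one idea: compare the kernel's own view of a structure with the view user space is given through /proc. The following is an added illustration of that comparison, not Zeppoo's code; the kernel-view data is a constructed sample standing in for what the tool reads through /dev/kmem, and the names Task, Socket, cross_view_diff and the rest are ours. It generalizes the page's two checks into one function applied to both tasks and sockets.

```python
"""Cross-view detection of hidden tasks and sockets (added illustration).

This is not Zeppoo's code. It models the idea behind "zeppoo.py -c tasks"
and "zeppoo.py -c networks": Zeppoo walks the kernel's own structures
through /dev/kmem and compares them with what user space sees in /proc.
The kernel-view data below is a constructed sample standing in for that
read, and every name here (Task, Socket, cross_view_diff, ...) is ours.
"""
from dataclasses import dataclass
from typing import Iterable, List, TypeVar

T = TypeVar("T")


@dataclass(frozen=True, order=True)
class Task:
    pid: int
    comm: str


@dataclass(frozen=True, order=True)
class Socket:
    proto: str
    local_port: int
    state: str


def cross_view_diff(kernel_view: Iterable[T], user_view: Iterable[T]) -> List[T]:
    """Return the items the kernel knows about that user space does not show.

    A rootkit that filters /proc (or the directory listings behind it) removes
    entries from the user view, but the kernel still needs them in its task
    list and socket tables to schedule and route, so the difference is the
    indicator. Items are returned sorted so reports are stable.
    """
    visible = set(user_view)
    return sorted(item for item in set(kernel_view) if item not in visible)


# Constructed sample data: the "kernel view" is what a /dev/kmem walk would
# yield; the "/proc view" is what ps / netstat would see on the same box.
KERNEL_TASKS = [Task(1, "init"), Task(742, "sshd"), Task(913, "bash"),
                Task(2048, "sample_hidden")]
PROC_TASKS = [Task(1, "init"), Task(742, "sshd"), Task(913, "bash")]

KERNEL_SOCKETS = [Socket("tcp", 22, "LISTEN"), Socket("tcp", 443, "ESTABLISHED"),
                  Socket("tcp", 65001, "LISTEN")]
PROC_SOCKETS = [Socket("tcp", 22, "LISTEN"), Socket("tcp", 443, "ESTABLISHED")]


def hidden_tasks() -> List[Task]:
    """Equivalent of '-c tasks' over the sample data."""
    return cross_view_diff(KERNEL_TASKS, PROC_TASKS)


def hidden_sockets() -> List[Socket]:
    """Equivalent of '-c networks' over the sample data."""
    return cross_view_diff(KERNEL_SOCKETS, PROC_SOCKETS)


def report() -> List[str]:
    """Human-readable findings, one line per hidden item."""
    lines = [f"hidden task: pid={t.pid} comm={t.comm}" for t in hidden_tasks()]
    lines += [f"hidden socket: {s.proto}/{s.local_port} {s.state}" for s in hidden_sockets()]
    return lines or ["no hidden tasks or sockets"]


if __name__ == "__main__":
    print("\n".join(report()))
```

The comparison is only as good as the kernel-side read: if the rootkit also patches the structures the checker walks, both views agree and nothing is flagged, which is why Zeppoo pairs this with fingerprints of the syscall table and IDT.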
Zeppoo also provides fingerprinting: create a fingerprint with ./zeppoo.py -f FICHIER create, and later compare the running system against it with ./zeppoo.py -f FICHIER check (FICHIER is the name of the fingerprint file).
Other options let you change the default device (/dev/kmem) with -d PERIPH and use mmap to seek symbols (faster) with -m. For example: visualize tasks through /dev/mem using mmap with ./zeppoo.py -v tasks -d /dev/mem -m, create a fingerprint through /dev/mem with ./zeppoo.py -f FILE create -d /dev/mem, and check a fingerprint through /dev/mem with ./zeppoo.py -f FILE check -d /dev/mem.
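The create/check pair above is a baseline-and-compare workflow over kernel entry points. As an added illustration (not Zeppoo's code and not its file format), the block below records a system call table, stores it, and later reports every slot whose address no longer matches; the tables are constructed samples with fictional addresses, and all names (create_fingerprint, check_fingerprint, fingerprint_intact and so on) are ours.

```python
"""Fingerprint create/check for kernel entry points (added illustration).

This is not Zeppoo's code or its file format. It models what
"zeppoo.py -f FILE create" and "zeppoo.py -f FILE check" do: record the
addresses held in structures such as the system call table, then later
compare the live values against the record. A real run reads the table
through /dev/kmem or /dev/mem; here the tables are constructed samples
with fictional addresses, and every name below is ours.
"""
import hashlib
import json
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Constructed sample: a clean system call table (fictional 32-bit addresses).
SYSCALL_TABLE_BASELINE: Dict[str, int] = {
    "sys_read": 0xC0168A40,
    "sys_write": 0xC0168B20,
    "sys_open": 0xC0167F10,
    "sys_getdents64": 0xC0179C30,
    "sys_execve": 0xC0108D50,
}

# Constructed sample: the same table after a loaded module redirected the
# getdents64 slot (used for directory listings, hence for hiding files and
# processes) to its own code outside the kernel text range.
SYSCALL_TABLE_HOOKED: Dict[str, int] = dict(SYSCALL_TABLE_BASELINE, sys_getdents64=0xD0A01000)

Difference = Tuple[str, Optional[str], Optional[str]]


def _canonical(entries: Dict[str, str]) -> bytes:
    """Stable byte serialization so the digest does not depend on dict order."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def create_fingerprint(table: Dict[str, int]) -> dict:
    """Turn a live table into a record: hex addresses plus a digest over them."""
    entries = {name: f"0x{addr:08x}" for name, addr in table.items()}
    return {"entries": entries, "sha256": hashlib.sha256(_canonical(entries)).hexdigest()}


def fingerprint_intact(fp: dict) -> bool:
    """Detect edits to the stored record itself before trusting it.

    Anyone able to modify the kernel can usually modify a file too, so keep
    the fingerprint on read-only or offline media; this digest only catches
    careless tampering or corruption.
    """
    return hashlib.sha256(_canonical(fp["entries"])).hexdigest() == fp["sha256"]


def check_fingerprint(fp: dict, table: Dict[str, int]) -> List[Difference]:
    """Compare a live table with a fingerprint.

    Returns (name, recorded, live) for every entry that differs; a missing
    side is None. An empty list means every recorded entry point is unchanged.
    """
    recorded = fp["entries"]
    live = create_fingerprint(table)["entries"]
    return [(name, recorded.get(name), live.get(name))
            for name in sorted(set(recorded) | set(live))
            if recorded.get(name) != live.get(name)]


def save_fingerprint(fp: dict, path: str) -> None:
    Path(path).write_text(json.dumps(fp, indent=2))


def load_fingerprint(path: str) -> dict:
    fp = json.loads(Path(path).read_text())
    if not fingerprint_intact(fp):
        raise ValueError(f"fingerprint {path} fails its own digest")
    return fp


if __name__ == "__main__":
    baseline = create_fingerprint(SYSCALL_TABLE_BASELINE)
    save_fingerprint(baseline, "zeppoo-example.fp")            # like "-f FILE create"
    stored = load_fingerprint("zeppoo-example.fp")
    for name, was, now in check_fingerprint(stored, SYSCALL_TABLE_HOOKED):  # like "-f FILE check"
        print(f"CHANGED {name}: {was} -> {now}")
```

Take the baseline on a freshly installed system, before it is exposed to untrusted input, and keep the file off the machine it describes; a fingerprint created after compromise simply enshrines the hooks. Note also that the data sources this page relies on are not available on current kernels: /dev/kmem was removed in Linux 5.13, and /dev/mem access to RAM is restricted when the kernel is built with CONFIG_STRICT_DEVMEM, so on a modern system the same baseline-and-compare approach has to be fed from a kernel module or another privileged reader.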
This release of Zeppoo adds verification of binary execution (execve, binfmt) and symbol verification (execve only). Overall, Zeppoo is an excellent tool for detecting rootkits and hidden tasks that may compromise your system's security.
Version 0.0.3d: N/A