wok-6.x diff unhide/description.txt @ rev 25380
updated unhide (20130526 -> 20210124)
author | Hans-Günter Theisgen |
---|---|
date | Sat Jul 30 16:42:50 2022 +0100 (2022-07-30) |
parents | |
children | |
line diff
1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 1.2 +++ b/unhide/description.txt Sat Jul 30 16:42:50 2022 +0100 1.3 @@ -0,0 +1,17 @@ 1.4 +Unhide is a forensic tool to find hidden processes and TCP/UDP ports 1.5 +by rootkits, LKMs or by another hiding technique. 1.6 + 1.7 +Detecting hidden processes. Implements six main techniques 1.8 + 1.9 +1- Compare /proc vs /bin/ps output 1.10 +2- Compare info gathered from /bin/ps with info gathered by walking 1.11 + through the procfs. 1.12 +3- Compare info gathered from /bin/ps with info gathered from 1.13 + syscalls (syscall scanning). 1.14 +4- Full PIDs space occupation (PIDs bruteforcing). 1.15 +5- Compare /bin/ps output vs /proc, procfs walking and syscall. 1.16 + Reverse search, verify that all threads seen by ps are also seen 1.17 + in the kernel. 1.18 +6- Quick compare /proc, procfs walking and syscall vs /bin/ps output. 1.19 + It's about 20 times faster than tests 1, 2 and 3 but maybe give 1.20 + more false positives.
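Review bot: the scope stated in the new description.txt is inconsistent: the opening sentence (1.4-1.5) says Unhide finds hidden processes *and* TCP/UDP ports, but the six numbered techniques that follow cover process detection only and nothing explains how hidden ports are checked; either add a line on the port check or narrow the first sentence to processes. Two wording fixes in the same hunk: `Detecting hidden processes. Implements six main techniques` (1.7) reads better as `Detecting hidden processes: six main techniques are implemented`, and in test 6 `but maybe give more false positives` (1.19-1.20) should be `but may give more false positives`.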