wok-6.x view unhide/description.txt @ rev 25380

updated unhide (20130526 -> 20210124)
author Hans-G?nter Theisgen
date Sat Jul 30 16:42:50 2022 +0100 (2022-07-30)
parents
children
line source
1 Unhide is a forensic tool to find hidden processes and TCP/UDP ports
2 by rootkits, LKMs or by another hiding technique.
4 Detecting hidden processes. Implements six main techniques
6 1- Compare /proc vs /bin/ps output
7 2- Compare info gathered from /bin/ps with info gathered by walking
8 through the procfs.
9 3- Compare info gathered from /bin/ps with info gathered from
10 syscalls (syscall scanning).
11 4- Full PIDs space occupation (PIDs bruteforcing).
12 5- Compare /bin/ps output vs /proc, procfs walking and syscall.
13 Reverse search, verify that all threads seen by ps are also seen
14 in the kernel.
15 6- Quick compare /proc, procfs walking and syscall vs /bin/ps output.
16 It's about 20 times faster than tests 1, 2 and 3 but maybe give
17 more false positives.