wok-current annotate unhide/description.txt @ rev 25380
updated unhide (20130526 -> 20210124)
| author | Hans-G?nter Theisgen |
|---|---|
| date | Sat Jul 30 16:42:50 2022 +0100 (23 months ago) |
| parents | |
| children |
| rev | line source |
|---|---|
| Hans-G?nter@25380 | 1 Unhide is a forensic tool to find hidden processes and TCP/UDP ports |
| Hans-G?nter@25380 | 2 by rootkits, LKMs or by another hiding technique. |
| Hans-G?nter@25380 | 3 |
| Hans-G?nter@25380 | 4 Detecting hidden processes. Implements six main techniques |
| Hans-G?nter@25380 | 5 |
| Hans-G?nter@25380 | 6 1- Compare /proc vs /bin/ps output |
| Hans-G?nter@25380 | 7 2- Compare info gathered from /bin/ps with info gathered by walking |
| Hans-G?nter@25380 | 8 through the procfs. |
| Hans-G?nter@25380 | 9 3- Compare info gathered from /bin/ps with info gathered from |
| Hans-G?nter@25380 | 10 syscalls (syscall scanning). |
| Hans-G?nter@25380 | 11 4- Full PIDs space occupation (PIDs bruteforcing). |
| Hans-G?nter@25380 | 12 5- Compare /bin/ps output vs /proc, procfs walking and syscall. |
| Hans-G?nter@25380 | 13 Reverse search, verify that all threads seen by ps are also seen |
| Hans-G?nter@25380 | 14 in the kernel. |
| Hans-G?nter@25380 | 15 6- Quick compare /proc, procfs walking and syscall vs /bin/ps output. |
| Hans-G?nter@25380 | 16 It's about 20 times faster than tests 1, 2 and 3 but maybe give |
| Hans-G?nter@25380 | 17 more false positives. |