wok view unhide/description.txt @ rev 25590

liberation-fonts-base (2.1.5), fedorahosted.org retirement
author Pascal Bellard <pascal.bellard@slitaz.org>
date Sat Jun 17 18:59:24 2023 +0000 (16 months ago)
parents
children
line source
1 Unhide is a forensic tool to find hidden processes and TCP/UDP ports
2 by rootkits, LKMs or by another hiding technique.
4 Detecting hidden processes. Implements six main techniques
6 1- Compare /proc vs /bin/ps output
7 2- Compare info gathered from /bin/ps with info gathered by walking
8 through the procfs.
9 3- Compare info gathered from /bin/ps with info gathered from
10 syscalls (syscall scanning).
11 4- Full PIDs space occupation (PIDs bruteforcing).
12 5- Compare /bin/ps output vs /proc, procfs walking and syscall.
13 Reverse search, verify that all threads seen by ps are also seen
14 in the kernel.
15 6- Quick compare /proc, procfs walking and syscall vs /bin/ps output.
16 It's about 20 times faster than tests 1, 2 and 3 but maybe give
17 more false positives.