wok view unhide/description.txt @ rev 25680

updated gnu-efi (3.0.14 -> 3.0.17)
author Hans-G?nter Theisgen
date Mon Mar 18 18:46:02 2024 +0100 (8 months ago)
parents
children
line source
1 Unhide is a forensic tool to find hidden processes and TCP/UDP ports
2 by rootkits, LKMs or by another hiding technique.
4 Detecting hidden processes. Implements six main techniques
6 1- Compare /proc vs /bin/ps output
7 2- Compare info gathered from /bin/ps with info gathered by walking
8 through the procfs.
9 3- Compare info gathered from /bin/ps with info gathered from
10 syscalls (syscall scanning).
11 4- Full PIDs space occupation (PIDs bruteforcing).
12 5- Compare /bin/ps output vs /proc, procfs walking and syscall.
13 Reverse search, verify that all threads seen by ps are also seen
14 in the kernel.
15 6- Quick compare /proc, procfs walking and syscall vs /bin/ps output.
16 It's about 20 times faster than tests 1, 2 and 3 but maybe give
17 more false positives.