wok view unhide/description.txt @ rev 25770
dool,fake-hwclock,gtkam,xfce4-*-plugin,xlogo: add current_version
| author | Pascal Bellard <pascal.bellard@slitaz.org> |
|---|---|
| date | Fri Sep 06 11:29:23 2024 +0000 |
Unhide is a forensic tool to find processes and TCP/UDP ports hidden
by rootkits, LKMs or by another hiding technique.

Detecting hidden processes: it implements six main techniques

1- Compare /proc vs /bin/ps output.
2- Compare info gathered from /bin/ps with info gathered by walking
   through the procfs.
3- Compare info gathered from /bin/ps with info gathered from
   syscalls (syscall scanning).
4- Full PID space occupation (PID brute-forcing).
5- Compare /bin/ps output vs /proc, procfs walking and syscalls.
   Reverse search: verify that all threads seen by ps are also seen
   by the kernel.
6- Quick compare of /proc, procfs walking and syscalls vs /bin/ps output.
   It is about 20 times faster than tests 1, 2 and 3 but may give
   more false positives.
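The comparison logic behind techniques 1 to 5, as an added example in Python; this is not unhide's own code (unhide is written in C) and simplifies its checks. It assumes a Linux procfs, a `ps` that accepts `-eo pid=`, and 32768 as the fallback PID limit when /proc/sys/kernel/pid_max is unreadable. The two details a practitioner trips over are handled: `kill(tid, 0)` succeeds for a bare thread ID, so the /proc/*/task walk (technique 2) is needed to keep multithreaded programs from showing up as hidden processes, and short-lived processes are filtered by keeping only candidates seen on two consecutive passes.

```python
"""Simplified re-implementation of unhide's process checks (added example,
not the project's code).  Kernel-side views of the PID space are diffed
against the user-visible view (ps output).  Linux only."""
from __future__ import annotations

import os
import subprocess


def pid_max() -> int:
    """Upper bound of the PID space.  32768 is an assumed fallback, only used
    when /proc/sys/kernel/pid_max cannot be read."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 32768


def pids_from_procfs() -> set[int]:
    """Technique 1: every numeric directory name in /proc is a live PID."""
    try:
        return {int(d) for d in os.listdir("/proc") if d.isdigit()}
    except OSError:          # no procfs (non-Linux): nothing to compare
        return set()


def tids_from_procfs() -> set[int]:
    """Technique 2 (procfs walking): every thread ID under /proc/<pid>/task/.
    kill(tid, 0) succeeds for a bare TID, so without this set every thread of
    a multithreaded program would be reported as a hidden process."""
    tids: set[int] = set()
    for pid in pids_from_procfs():
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task")
                        if t.isdigit())
        except OSError:      # process exited between the two listdir calls
            continue
    return tids


def pids_from_syscalls(limit: int) -> set[int]:
    """Techniques 3/4 (syscall scanning over the whole PID space): probe
    1..limit with kill(pid, 0).  ESRCH means no such task; EPERM means it
    exists but is not ours, which is still proof of existence."""
    found: set[int] = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def parse_ps_pids(text: str) -> set[int]:
    """Parse `ps -eo pid=` output: one PID per line, no header."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def pids_from_ps() -> set[int] | None:
    """The user-visible view.  A trojaned ps is exactly what is distrusted,
    so this is the reference being checked, never the source of truth.
    Returns None when ps is not installed."""
    try:
        out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_ps_pids(out)


def hidden_candidates(kernel_view: set[int], ps_view: set[int],
                      known_tids: set[int]) -> set[int]:
    """Techniques 1/3: PIDs the kernel admits exist but ps does not list,
    minus thread IDs, which are not processes."""
    return kernel_view - ps_view - known_tids


def reverse_check(ps_view: set[int], kernel_view: set[int]) -> set[int]:
    """Technique 5 (reverse search): PIDs ps lists that the kernel denies.
    Normally just processes that exited in between (and ps itself, which
    lists its own PID); a persistent entry means ps is fabricating output."""
    return ps_view - kernel_view


def scan(passes: int = 2) -> dict[str, set[int]]:
    """Run every view `passes` times and keep only candidates present in all
    passes, which filters the short-lived processes behind most false
    positives of a single-pass comparison."""
    limit = pid_max()
    hidden: set[int] | None = None
    phantom: set[int] | None = None
    for _ in range(passes):
        ps = pids_from_ps()
        if ps is None:
            raise RuntimeError("ps not available; nothing to compare against")
        kernel = pids_from_procfs() | pids_from_syscalls(limit)
        h = hidden_candidates(kernel, ps, tids_from_procfs())
        p = reverse_check(ps, kernel)
        hidden = h if hidden is None else hidden & h
        phantom = p if phantom is None else phantom & p
    return {"hidden": hidden or set(), "phantom": phantom or set()}


if __name__ == "__main__":
    result = scan()
    print("hidden from ps:", sorted(result["hidden"]) or "none")
    print("listed by ps but unknown to kernel:", sorted(result["phantom"]) or "none")
```

Run it as root: unprivileged, `kill(pid, 0)` still reports EPERM for other users' processes, so existence is detected, but /proc/<pid>/task of those processes may be unreadable under hidepid mounts, and their threads would then surface as candidates. A candidate that survives the two passes deserves a look at /proc/<pid>/ directly, which is where a rootkit that only hooks readdir on /proc usually gives itself away.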