wok view unhide/description.txt @ rev 25598
Update some current_version
author | Pascal Bellard <pascal.bellard@slitaz.org> |
---|---|
date | Sun Jul 16 12:03:07 2023 +0000 (17 months ago) |
parents | |
children |
line source
1 Unhide is a forensic tool to find hidden processes and TCP/UDP ports
2 by rootkits, LKMs or by another hiding technique.
4 Detecting hidden processes. Implements six main techniques
6 1- Compare /proc vs /bin/ps output
7 2- Compare info gathered from /bin/ps with info gathered by walking
8 through the procfs.
9 3- Compare info gathered from /bin/ps with info gathered from
10 syscalls (syscall scanning).
11 4- Full PIDs space occupation (PIDs bruteforcing).
12 5- Compare /bin/ps output vs /proc, procfs walking and syscall.
13 Reverse search, verify that all threads seen by ps are also seen
14 in the kernel.
15 6- Quick compare /proc, procfs walking and syscall vs /bin/ps output.
16 It's about 20 times faster than tests 1, 2 and 3 but maybe give
17 more false positives.