To find processes hidden by rootkits:
Unhide is a forensic tool to find processes hidden by rootkits, Linux kernel modules or by other techniques. It detects hidden processes using six techniques:
1- Compare /proc vs /bin/ps output.
2- Compare info gathered from /bin/ps with info gathered by walking through the procfs. ONLY for the Linux 2.6 version.
3- Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
4- Full PID space occupation (PID bruteforcing). ONLY for the Linux 2.6 version.
5- Compare /bin/ps output vs /proc, procfs walking and syscalls. ONLY for the Linux 2.6 version.
6- Reverse search: verify that all threads seen by ps are also seen by the kernel.
7- Quick compare of /proc, procfs walking and syscalls vs /bin/ps output. ONLY for the Linux 2.6 version.
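The core of the procfs-walking, syscall-scanning and PID-bruteforcing techniques can be shown in a few lines. The script below is an added illustration, not Unhide's own code: it walks /proc/<pid>/task for thread ids, asks ps for the same ids, brute-forces the whole PID space with kill(pid, 0) (which sends no signal but reveals whether the kernel knows the id), and reports ids the kernel admits to that procfs or ps omit. Thread ids are compared rather than process ids because kill() also succeeds for a TID, which would otherwise produce false positives; the final re-check guards against processes that simply exited between snapshots. It assumes a Linux host with procps-style ps.

```python
import os
import subprocess


def tids_from_procfs():
    """Procfs walking: collect every thread id under /proc/<pid>/task."""
    tids = set()
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except OSError:  # process exited while we were walking
            continue
    return tids


def tids_from_ps():
    """Thread ids as reported by ps -eL (the view a rootkit typically tampers with)."""
    out = subprocess.run(["ps", "-eL", "-o", "lwp="],
                         capture_output=True, text=True, check=True).stdout
    return {int(x) for x in out.split()}


def tid_exists_via_syscall(tid):
    """Syscall scanning: kill(tid, 0) delivers nothing but tells us if the id exists."""
    try:
        os.kill(tid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, just owned by someone else


def pid_max():
    with open("/proc/sys/kernel/pid_max") as f:
        return int(f.read())


def find_hidden(kernel_tids, procfs_tids, ps_tids):
    """Ids known to the kernel that procfs or ps omit (pure function, unit-testable)."""
    return sorted(t for t in kernel_tids if t not in procfs_tids or t not in ps_tids)


if __name__ == "__main__":
    procfs, ps = tids_from_procfs(), tids_from_ps()
    # PID bruteforcing: probe the full id space, not just what /proc lists.
    kernel = {t for t in range(1, pid_max() + 1) if tid_exists_via_syscall(t)}
    for t in find_hidden(kernel, procfs, ps):
        # Re-check with fresh snapshots so short-lived processes are not reported.
        if tid_exists_via_syscall(t) and find_hidden({t}, tids_from_procfs(), tids_from_ps()):
            print(f"possible hidden process/thread: {t}")
```

Run it as root so kill() can probe every id; on a host with a large pid_max the scan takes several seconds.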