NAME
       unhide - forensic tool to find hidden processes

SYNOPSIS
       unhide TEST_LIST
       unhide-posix proc | sys

DESCRIPTION
       unhide is a forensic tool to find processes hidden by rootkits, Linux kernel modules or by [...]
       It detects hidden processes using six techniques.

OPTIONS
       Options are only available for unhide-linux, not for unhide-posix.

       -d     Do a double check in the brute test to avoid false positives.

       -f     Write a log file (unhide-linux.log) in the current directory.

       -m     Do more checks; see the procfs and checkchdir tests. As of this version, this option only has an effect for the procfs, procall, checkopendir and checkchdir tests.

       -r     Use the alternate version of the sysinfo check in the standard tests.

       -v     Be verbose, display warning messages (default: don't display).

TEST_LIST
       The checks to do consist of one or more of the following tests. The standard tests are the aggregation of one or more elementary tests.

   Standard tests
       brute      The brute technique consists of brute-forcing all process IDs. This technique is only available with version unhide-linux.

       proc       The proc technique consists of comparing /proc with the output of /bin/ps.

       procall    The procall technique combines the proc and procfs tests.

       procfs     The procfs technique consists of comparing information gathered from /bin/ps with information gathered by walking the procfs. With the -m option, this test makes more checks; see the checkchdir test.

       quick      The quick technique combines the proc, procfs and sys techniques in a quick way. It's about 20 times faster but may give more false positives.

       reverse    The reverse technique consists of verifying that all threads seen by ps are also seen in [...]. It is intended to verify that a rootkit has not killed a security tool (IDS or other) and made ps show a fake process instead.

       sys        The sys technique consists of comparing information gathered from /bin/ps with information [...]

   Elementary tests
       checkbrute         The checkbrute technique consists of brute-forcing all process IDs.

       checkchdir         The checkchdir technique consists of comparing information gathered from /bin/ps with information gathered by making chdir() in the procfs. With the -m option, it also verifies that the thread appears in its "leader process" threads [...]

       checkgetaffinity   The checkgetaffinity technique consists of comparing information gathered from /bin/ps with the result of a call to the sched_getaffinity() system function.

       checkgetparam      The checkgetparam technique consists of comparing information gathered from /bin/ps with the result of a call to the sched_getparam() system function.

       checkgetpgid       The checkgetpgid technique consists of comparing information gathered from /bin/ps with the result of a call to the getpgid() system function.

       checkgetprio       The checkgetprio technique consists of comparing information gathered from /bin/ps with the result of a call to the getpriority() system function.

       checkRRgetinterval The checkRRgetinterval technique consists of comparing information gathered from /bin/ps with the result of a call to the sched_rr_get_interval() system function.

       checkgetsched      The checkgetsched technique consists of comparing information gathered from /bin/ps with the result of a call to the sched_getscheduler() system function.

       checkgetsid        The checkgetsid technique consists of comparing information gathered from /bin/ps with the result of a call to the getsid() system function.

       checkkill          The checkkill technique consists of comparing information gathered from /bin/ps with the result of a call to the kill() system function. Note: no process is really killed by this test.

       checknoprocps      The checknoprocps technique consists of comparing the result of the call to each of the [...]. No comparison is done against /proc or the output of ps.

       checkopendir       The checkopendir technique consists of comparing information gathered from /bin/ps with information gathered by making opendir() in the procfs.

       checkproc          The checkproc technique consists of comparing /proc with the output of /bin/ps.
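The following C program is an added example, not unhide's own code, showing how the checkkill, checkopendir, brute, -m and -d ideas above fit together: every possible ID is probed with kill(pid, 0), a live ID is then looked up in the readdir() listing of /proc (used here in place of ps output), a thread is explained away through the Tgid field of /proc/<pid>/status so it does not count as a hidden process, and a suspicious verdict is re-probed before being reported. All function names and the status-file parsing are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
enum { PID_DEAD, PID_VISIBLE, PID_THREAD, PID_HIDDEN };
/* checkkill-style probe: kill(pid, 0) sends nothing; 0 or EPERM means the kernel knows this ID. */
int alive_by_kill(pid_t pid) { return kill(pid, 0) == 0 || errno == EPERM; }
/* Is the numeric entry in the readdir() listing of /proc? A rootkit that filters
 * this listing hides here even though /proc/<pid>/status may still open by path. */
int listed_in_proc(pid_t pid) {
    char name[32]; struct dirent *d; int found = 0;
    DIR *dir = opendir("/proc"); if (!dir) return 0;
    snprintf(name, sizeof name, "%d", (int)pid);
    while (!found && (d = readdir(dir)) != NULL) found = !strcmp(d->d_name, name);
    closedir(dir); return found;
}
/* Tgid from /proc/<pid>/status, read by path (-1 if unreadable). Threads answer kill() but are
 * not top-level /proc entries, so a thread of a listed leader is a false positive (cf. -m). */
pid_t tgid_of(pid_t pid) {
    char path[64], line[128]; int tgid = -1;
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r"); if (!f) return -1;
    while (fgets(line, sizeof line, f) && sscanf(line, "Tgid: %d", &tgid) != 1) {}
    fclose(f); return (pid_t)tgid;
}
/* Decision rule, kept free of probes so it can be tested on synthetic input. */
int classify(pid_t pid, int alive, int listed, pid_t tgid, int leader_listed) {
    if (!alive) return PID_DEAD;
    if (listed) return PID_VISIBLE;
    return (tgid > 0 && tgid != pid && leader_listed) ? PID_THREAD : PID_HIDDEN;
}
/* A HIDDEN verdict must survive a second probe, so a task that exits between the
 * kill() and readdir() calls is not reported (the double check behind -d). */
int classify_pid(pid_t pid) {
    int verdict = PID_HIDDEN;
    for (int pass = 0; pass < 2 && verdict == PID_HIDDEN; pass++) {
        if (!alive_by_kill(pid)) return PID_DEAD;   /* cheap filter before any /proc scan */
        int listed = listed_in_proc(pid);
        pid_t tgid = listed ? pid : tgid_of(pid);
        verdict = classify(pid, 1, listed, tgid, tgid != pid && listed_in_proc(tgid));
    }
    return verdict;
}
int main(void) {  /* brute-force every possible ID, as the brute test does */
    long max = 32768, hidden = 0; FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) { if (fscanf(f, "%ld", &max) != 1) max = 32768; fclose(f); }
    for (long p = 1; p <= max; p++)
        if (classify_pid((pid_t)p) == PID_HIDDEN) { printf("suspicious: %ld\n", p); hidden++; }
    return hidden != 0;
}
```

Run it as root for full coverage; unprivileged, kill(pid, 0) still reports other users' processes as alive via EPERM, so the sweep works but /proc/<pid>/status of those processes may be unreadable.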