[Forensics-changes] [SCM] debian-forensics/unhide branch, debian, updated. debian/20110113-2-5-gf9f97d3
Julien Valroff
julien at kirya.net
Tue Oct 25 18:45:37 UTC 2011
The following commit has been merged in the debian branch:
commit f9f97d34cfee216161880e406ded4858620460c5
Author: Julien Valroff <julien at kirya.net>
Date: Tue Oct 25 20:35:20 2011 +0200
Update package description to state all 6 techniques used to detect hidden processes
diff --git a/debian/changelog b/debian/changelog
index e8d7c1f..4794563 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,8 +4,10 @@ unhide (20110113-3) unstable; urgency=low
available on kfreebsd
* Drop some lintian overrides now that FTP Masters use lintian 2.5.0
* Update DEP-5 uri
+ * Update package description to state all 6 techniques used to detect hidden
+ processes
- -- Julien Valroff <julien at debian.org> Sun, 18 Sep 2011 14:53:40 +0200
+ -- Julien Valroff <julien at debian.org> Tue, 25 Oct 2011 20:34:44 +0200
unhide (20110113-2) unstable; urgency=low
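Review bot: The new changelog entry understates the change: the control hunk in this same commit does not only add the three missing techniques, it also rewords the three existing bullets (e.g. "comparing the output of /proc and /bin/ps" becomes "Compare /proc vs /bin/ps output"), so a wording such as "Rework package description to list all 6 techniques used to detect hidden processes" would describe the commit more accurately for anyone reading the changelog later.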
diff --git a/debian/control b/debian/control
index 1feb890..44cfec3 100644
--- a/debian/control
+++ b/debian/control
@@ -18,11 +18,16 @@ Description: Forensic tool to find hidden processes and ports
rootkits, Linux kernel modules or by other techniques. It includes two
utilities: unhide and unhide-tcp.
.
- unhide detects hidden processes using three techniques:
- * comparing the output of /proc and /bin/ps
- * comparing the information gathered from /bin/ps with the one gathered from
- system calls (syscall scanning)
- * full scan of the process ID space (PIDs bruteforcing)
+ unhide detects hidden processes using the following six techniques:
+ * Compare /proc vs /bin/ps output
+ * Compare info gathered from /bin/ps with info gathered by walking thru the
+ procfs.
+ * Compare info gathered from /bin/ps with info gathered from syscalls
+ (syscall scanning).
+ * Full PIDs space occupation (PIDs bruteforcing)
+ * Reverse search, verify that all thread seen by ps are also seen by the
+ kernel (/bin/ps output vs /proc, procfs walking and syscall)
+ * Quick compare /proc, procfs walking and syscall vs /bin/ps output
.
unhide-tcp identifies TCP/UDP ports that are listening but are not listed in
/bin/netstat through brute forcing of all TCP/UDP ports available.
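Review bot: The new bullet list mixes grammar and punctuation styles that will be visible to users in the package description, and it contains a few typos: "thru" should be "through", "all thread seen by ps" should be "all threads seen by ps", and "Reverse search, verify that ..." is a comma splice ("Reverse search: verify that ..."). Only two of the six bullets end with a period; pick one convention for all six. "Full PIDs space occupation (PIDs bruteforcing)" would read more naturally as "Full scan of the PID space (PID bruteforcing)", matching the wording of the bullet being removed. The earlier intro sentence "rootkits, Linux kernel modules or by other techniques" still refers to processes hidden by those means, so the list that follows should keep the same imperative form throughout ("Compare ...", "Walk ...", "Verify ...") rather than alternating between verbs and noun phrases.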
--
debian-forensics/unhide