[Forensics-changes] [SCM] debian-forensics/unhide branch, debian, updated. debian/20110113-2-5-gf9f97d3

Julien Valroff julien at kirya.net
Tue Oct 25 18:45:37 UTC 2011


The following commit has been merged in the debian branch:
commit f9f97d34cfee216161880e406ded4858620460c5
Author: Julien Valroff <julien at kirya.net>
Date:   Tue Oct 25 20:35:20 2011 +0200

    Update package description to state all 6 techniques used to detect hidden processes

diff --git a/debian/changelog b/debian/changelog
index e8d7c1f..4794563 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,8 +4,10 @@ unhide (20110113-3) unstable; urgency=low
     available on kfreebsd 
   * Drop some lintian overrides now that FTP Masters use lintian 2.5.0 
   * Update DEP-5 uri
+  * Update package description to state all 6 techniques used to detect hidden
+    processes 
 
- -- Julien Valroff <julien at debian.org>  Sun, 18 Sep 2011 14:53:40 +0200
+ -- Julien Valroff <julien at debian.org>  Tue, 25 Oct 2011 20:34:44 +0200
 
 unhide (20110113-2) unstable; urgency=low
 
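Review bot: the added line `processes ` in the 20110113-3 entry carries trailing whitespace; trim it (the unchanged `available on kfreebsd ` and lintian-override lines just above it have the same stray spaces, so this is a good moment to clean all three). The trailer date bump without a version bump is fine since 20110113-3 is still the unreleased entry.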
diff --git a/debian/control b/debian/control
index 1feb890..44cfec3 100644
--- a/debian/control
+++ b/debian/control
@@ -18,11 +18,16 @@ Description: Forensic tool to find hidden processes and ports
  rootkits, Linux kernel modules or by other techniques. It includes two
  utilities: unhide and unhide-tcp.
  .
- unhide detects hidden processes using three techniques:
-  * comparing the output of /proc and /bin/ps
-  * comparing the information gathered from /bin/ps with the one gathered from
-    system calls (syscall scanning)
-  * full scan of the process ID space (PIDs bruteforcing)
+ unhide detects hidden processes using the following six techniques:
+   * Compare /proc vs /bin/ps output
+   * Compare info gathered from /bin/ps with info gathered by walking thru the
+     procfs.
+   * Compare info gathered from /bin/ps with info gathered from syscalls
+     (syscall scanning).
+   * Full PIDs space occupation (PIDs bruteforcing)
+   * Reverse search, verify that all thread seen by ps are also seen by the
+     kernel (/bin/ps output vs /proc, procfs walking and syscall)
+   * Quick compare /proc, procfs walking and syscall vs /bin/ps output
  .
  unhide-tcp identifies TCP/UDP ports that are listening but are not listed in
  /bin/netstat through brute forcing of all TCP/UDP ports available.

-- 
debian-forensics/unhide