I have read somewhere that rootkits hide a process by dropping off its links in the task list. First, my question is: when it is dropped off the task list, how can it be scheduled in kernel 3.*? In fact I want to detect hidden processes by comparing running processes in the task list and processes in something like the runqueue.
Peggy
1 Answer
You can use unhide:
apt-get install unhide
It compares running processes by various methods, for example:
getpriority()
getpgid()
getsid()
sched_getaffinity()
sched_getparam()
sched_getscheduler()
sched_rr_get_interval()
...

Iman
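As an added illustration of the "brute" technique behind the syscalls listed in the answer (this is my own example, not unhide's code), the script below asks the kernel about every candidate PID through those calls, which do not go through the /proc directory listing that ps and top read, and reports any PID that answers but is not listed. Thread IDs are folded into the visible set because threads answer the same syscalls while only appearing under /proc/<pid>/task. Assumes Linux and Python 3.

```python
import os

# Probes from the answer: each asks the kernel about one PID directly, not via /proc.
PROBES = [
    lambda pid: os.getpriority(os.PRIO_PROCESS, pid),
    os.getpgid,
    os.getsid,
    os.sched_getaffinity,
    os.sched_getparam,
    os.sched_getscheduler,
    os.sched_rr_get_interval,
]

def probe_pid(pid):
    """True if any probe syscall reports that `pid` exists."""
    for probe in PROBES:
        try:
            probe(pid)
            return True
        except ProcessLookupError:  # ESRCH: this probe finds no such task
            continue
        except PermissionError:     # EPERM: task exists, we just lack rights
            return True
        except OSError:             # e.g. EINVAL: inconclusive, try next probe
            continue
    return False

def visible_ids():
    """PIDs and thread IDs listed in procfs (threads answer the probes too)."""
    seen = set()
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        seen.add(int(entry))
        try:  # threads only appear under /proc/<pid>/task, never top-level
            seen.update(int(t) for t in os.listdir(f"/proc/{entry}/task"))
        except OSError:
            pass  # process exited between the two listdir calls
    return seen

def find_hidden(candidates=None):
    """PIDs that answer a probe yet are absent from /proc; each hit is re-checked
    against a fresh listing to drop processes created or reaped mid-scan."""
    if candidates is None:
        with open("/proc/sys/kernel/pid_max") as f:
            candidates = range(1, int(f.read()) + 1)
    visible = visible_ids()
    hits = [p for p in candidates if p not in visible and probe_pid(p)]
    visible = visible_ids()
    return sorted(p for p in hits if p not in visible and probe_pid(p))
```

Calling `find_hidden()` with no arguments scans the whole PID range, which takes a while; a non-empty result is worth comparing against `ps -eLf` before concluding anything, since a short-lived process can still slip through the double check.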