I have just executed the tool on Debian, and I think that it is generating a false positive (I have checked the tool on several machines). The kernel that I am using is 3.2.0-2-amd64. I have used the Debian version of unhide (the one downloaded with apt), and I have also tried the last version published on SourceForge.
The execution is as follows:
>> unhide checksysinfo2 (it also happens with checksysinfo)
Searching for Hidden processes through sysinfo() scanning
HIDDEN Processes Found: 1 sysinfo.procs = 384 ps_count = 385
If you need any other information please contact me (email@example.com)
P.S. Very nice tool
That's a known problem with checksysinfo(2) test.
It used to happen with modified kernels (BFS scheduler, RT_PREEMPT patch, for example).
I suppose Debian doesn't modify the kernel, so in your case it's probably due to the time needed to count the processes reported by the ps command via the pipe.
A short-lived process has certainly run during the test.
There's no real solution to this problem, but there is a workaround.
Using verbose mode will show whether the number of processes changes during the test (but it may report even more false positives).
# ./unhide-linux -v checksysinfo
Copyright © 2012 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
NOTE : This version of unhide is for systems using Linux >= 2.6
[*]Searching for Hidden processes through sysinfo() scanning
WARNING : info.procs changed during test : 270 (was 269)
WARNING : info.procs changed during test : 269 (was 270)
This option permits you to differentiate false positives from true ones.
Note: As you can see in the above example, the ps command may or may not see this short-lived process, depending on when it runs during the ps work.
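To make the race described in this reply concrete, here is an added example (not unhide's own code) that performs the same comparison in-process: it reads sysinfo().procs (the kernel's thread count), walks /proc to count the threads a ps -eL would see, reads sysinfo() again, and treats a changed kernel count as "unstable" rather than as a hidden process, which is what the verbose warning above lets you do by hand. The verdict names and the classify() function are this example's own; the two counts are taken live from the machine it runs on.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/sysinfo.h>

/* Outcome of one sysinfo-vs-/proc comparison (names chosen for this example). */
enum verdict {
    MATCH = 0,            /* kernel count and visible count agree */
    UNSTABLE = 1,         /* kernel count moved during the walk: likely a false positive */
    HIDDEN_SUSPECTED = 2  /* kernel count was stable but still disagrees with /proc */
};

/* True if s is a non-empty run of decimal digits (a PID or TID directory name). */
static int all_digits(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s))
            return 0;
    return 1;
}

/* Number of task directories under /proc/<pid>/task, or -1 if the process is gone. */
static int count_tasks(const char *pid)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%s/task", pid);
    DIR *d = opendir(path);
    if (!d)
        return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (all_digits(e->d_name))
            n++;
    closedir(d);
    return n;
}

/* Count every thread visible through /proc, the set ps -eL would list.
   sysinfo().procs is the kernel's global thread count, so threads (not
   processes) are the right unit to compare against it. */
int count_visible_threads(void)
{
    DIR *d = opendir("/proc");
    if (!d)
        return -1;
    int total = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!all_digits(e->d_name))
            continue;                 /* skip self, thread-self, sys, ... */
        int t = count_tasks(e->d_name);
        if (t > 0)                    /* a process that exited mid-walk is skipped */
            total += t;
    }
    closedir(d);
    return total;
}

/* The kernel's own thread count from sysinfo(2), or -1 on failure. */
int kernel_thread_count(void)
{
    struct sysinfo si;
    if (sysinfo(&si) != 0)
        return -1;
    return (int)si.procs;
}

/* Classify a run: two sysinfo() readings taken around the /proc walk, plus
   the walk's result. A moving kernel count means a short-lived task ran
   during the test, so a mismatch cannot be trusted as evidence of hiding. */
enum verdict classify(int procs_before, int procs_after, int visible)
{
    if (procs_before != procs_after)
        return UNSTABLE;
    if (visible == procs_before)
        return MATCH;
    return HIDDEN_SUSPECTED;
}

/* One full test, printing messages in the same spirit as unhide -v. */
enum verdict run_sysinfo_test(void)
{
    int before = kernel_thread_count();
    int visible = count_visible_threads();
    int after = kernel_thread_count();
    enum verdict v = classify(before, after, visible);
    if (v == UNSTABLE)
        printf("WARNING : info.procs changed during test : %d (was %d)\n", after, before);
    else if (v == HIDDEN_SUSPECTED)
        printf("Count mismatch: %d sysinfo.procs = %d visible threads = %d\n",
               abs(before - visible), before, visible);
    else
        printf("sysinfo.procs = %d matches visible threads = %d\n", before, visible);
    return v;
}

int main(void)
{
    return run_sysinfo_test() == HIDDEN_SUSPECTED ? 1 : 0;
}
```

Two caveats when running this yourself: even a stable before/after reading does not rule out a task that was created and exited entirely between the two sysinfo() calls, which is why the reply says there is no real fix, only repetition and manual review; and inside a PID namespace (a container) sysinfo().procs is not namespaced while /proc is, so the two counts will disagree for a reason that has nothing to do with hiding.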
I had the same problem with unhide 20110113-4 on Debian wheezy and can confirm that this is fixed with unhide 20121229-1 from Debian testing.
I'm sorry to say that, but it is not fixed in any version of unhide. There's nothing that can be done, except maybe include the 'ps' source code in unhide and stop scheduling :).
Starting with the 20121229 version we suppress the sysinfo test from the quick and sys compound tests to avoid false positives, but if sysinfo or sysinfo2 is given on the command line, the FP can occur (it's quite random; it never appears on my machine with kernels from 2.6.14 to 3.4.45).
BTW, version 20130526 has just been released. Nothing fancy though, just minor bug fixes and preparation for packaging under *BSD.