The 'Invisibility Cloak' – Slash-Proc Magic


Technical blog by Stephan Berger (@malmoeb)

Analyzing /proc/mounts indicates that at least one filesystem is mounted onto a directory that typically corresponds to a process ID (PID), as evidenced by entries like ‘/proc/PID’ in the ‘/proc/mounts’ listing. Through practical experimentation and analysis, we’ve uncovered the potential forensic artifacts left behind by such techniques, including anomalous filesystem mounts and empty process directories. These indicators can serve as valuable clues for forensic investigators seeking to uncover hidden processes and detect malicious activity on compromised systems.
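One way to check for the first indicator, a mount point of the form /proc/PID in /proc/mounts, is sketched below. This is an added example, not code from the original blog post; the function names and the sample listing are constructed for illustration.

```python
import re

# /proc/mounts escapes space, tab, newline and backslash as 3-digit octal (\040 ...)
_OCTAL = re.compile(r"\\([0-7]{3})")
# A mount point that is exactly /proc/<digits>, i.e. a per-process directory
_PID_DIR = re.compile(r"^/proc/(\d+)/?$")

# Constructed sample of /proc/mounts content (not taken from a real host)
SAMPLE = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /proc/4242 tmpfs rw,relatime 0 0
/dev/sda1 /proc/1337 ext4 rw,relatime 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
"""


def unescape(field):
    """Decode the octal escapes the kernel uses in /proc/mounts fields."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)


def find_pid_overmounts(mounts_text):
    """Return (pid, source, mountpoint, fstype) for every mount on /proc/<PID>."""
    hits = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or truncated lines
        source, mountpoint, fstype = unescape(parts[0]), unescape(parts[1]), parts[2]
        match = _PID_DIR.match(mountpoint)
        if match:
            hits.append((int(match.group(1)), source, mountpoint, fstype))
    return hits


if __name__ == "__main__":
    # On a live Linux host, read the real listing instead of the sample.
    with open("/proc/mounts", encoding="utf-8", errors="replace") as fh:
        for pid, source, mountpoint, fstype in find_pid_overmounts(fh.read()):
            print(f"suspicious mount over PID {pid}: {source} on {mountpoint} ({fstype})")
```

Legitimate mounts below /proc, such as /proc/sys/fs/binfmt_misc, do not match because only a purely numeric directory directly under /proc is flagged.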
