unhide (part #2)

In the unhide source we have the following lines of code:

// sysctl kernel.pid_max
int maxpid = 32768;

Let's look at what my Linux system that has unhide installed says:

# sysctl kernel.pid_max
kernel.pid_max = 131072

More code in unhide:

unsigned int proc_parent_pids[65536] ;

char *proc_tasks[65536];
char *ps_pids[65536];
char *messages_pids[65536];
char message[1000] ;
char description[1000] ;
int ps_count = 0 ;

This looks like it's assuming 16-bit PIDs: the tables have 65536 entries and the fallback maxpid is 32768, while this kernel hands out PIDs up to 131072. I won't investigate further, but it's likely to be a problem that will allow a rootkit to bypass unhide, since a process with a PID above the table size has no slot to be recorded in.
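To make the mismatch concrete, here is an added example (my own code, not unhide's) that parses kernel.pid_max the way a checker would, reports how many PIDs fall outside a fixed-size table, and sizes the table from the live value instead. STATIC_PID_SLOTS is an assumed stand-in for unhide's 65536-entry arrays.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for unhide's fixed 65536-entry per-PID arrays (assumed value). */
#define STATIC_PID_SLOTS 65536L

/* Parse the text of /proc/sys/kernel/pid_max, e.g. "131072\n".
 * Returns the value, or -1 if the text is not a positive integer. */
long parse_pid_max(const char *text) {
    char *end;
    long v;
    if (text == NULL || *text == '\0') return -1;
    v = strtol(text, &end, 10);
    if (end == text || v <= 0) return -1;
    while (*end == '\n' || *end == ' ') end++;   /* tolerate trailing newline */
    return *end == '\0' ? v : -1;
}

/* How many PIDs a table of `slots` entries can never index on a system
 * whose pid_max is `pid_max`; 0 means the table covers every PID. */
long uncovered_pids(long pid_max, long slots) {
    return pid_max > slots ? pid_max - slots : 0;
}

/* Read the live value from procfs; -1 when it cannot be read. */
long read_system_pid_max(void) {
    char buf[64];
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f == NULL) return -1;
    if (fgets(buf, sizeof buf, f) == NULL) { fclose(f); return -1; }
    fclose(f);
    return parse_pid_max(buf);
}

/* Size a per-PID table from the live pid_max instead of a compile-time
 * constant, so every PID the kernel can hand out has a slot. Caller frees. */
unsigned int *alloc_pid_table(long pid_max) {
    if (pid_max <= 0) return NULL;
    return calloc((size_t)pid_max, sizeof(unsigned int));
}

int main(void) {
    long pid_max = read_system_pid_max();
    if (pid_max < 0) { fprintf(stderr, "cannot read kernel.pid_max\n"); return 1; }
    printf("kernel.pid_max=%ld static_slots=%ld pids_without_a_slot=%ld\n",
           pid_max, STATIC_PID_SLOTS, uncovered_pids(pid_max, STATIC_PID_SLOTS));
    unsigned int *table = alloc_pid_table(pid_max);   /* free(NULL) is safe */
    free(table);
    return 0;
}
```

On the system quoted above it reports 65536 PIDs without a slot; with the hardcoded maxpid of 32768 the gap is 98304.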
