
Module dentry_cache


Detect files hidden via dentry unlink (open-but-unlinked file descriptors).

A classic rootkit technique is to unlink() a file while keeping a file descriptor open: the directory entry is gone and the inode's link count drops to zero (i_nlink == 0), but the inode stays allocated and remains readable and writable through the open fd until the last reference is closed. This walker scans every process's open fd table for file-backed fds whose dentry's inode has i_nlink == 0. A zero link count on an open file is also produced by legitimate code (memfd_create(), O_TMPFILE, and temporary or rotated files deleted while still open), so a hit is a candidate to be classified, not proof of hiding.

MITRE ATT&CK: T1564.001 — Hide Artifacts: Hidden Files and Directories.
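The same check done from user space, as an added example that is not part of this crate: instead of walking the kernel task list it enumerates /proc/<pid>/fd, classifies each readlink() target, and confirms the hit by stat()ing through the magic link to read the open inode's link count. The UnlinkedKind categories, the HiddenFd struct and the demo_self_scan() helper are this example's own assumptions, not the crate's classify_hidden_dentry or HiddenDentryInfo.

```rust
use std::fs::{self, File};
use std::io::Write;
use std::os::unix::fs::MetadataExt;
use std::path::Path;

/// Why an unlinked inode is open. Categories assumed for this example only.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum UnlinkedKind {
    /// memfd_create() or O_TMPFILE: never had a path, benign by design.
    AnonymousByDesign,
    /// Had a path and lost it while open: the rootkit pattern described above.
    UnlinkedPath,
}

/// One open-but-unlinked fd found in a process (example type, not the crate's).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct HiddenFd {
    pub pid: u32,
    pub fd: u32,
    pub target: String,
    pub kind: UnlinkedKind,
}

/// Classify the readlink() text of /proc/<pid>/fd/<n>. Returns None for anything
/// that is not a file-backed unlinked inode (sockets, pipes, anon inodes, and
/// files that still have a directory entry).
pub fn classify_target(target: &str) -> Option<UnlinkedKind> {
    // memfd links read "/memfd:<name> (deleted)"; check before stripping the suffix.
    if target.starts_with("/memfd:") {
        return Some(UnlinkedKind::AnonymousByDesign);
    }
    let rest = target.strip_suffix(" (deleted)")?;
    if !rest.starts_with('/') {
        return None; // "socket:[..]", "pipe:[..]", "anon_inode:[..]" are not files
    }
    // O_TMPFILE inodes are shown as "<dir>/#<ino> (deleted)".
    let name = rest.rsplit('/').next().unwrap_or("");
    if name.starts_with('#') {
        return Some(UnlinkedKind::AnonymousByDesign);
    }
    Some(UnlinkedKind::UnlinkedPath)
}

/// User-space analogue of walking one task's fd table: enumerate /proc/<pid>/fd
/// and keep file-backed entries whose inode reports a zero link count.
pub fn scan_pid(pid: u32) -> Vec<HiddenFd> {
    let mut found = Vec::new();
    let entries = match fs::read_dir(format!("/proc/{pid}/fd")) {
        Ok(e) => e,
        Err(_) => return found, // no such pid, or no ptrace-read access to it
    };
    for entry in entries.flatten() {
        let fd = match entry.file_name().to_string_lossy().parse::<u32>() {
            Ok(n) => n,
            Err(_) => continue,
        };
        let link = entry.path();
        let target = match fs::read_link(&link) {
            Ok(t) => t.to_string_lossy().into_owned(),
            Err(_) => continue, // fd closed between readdir and readlink
        };
        let kind = match classify_target(&target) {
            Some(k) => k,
            None => continue,
        };
        // Do not trust the " (deleted)" text alone: stat() through the magic link
        // reaches the open inode itself and reports its i_nlink.
        if let Ok(md) = fs::metadata(&link) {
            if md.nlink() == 0 {
                found.push(HiddenFd { pid, fd, target, kind });
            }
        }
    }
    found
}

/// Scan every pid we may inspect and keep only the suspicious kind.
pub fn scan_all() -> Vec<HiddenFd> {
    let mut found = Vec::new();
    if let Ok(procs) = fs::read_dir("/proc") {
        for p in procs.flatten() {
            if let Ok(pid) = p.file_name().to_string_lossy().parse::<u32>() {
                found.extend(scan_pid(pid).into_iter().filter(|h| h.kind == UnlinkedKind::UnlinkedPath));
            }
        }
    }
    found
}

/// Reproduce the technique in this process: create a file, unlink it while it is
/// still open, then scan our own fd table. None means /proc is unavailable.
pub fn demo_self_scan() -> Option<bool> {
    if !Path::new("/proc/self/fd").exists() {
        return None;
    }
    let path = std::env::temp_dir().join(format!("dentry_cache_example_{}", std::process::id()));
    let mut keep_open = File::create(&path).ok()?;
    keep_open.write_all(b"constructed payload kept alive by an open fd\n").ok()?;
    fs::remove_file(&path).ok()?; // directory entry gone, i_nlink is now 0
    let name = path.file_name()?.to_string_lossy().into_owned();
    let hits = scan_pid(std::process::id()); // keep_open is still alive here
    Some(hits.iter().any(|h| h.kind == UnlinkedKind::UnlinkedPath && h.target.contains(&name)))
}

fn main() {
    println!("self-test detected unlinked-but-open fd: {:?}", demo_self_scan());
    for h in scan_all() {
        println!("pid {} fd {} -> {} ({:?})", h.pid, h.fd, h.target, h.kind);
    }
}
```

Reading /proc/<pid>/fd of another user's process requires ptrace read access (in practice root or CAP_SYS_PTRACE), so an unprivileged run only sees your own processes. This procfs version also trusts the running kernel: a rootkit that hooks procfs can hide or falsify these links, which is why the crate's walker reads the task list and fd tables directly rather than asking the kernel to list them.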

Re-exports§

pub use crate::heuristics::classify_hidden_dentry;

Structs§

HiddenDentryInfo
Information about a hidden (unlinked but open) file descriptor.

Functions§

walk_dentry_cache
Walk the task list and enumerate all open-but-unlinked file descriptors.