Pure heuristic classifiers for Linux forensic artifacts.
This module consolidates all classify_* functions from the individual
walker modules into one discoverable, collectively-testable location.
Each function is a pure heuristic: it takes only primitive values and
returns bool or a tuple — no ObjectReader dependency.
The original walker modules re-export every symbol from here so all existing call sites continue to compile unchanged.
Functions
- `classify_afinfo_hook` - Classify whether a network protocol handler function pointer has been hooked.
- `classify_bpf_program` - Classify whether a BPF program type/name combination is suspicious.
- `classify_capabilities` - Classify whether a non-root process holds suspicious Linux capabilities.
- `classify_cgroup` - Classify whether a cgroup path indicates a container runtime.
- `classify_container_escape` - Classify whether a process indicator suggests a container escape attempt.
- `classify_deleted_exe` - Classify whether a process running from a deleted executable is suspicious.
- `classify_ebpf_map` - Classify whether an eBPF map is suspicious.
- `classify_ftrace_hook` - Classify whether an ftrace function pointer is outside the kernel text range.
- `classify_futex` - Classify whether a futex entry is suspicious.
- `classify_hidden_dentry` - Classify whether a dentry is hidden or suspicious.
- `classify_idt_entry` - Classify whether an IDT handler address has been hooked.
- `classify_io_uring` - Classify whether an io_uring submission is suspicious.
- `classify_iomem` - Classify whether a `/proc/iomem` region entry is suspicious.
- `classify_kernel_timer` - Classify whether a kernel timer callback is outside the kernel text range.
- `classify_kmsg` - Classify whether a kernel log message matches known suspicious patterns.
- `classify_kthread` - Classify whether a kernel thread entry looks suspicious.
- `classify_ld_preload` - Classify whether an `LD_PRELOAD` value references a suspicious library path.
- `classify_library` - Classify whether a mapped library path is suspicious.
- `classify_memfd` - Classify whether a `memfd_create` file is suspicious.
- `classify_module_visibility` - Classify whether a kernel module is hidden by cross-referencing three views.
- `classify_mount` - Classify whether a mount entry is suspicious.
- `classify_notifier` - Classify whether a keyboard notifier callback is outside the kernel text range.
- `classify_oom_victim` - Classify whether an OOM-killed process is suspicious.
- `classify_pam_hook` - Classify whether a PAM library path is suspicious.
- `classify_perf_event` - Classify whether a `perf_event` is suspicious.
- `classify_psaux` - Classify whether process auxiliary state is suspicious.
- `classify_ptrace` - Classify whether a ptrace relationship is suspicious.
- `classify_raw_socket` - Classify whether a raw socket is suspicious.
- `classify_shared_creds` - Classify whether shared `struct cred` pointers indicate credential theft.
- `classify_signal_handler` - Classify whether a signal handler configuration is suspicious.
- `classify_systemd_unit` - Classify whether a systemd unit is suspicious.
- `classify_tmpfs_file` - Classify whether a tmpfs file is suspicious.
- `classify_unix_socket` - Classify whether a Unix domain socket is suspicious.
- `classify_zombie_orphan` - Classify whether a zombie or orphan process is suspicious.