Module magic_gid


Magic GID detection — identifies processes controlled by LD_PRELOAD rootkits.

Father rootkit (github.com/mav8557/Father) grants GID 7823 to processes it controls via its accept() hook. Scanning /proc//status for supplementary GIDs that match known rootkit magic values is a reliable indicator even when the process is hidden from readdir.
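As an added example (not the module's own code, and with struct and function names that are my own rather than this module's API), a stand-alone Rust implementation of the check described above: parse the `Groups:` line of a status body, match each supplementary GID against the Father magic value, and probe /proc by PID number rather than by directory listing so an entry hidden from readdir is still read.

```rust
/// Magic GID the module documentation attributes to the Father rootkit.
pub const FATHER_MAGIC_GID: u32 = 7823;
/// (gid, rootkit family) pairs to check; only Father is documented here.
pub const KNOWN_MAGIC_GIDS: &[(u32, &str)] = &[(FATHER_MAGIC_GID, "Father")];

/// One hit: the PID inspected, the offending GID and the family it maps to.
#[derive(Debug, PartialEq, Eq)]
pub struct Finding {
    pub pid: u32,
    pub gid: u32,
    pub rootkit: &'static str,
}

/// Pull supplementary GIDs out of the `Groups:` line; unparseable tokens are skipped.
pub fn parse_groups(status: &str) -> Vec<u32> {
    status
        .lines()
        .find_map(|line| line.strip_prefix("Groups:"))
        .map(|rest| rest.split_whitespace().filter_map(|t| t.parse::<u32>().ok()).collect())
        .unwrap_or_default()
}

/// Map a GID to a rootkit family name if it is a known magic value.
pub fn classify(gid: u32) -> Option<&'static str> {
    KNOWN_MAGIC_GIDS.iter().find(|(g, _)| *g == gid).map(|(_, name)| *name)
}

/// Report every magic GID carried by one status body.
pub fn scan_status(pid: u32, status: &str) -> Vec<Finding> {
    parse_groups(status)
        .into_iter()
        .filter_map(|gid| classify(gid).map(|rootkit| Finding { pid, gid, rootkit }))
        .collect()
}

/// Probe /proc/<pid>/status by PID number instead of trusting readdir, so an
/// entry hidden from directory listings is still read. Absent PIDs are skipped.
pub fn scan_proc(max_pid: u32) -> Vec<Finding> {
    (1..=max_pid)
        .filter_map(|pid| std::fs::read_to_string(format!("/proc/{}/status", pid)).ok().map(|s| (pid, s)))
        .flat_map(|(pid, s)| scan_status(pid, &s))
        .collect()
}

fn main() {
    // Constructed sample status body carrying the Father magic GID (assumption).
    let sample = "Name:\tsh\nPid:\t4242\nGroups:\t1000 7823 27\n";
    println!("{:?}", scan_status(4242, sample));
    println!("{} live finding(s)", scan_proc(32768).len()); // empty on a clean host
}
```

The PID bound passed to `scan_proc` is an assumed default; read `/proc/sys/kernel/pid_max` for the real upper limit on a given host.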

Structs

MagicGidFinding
A finding produced when a process carries a known rootkit magic GID.

Constants

FATHER_MAGIC_GID
Magic GID used by the Father rootkit to mark controlled processes.
KNOWN_MAGIC_GIDS
Known rootkit magic GIDs to watch for.

Functions

classify_magic_gid
Returns Some(rootkit_name) if the GID is a known rootkit magic GID, or None if it is not recognised.
has_magic_gid
Returns true if any GID in the list is a known rootkit magic GID.