Zombie and orphan process detection for Linux memory forensics.
Detects zombie processes (a task that has exited but whose parent has not yet collected its exit status with wait(), so its task_struct stays on the list in EXIT_ZOMBIE state) and orphan processes (a task whose parent died, after which the kernel reparented it to init/pid 1 or, on kernels where an ancestor set prctl(PR_SET_CHILD_SUBREAPER), to that subreaper, as systemd user sessions and some container runtimes do). Both are forensically significant: a payload whose parent never reaps it leaves a zombie in the image, and a process that survived its parent may indicate persistence or injection. Note that a zombie with ppid 1 is normally transient, since init reaps promptly; a zombie whose live parent is not init is the more interesting case.
MITRE ATT&CK T1036 (Masquerading): a reparented orphan shows up as a child of init, which hides the process that actually started it.
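As an added illustration of the two heuristics described above (example code written for this page, not the crate's own `classify_zombie_orphan` or `walk_zombie_orphan`): a classifier over a hand-constructed process table that flags zombies by `exit_state`, flags a parent pointer to a pid absent from the list, and flags orphans reparented to init or to a subreaper. The `Task` struct, the sample table, and the rule used to tell an init-spawned daemon from a reparented child (init-spawned daemons call setsid(), so sid == pid, while a reparented child keeps its dead parent's session) are assumptions of this example, not behaviour the crate documents.

```rust
use std::collections::HashMap;

/// task_struct.exit_state bits as defined in include/linux/sched.h.
pub const EXIT_DEAD: u32 = 0x10;
pub const EXIT_ZOMBIE: u32 = 0x20;

/// The fields of a task this heuristic needs. A real walker would fill these
/// from each task_struct in the image; here they are constructed by hand.
#[derive(Debug, Clone)]
pub struct Task {
    pub pid: i32,
    pub ppid: i32,          // real_parent->pid at capture time
    pub sid: i32,           // session id
    pub exit_state: u32,    // task_struct.exit_state
    pub is_subreaper: bool, // signal->is_child_subreaper (PR_SET_CHILD_SUBREAPER)
    pub comm: &'static str,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Finding {
    /// Exited but not yet reaped by its parent.
    Zombie { pid: i32, ppid: i32, parent_present: bool },
    /// Parent pointer targets init or a subreaper, but the task kept a session
    /// it did not create, so it was most likely reparented after its parent died.
    Orphan { pid: i32, reparented_to: i32, via_subreaper: bool },
    /// Parent pointer targets a pid that is not in the task list at all
    /// (inconsistent image, or a task captured mid-exit).
    StaleParent { pid: i32, ppid: i32 },
}

pub fn classify(tasks: &[Task]) -> Vec<Finding> {
    let by_pid: HashMap<i32, &Task> = tasks.iter().map(|t| (t.pid, t)).collect();
    let mut out = Vec::new();
    for t in tasks {
        // pid 1 (init) and pid 2 (kthreadd) hang off the swapper (pid 0) and
        // never have a user-space parent, so there is nothing to classify.
        if t.ppid == 0 {
            continue;
        }
        if t.exit_state & EXIT_ZOMBIE != 0 {
            out.push(Finding::Zombie {
                pid: t.pid,
                ppid: t.ppid,
                parent_present: by_pid.contains_key(&t.ppid),
            });
            continue;
        }
        let parent = match by_pid.get(&t.ppid) {
            Some(p) => *p,
            None => {
                out.push(Finding::StaleParent { pid: t.pid, ppid: t.ppid });
                continue;
            }
        };
        // Only init and subreapers adopt orphans; anything else with a live
        // parent is an ordinary child.
        let reaper = parent.pid == 1 || parent.is_subreaper;
        // Assumption of this example: daemons started by init call setsid(),
        // so sid == pid; a reparented child keeps the session of the parent
        // that died, so sid != pid.
        if reaper && t.sid != t.pid {
            out.push(Finding::Orphan {
                pid: t.pid,
                reparented_to: parent.pid,
                via_subreaper: parent.pid != 1,
            });
        }
    }
    out
}

/// Constructed process table (not from any real image).
pub fn sample_tasks() -> Vec<Task> {
    let t = |pid, ppid, sid, exit_state, is_subreaper, comm| Task { pid, ppid, sid, exit_state, is_subreaper, comm };
    vec![
        t(1, 0, 1, 0, false, "systemd"),
        t(2, 0, 0, 0, false, "kthreadd"),
        t(3, 2, 0, 0, false, "kworker/0:0"),          // kernel thread, parent is kthreadd
        t(800, 1, 800, 0, false, "sshd"),             // init-spawned daemon, own session
        t(900, 1, 900, 0, true, "systemd --user"),    // subreaper for a user session
        t(1200, 800, 1200, 0, false, "bash"),         // ssh login shell
        t(1300, 1, 1200, 0, false, "updater"),        // reparented to init, kept bash's session
        t(1301, 1200, 1200, EXIT_ZOMBIE, false, "curl"), // exited, bash never called wait()
        t(1400, 1234, 1234, 0, false, "helper"),      // parent pid missing from the list
        t(1500, 900, 1500, 0, false, "terminal"),     // child of the subreaper, own session
        t(1600, 900, 1500, 0, false, "payload"),      // reparented to the subreaper
    ]
}

fn main() {
    for f in classify(&sample_tasks()) {
        println!("{f:?}");
    }
}
```

Running it lists the updater and payload as orphans (the second one adopted by the subreaper rather than pid 1), curl as a zombie with its parent still present, and helper as a task with a dangling parent pointer; sshd, the user manager and the terminal are not flagged because each owns its session.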
Re-exports
pub use crate::heuristics::classify_zombie_orphan;
Structs
- ZombieOrphanInfo - Information about a zombie or orphan process found in memory.
Functions
- walk_zombie_orphan - Walk the Linux process list and detect zombie and orphan processes.