[Hidden] Memory Forensics Debugger Extension for Microsoft Debugging Tools - This extension for WinDbg detects hidden processes.
[WMFT] Windows Memory Forensic Toolkit - a collection of utilities intended for forensic use. WMFT performs forensic analysis of physical memory images acquired from Windows 2000/2003/XP machines. There are two versions of the toolkit. The Windows version is written in C# for .NET and analyzes memory images; it has additional functionality such as detecting hidden objects, and can be downloaded from rootkit.com. A Linux-based version is also available. It has limited functionality: it only enumerates internal kernel structures such as _EPROCESS blocks or driver objects. To configure WMFT it is necessary to manually locate the addresses of some internal kernel objects, so the hints and procedures for doing that are collected in the document "An introduction to Windows memory forensics". The techniques used by WMFT are also discussed in this "how-to" document. Additionally, I recommend the slides presented at the Black Hat conferences.
[PROCENUM] Hidden Processes Detection - a small utility that enumerates all user-mode processes. The tool relies on enumerating all page descriptors allocated by the operating system. While enumerating, information from the internal data structures is correlated in order to find the structures of every active process. This generic method detects user-mode processes hidden by tools that use various techniques, such as patching code, modifying function pointers or DKOM (Direct Kernel Object Manipulation), because it does not depend on the kernel's own process list. A detailed description of the technique used by procenum can be found in chapter 8 of the following document: "Digital forensics of the physical memory".
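As an added example (not code from procenum or from this page), the following Python script shows the principle that makes list-independent enumeration catch DKOM: carve process blocks out of a raw image by their signature, walk the kernel's own active-process list, and report every carved block that the list does not reach. The _EPROCESS layout, field offsets and the image contents are constructed for the example, and the toy image is identity-mapped, so Flink/Blink can be followed without page-table translation; real images need the build-specific offsets from the kernel symbols and virtual-to-physical translation. The dispatcher-header values Type=3/Size=0x1b are the XP-era signature that scanners key on; procenum itself works from page descriptors rather than from this signature scan.

```python
import struct

# Simplified _EPROCESS layout for this constructed example. The field offsets are
# made up for the toy image (real ones vary per Windows build and come from the
# kernel symbols); the dispatcher-header signature Type=3, Size=0x1b is the
# XP-era value that signature-based process scanners look for.
HDR_TYPE, HDR_SIZE = 0x03, 0x1B
OFF_PID, OFF_FLINK, OFF_BLINK, OFF_NAME = 0x04, 0x08, 0x0C, 0x10
BLOCK_LEN = 0x20
IMAGE_LEN = 0x10000
LIST_HEAD = 0x1000   # toy location of PsActiveProcessHead (a LIST_ENTRY)


def make_block(pid, name, flink, blink):
    hdr = struct.pack("<BBH", HDR_TYPE, 0, HDR_SIZE)      # Type, Absent, Size
    body = struct.pack("<III", pid, flink, blink)          # PID, ActiveProcessLinks
    return hdr + body + name.encode().ljust(16, b"\0")     # ImageFileName[16]


def build_image():
    """Constructed toy image: three processes on the active list plus one that a
    DKOM rootkit has unlinked. Physical == virtual here; a real image needs
    page-table translation before Flink/Blink can be followed."""
    visible = [(0x2000, 4, "System"), (0x3400, 368, "smss.exe"),
               (0x5800, 1248, "explorer.exe")]
    hidden = (0x7C00, 1900, "hidden.exe")
    img = bytearray(IMAGE_LEN)
    # the list threads through each block's ActiveProcessLinks field, not its start
    links = [LIST_HEAD] + [off + OFF_FLINK for off, _, _ in visible]
    struct.pack_into("<II", img, LIST_HEAD, links[1], links[-1])
    for i, (off, pid, name) in enumerate(visible, start=1):
        flink, blink = links[(i + 1) % len(links)], links[i - 1]
        img[off:off + BLOCK_LEN] = make_block(pid, name, flink, blink)
    off, pid, name = hidden
    # unlinked block: its own links point at itself, a common choice when
    # unlinking so that the structure stays self-consistent
    img[off:off + BLOCK_LEN] = make_block(pid, name, off + OFF_FLINK, off + OFF_FLINK)
    return bytes(img)


def scan_processes(img):
    """Carve candidate process blocks by signature, ignoring the list entirely."""
    found = []
    for off in range(0, len(img) - BLOCK_LEN, 4):       # 4-byte aligned in the toy
        typ, _absent, size = struct.unpack_from("<BBH", img, off)
        if (typ, size) != (HDR_TYPE, HDR_SIZE):
            continue
        pid, flink, blink = struct.unpack_from("<III", img, off + OFF_PID)
        # plausibility checks keep random matches out: Windows PIDs are non-zero
        # multiples of 4, links must stay inside the image, the name is printable
        if pid == 0 or pid % 4 or not (flink < len(img) and blink < len(img)):
            continue
        name = img[off + OFF_NAME:off + OFF_NAME + 16].split(b"\0", 1)[0]
        if not name or not all(0x20 <= c < 0x7F for c in name):
            continue
        found.append({"offset": off, "pid": pid, "name": name.decode()})
    return found


def walk_active_list(img, head=LIST_HEAD, limit=4096):
    """Walk PsActiveProcessHead the way the OS (and Task Manager) does;
    a DKOM-unlinked block never appears here."""
    offsets = []
    link = struct.unpack_from("<I", img, head)[0]
    while link != head and len(offsets) < limit:         # limit guards a corrupt loop
        offsets.append(link - OFF_FLINK)
        link = struct.unpack_from("<I", img, link)[0]
    return offsets


def hidden_processes(img):
    """Carved blocks that the active list does not reach: the hidden ones."""
    listed = set(walk_active_list(img))
    return [p for p in scan_processes(img) if p["offset"] not in listed]


if __name__ == "__main__":
    image = build_image()
    for p in hidden_processes(image):
        print("hidden: pid %d %s at 0x%x" % (p["pid"], p["name"], p["offset"]))
```

The same cross-check generalizes to any structure the kernel reaches through a list or table: enumerate it by an independent route, compare with what the kernel reports, and treat the difference as the set of hidden objects.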
[IDETECT] Linux Memory Forensic toolkit - helps digital investigators extract useful information from a Linux memory image. The current version identifies the contents of files that were mapped into memory and displays detailed information about each active process; any structure related to a selected process can be enumerated. Instead of working on a memory image, the toolkit can also be run against a live system. All the necessary background on memory forensic analysis is available in the document "Digital forensics of the physical memory".
[noname] Simple LKM-based rootkit - This basic rootkit was written for educational purposes only, for the print edition of Hakin9 magazine. A detailed "how-to" article is available here (only the German version of the article is available online). The rootkit can be installed on 2.4.x kernel releases. I advise reading my article on detecting kernel rootkits with GNU gdb. The techniques covered there lead you through comparing kernel memory with the kernel image file (the kernel image file has to be trusted, since it is the reference everything is checked against). The article "Detecting rootkits and kernel-level compromises in Linux" was published by SecurityFocus in November 2004.
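As an added example, not the article's gdb session and not this page's own code, the following Python script carries out the comparison the article describes on the one table an LKM rootkit most often patches: the sys_call_table as stored in the trusted kernel image against the same table as read from the running kernel, with every differing slot resolved against System.map. The System.map excerpt, the addresses and the hooked entries are constructed for the example; in real use the two tables would be dumped with gdb from vmlinux and from /proc/kcore (or /dev/kmem) and fed in. The kernel image and System.map are the trust anchor, which is exactly why they must come from a known-good source.

```python
import bisect
import struct

# Constructed System.map excerpt with 2.4-style i386 addresses invented for this
# example (not taken from any real build); only the first seven system calls
# are modelled.
SYSTEM_MAP = """\
c0100000 T _text
c0106f60 T sys_ni_syscall
c0107180 T sys_exit
c01071c0 T sys_fork
c0131f20 T sys_read
c0132040 T sys_write
c0133a80 T sys_open
c0133b90 T sys_close
c0240000 A _etext
c0260000 D sys_call_table
"""
SYSCALLS = ("sys_ni_syscall", "sys_exit", "sys_fork", "sys_read",
            "sys_write", "sys_open", "sys_close")     # i386 syscall numbers 0..6


def parse_system_map(text):
    """name -> address for every symbol in a System.map-style listing."""
    syms = {}
    for line in text.splitlines():
        addr, _kind, name = line.split()
        syms[name] = int(addr, 16)
    return syms


def build_snapshots(syms):
    """Constructed: 'image' is sys_call_table as it appears in the trusted vmlinux
    file; 'memory' is the same bytes read from the running kernel, where a
    hypothetical LKM has redirected sys_write and sys_open to its own code in
    the vmalloc area (addresses made up for the example)."""
    clean = [syms[n] for n in SYSCALLS]
    hooked = list(clean)
    hooked[4], hooked[5] = 0xD0873120, 0xD0873240
    fmt = "<%dI" % len(SYSCALLS)
    return struct.pack(fmt, *clean), struct.pack(fmt, *hooked)


def resolve(syms, addr):
    """gdb-style symbol[+offset] for addr, or None if it lies outside
    [_text, _etext), i.e. outside the kernel's own code."""
    if not syms["_text"] <= addr < syms["_etext"]:
        return None
    by_addr = sorted((a, n) for n, a in syms.items())
    addrs = [a for a, _ in by_addr]
    base, name = by_addr[bisect.bisect_right(addrs, addr) - 1]
    return name if base == addr else "%s+0x%x" % (name, addr - base)


def compare_syscall_table(syms, image, memory):
    """Diff the table from the kernel image against the table in memory and
    report every slot that differs, resolving the observed address where possible."""
    n = len(image) // 4
    fmt = "<%dI" % n
    findings = []
    for nr, (good, seen) in enumerate(zip(struct.unpack(fmt, image),
                                          struct.unpack(fmt, memory))):
        if good != seen:
            findings.append({"nr": nr, "expected": resolve(syms, good),
                             "observed": seen, "observed_sym": resolve(syms, seen)})
    return findings


if __name__ == "__main__":
    syms = parse_system_map(SYSTEM_MAP)
    image, memory = build_snapshots(syms)
    for f in compare_syscall_table(syms, image, memory):
        where = f["observed_sym"] or "outside kernel .text (module/vmalloc area?)"
        print("syscall %d: image has %s, memory has 0x%08x (%s)"
              % (f["nr"], f["expected"], f["observed"], where))
```

An entry that resolves to a kernel symbol but a different one than the image holds is as suspicious as one that points outside the kernel's text: both mean the table in memory no longer matches the trusted file. Hooks that patch the first bytes of a handler rather than the table pointer are caught the same way by diffing the handler's code bytes instead of the table.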