From 63197cb654c33b51e648c6e1068b5d53719b9391 Mon Sep 17 00:00:00 2001 From: "Ilya V. Matveychikov" Date: Wed, 4 Jul 2018 18:32:44 +0400 Subject: [PATCH] Update rkduck.md --- details/rkduck.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/details/rkduck.md b/details/rkduck.md index 56cfc31..8ef7fb3 100644 --- a/details/rkduck.md +++ b/details/rkduck.md @@ -56,7 +56,13 @@ Hooking of system calls by patching syscall-handlers in `sys_call_table[]`: - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L59 (vfs_hijacked_filldir) - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L157 (vfs_hijacked_proc_iterate) - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L78 (vfs_hijacked_proc_filldir) - + +## Hiding of processes and process trees + +Filtering PID-like numeric entries while listing `/proc`: + - based on hiding of files capabilty (vfs_hide_file) + - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/crumbs_serv.c#L30 + ## Keylogger Keylogger is implemented using `register_keyboard_notifier()`:
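Review bot: The added bullet "based on hiding of files capabilty (vfs_hide_file)" in the new "Hiding of processes and process trees" section misspells "capability", and it names `vfs_hide_file` without a source link. The bullets just above pair each URL with its symbol, for example `vfs.c#L78 (vfs_hijacked_proc_filldir)`. Suggest linking `vfs_hide_file` to its definition and appending the function name in parentheses to the `crumbs_serv.c#L30` bullet, so a reader can tell which code performs the PID filtering without opening the link. The one deletion in this hunk removes a blank line and adds a blank line back in the same place, which looks like a whitespace-only change. If the re-added line carries trailing whitespace, dropping that pair would keep the patch to pure additions.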