kill(pid, 0) is also a classic trick for detecting crappy rootkits; cycle through all ~65k possible pids, and see if the ESRCH results agree with "ps -axo pid". A patched ps, a patched KVM library, or even a patched procfs can still miss the code path used by the kill(2) syscall.