The qualification of thoose guy's that install rootkits seems not to be the question, but the effect. An installed root-kit by the way, says nothing about the skills off the attacker. If he gained access to your box by an self explored and exploited buffer-overrun he is'nt a script-kid -> please choose : hacker,[white|grey|black]hat.
If they prevent to see their activities be installing mechanism like rootkits its harder too seek'em.
So my question was initially:
Show this really all processes even if a rootkit is installed
cd /proc
for i in $(ls | grep -E ^[0-9]) ; do cat $i/status | xargs | awk '{printf $4 $7 " " $2 " " $5}'; echo ;done
This is may not work as expected if rootkit change ls command, and/or if have kernel modules changing syscalls used for ls or cat command. Regards, ./nelson -murilo