Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits / LKMs or by another hiding technique.
For detecting hidden processes, it implements six main techniques:
- Compare /proc vs /bin/ps output
- Compare info gathered from /bin/ps with info gathered by walking through the procfs. ONLY for unhide-linux version
- Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
- Full PID space occupation (PID bruteforcing). ONLY for unhide-linux version
- Compare /bin/ps output vs /proc, procfs walking and syscalls. ONLY for unhide-linux version. Reverse search: verify that all threads seen by ps are also seen by the kernel.
- Quick compare of /proc, procfs walking and syscalls vs /bin/ps output. ONLY for unhide-linux version. It’s about 20 times faster than tests 1+2+3 but may give more false positives.
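The cross-checks listed above are set differences between independent views of the PID space. The script below is an added illustration of that idea (it is not unhide's own code): it collects PIDs from ps, from a readdir() walk of /proc and from a kill(pid, 0) brute-force scan, diffs them in both directions (forward tests and the reverse search of test 5), and re-checks candidates after a short delay the way unhide's later '-d' option does, because a process that lived only for an instant is otherwise reported as hidden. It assumes a Linux host with procfs mounted at /proc and a procps-style ps on PATH; the delay value and the pid_max fallback are constructed.

```python
#!/usr/bin/env python3
"""Cross-check the PID space from three independent views, in the spirit of
unhide's tests 1, 3, 4 and 5. Added illustration, not unhide's own code."""
from __future__ import annotations

import os
import subprocess
import time

PROC_ROOT = "/proc"          # assumption: Linux procfs mounted at the usual place
FALLBACK_PID_MAX = 32768     # constructed fallback if pid_max is unreadable


def parse_ps_pids(ps_output: str) -> set[int]:
    """Extract PIDs from `ps -e -o pid=` output (one bare PID per line)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def pids_from_ps() -> set[int]:
    """View 1: what the userland ps tool reports."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return parse_ps_pids(out)


def pids_from_procfs() -> set[int]:
    """View 2: numeric entries returned by readdir() on /proc."""
    return {int(name) for name in os.listdir(PROC_ROOT) if name.isdigit()}


def read_pid_max() -> int:
    """Upper bound of the PID space on this kernel."""
    try:
        with open(os.path.join(PROC_ROOT, "sys", "kernel", "pid_max")) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return FALLBACK_PID_MAX


def pids_alive(pids) -> set[int]:
    """View 3: probe each PID with kill(pid, 0), which only runs the kernel's
    existence and permission check and delivers no signal. ESRCH means no such
    process, EPERM means one exists but is not ours, success means it exists.
    A rootkit that filters readdir() on /proc or the output of ps does not
    necessarily touch this path, so disagreement with views 1 and 2 is the signal."""
    if os.name != "posix":
        raise RuntimeError("kill(pid, 0) probing is only meaningful on POSIX")
    alive = set()
    for pid in pids:
        try:
            os.kill(pid, 0)
        except ProcessLookupError:      # ESRCH: no such process
            continue
        except PermissionError:         # EPERM: exists, owned by someone else
            pass
        alive.add(pid)
    return alive


def pids_from_syscall_scan(pid_max: int) -> set[int]:
    """Brute-force the whole PID space (unhide's test 4)."""
    return pids_alive(range(1, pid_max + 1))


def find_hidden(ps_pids, proc_pids, syscall_pids) -> dict[str, set[int]]:
    """Set differences in both directions: forward tests and the reverse test 5."""
    return {
        "in_proc_not_ps": proc_pids - ps_pids,
        "in_syscall_not_ps": syscall_pids - ps_pids,
        "in_syscall_not_proc": syscall_pids - proc_pids,
        "in_ps_not_kernel": ps_pids - (proc_pids | syscall_pids),
    }


def double_check(candidates, should_show, still_alive, delay=0.2):
    """The idea behind unhide's '-d': a PID that existed only for an instant
    (ps itself, a short-lived child) is a false positive. Wait, then keep only
    candidates that are still alive and still absent from the view that should
    have shown them. Both arguments are callables returning fresh PID sets."""
    if not candidates:
        return set()
    time.sleep(delay)
    visible = should_show()
    alive = still_alive()
    return {pid for pid in candidates if pid in alive and pid not in visible}


def own_pid_seen_by_syscall_scan() -> bool:
    """Sanity check: the scanner must at least find the process running it."""
    return os.getpid() in pids_from_syscall_scan(os.getpid())


if __name__ == "__main__":
    ps_pids, proc_pids = pids_from_ps(), pids_from_procfs()
    sys_pids = pids_from_syscall_scan(read_pid_max())   # slow when pid_max is 4194304
    diffs = find_hidden(ps_pids, proc_pids, sys_pids)
    for name, cands in diffs.items():
        alive_view = (lambda c=cands: pids_alive(c))
        shown_view = pids_from_ps if name != "in_syscall_not_proc" else pids_from_procfs
        if name == "in_ps_not_kernel":
            shown_view, alive_view = (lambda: pids_from_procfs() | pids_alive(cands)), pids_from_ps
        confirmed = double_check(cands, shown_view, alive_view)
        print(f"{name}: {sorted(confirmed) or 'nothing hidden'}")
```

Run it as root so that EPERM is not the common case and /proc entries of other users are readable; a full scan with the modern default pid_max of 4194304 takes a while in Python, which is exactly the cost unhide's quick test (test 6) trades against extra false positives.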
- unhide-linux26.c was renamed to unhide-linux.c
- unhide.c was renamed to unhide-posix.c
- The log file of unhide-linux is renamed ‘unhide-linux_AAAA-MM-DD.log’
- The log file of unhide-tcp is named ‘unhide-tcp_AAAA-MM-DD.log’
- By default, unhide-tcp now uses /sbin/ss from the iproute2 package; to use netstat as before, the ‘-n’ option must be given on the command line.
- Display is more verbose and multi-lines for hidden processes (unhide-linux).
- If asked to (-l and/or -f), display is more verbose and multi-lines for hidden ports (unhide-tcp).
- The sysinfo test is no longer called as part of the compound quick and sys tests as it may give false positives.
It can still be run using the checksysinfo, checksysinfo2 or checksysinfo3 command line parameter.
Major enhancements of unhide-tcp:
- Add capability to output a log file (unhide-tcp_AAAA-MM-DD.log)
- Add capability to output more information (via lsof and/or fuser) on hidden port if available
- Add verbose mode (disabled by default) to display warnings
- Add a new method (via option ‘-s’) that is very fast on systems with a huge number of open ports
- Make a double check of port access to avoid false positives (the previous single-check version is available as unhide-tcp-simple-check.c if needed).
- Add a quick port of unhide.rb to the C language (unhide_rb.c) and guess what … it’s 40 times faster than the original Ruby unhide.rb
Note: unhide_rb doesn’t take any option.
- Add “-d” option for doing a double check in the brute test, which reduces false positives.
- Add “-o” option as synonym of “-f”.
- For found hidden processes, display the user and the working directory as extracted from the process environment.
Note that it doesn’t work well for kernel processes/threads nor for daemons.
- For found hidden processes, display cmdline, exe link and internal command name.
- Add French and Spanish man pages for unhide-tcp
- Update English manpage of unhide-tcp to reflect changes
- Minor corrections in French manpage of unhide
- Display copyright and license information in start banners.
- Make message from sysinfo tests more clear.
- Add a NEWS file 🙂
- Update README.txt, LISEZ-MOI.txt and LEEME.txt to clarify difference between unhide-posix and unhide-linux.
- Remove sysinfo test from quick and sys compound tests as it may give false positives.
The sysinfo test can still be used via the checksysinfo[2|3] command line parameters.
- Suppress pedantic compilation warnings (glibc >=2.3, gcc >=4.6).
- Correct the number of processes displayed for /proc counting in sysinfo test.
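The unhide-tcp items above (the switch to ss, the double check of port access to cut false positives) rest on one comparison: the ports a listing tool shows versus the ports the kernel actually refuses to hand out. The script below is an added illustration of that comparison and is not unhide-tcp's own code. It parses `ss -ant` / `ss -anu` output, probes every port with a plain bind() on the wildcard address (EADDRINUSE means something already holds it, whatever a hooked listing tool claims), reports ports in use but unlisted, and re-probes suspects after a delay so that connections opened or closed between the two views do not count. It assumes a Linux host with iproute2's ss on PATH; the delay value and the sample ss lines in the self-test are constructed. Ports below 1024 need root to probe, and IPv6-only listeners would need the same probe on an AF_INET6 socket.

```python
#!/usr/bin/env python3
"""Hidden TCP/UDP port check in the spirit of unhide-tcp: compare the ports a
listing tool (ss) reports with the ports the kernel refuses on bind().
Added illustration, not unhide-tcp's own code."""
from __future__ import annotations

import errno
import socket
import subprocess
import time


def parse_ss_ports(ss_output: str) -> set[int]:
    """Local ports from `ss -ant` / `ss -anu` output. The local address is the
    second-to-last column (peer is last) with or without a Netid column; the
    port follows the final ':' so '[::1]:631' and '*:68' both parse. Header
    lines yield a non-numeric token and are skipped."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        port = fields[-2].rsplit(":", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports


def listed_ports(flag: str = "t") -> set[int]:
    """View 1: ports as shown by iproute2's ss, all states, numeric ('t' or 'u')."""
    out = subprocess.run(["ss", "-an" + flag], capture_output=True,
                         text=True, check=True).stdout
    return parse_ss_ports(out)


def port_in_use(port: int, proto=socket.SOCK_STREAM) -> bool:
    """View 2: ask the kernel directly. bind() on 0.0.0.0 fails with
    EADDRINUSE when any IPv4 socket (listening, established, TIME_WAIT)
    already occupies the port. EACCES on a privileged port as an unprivileged
    caller is reported as not-in-use, so run as root to cover ports < 1024."""
    with socket.socket(socket.AF_INET, proto) as s:
        try:
            s.bind(("0.0.0.0", port))
        except OSError as exc:
            return exc.errno == errno.EADDRINUSE
    return False


def ports_in_use(ports, proto=socket.SOCK_STREAM) -> set[int]:
    """Probe a whole range of ports (unhide-tcp walks 1..65535)."""
    return {p for p in ports if port_in_use(p, proto)}


def find_hidden_ports(in_use: set[int], listed: set[int]) -> set[int]:
    """Ports the kernel holds but the listing tool does not show."""
    return in_use - listed


def double_check(candidates, listed_view, proto=socket.SOCK_STREAM, delay=0.2):
    """unhide-tcp's double check: a socket that appeared or disappeared between
    the probe and the listing is a false positive, so wait, probe the suspects
    again and list again, and keep only ports that still disagree."""
    if not candidates:
        return set()
    time.sleep(delay)
    return ports_in_use(candidates, proto) - listed_view()


def demo_bind_check() -> tuple[bool, bool]:
    """Constructed self-test: open a listener on an ephemeral loopback port,
    confirm the wildcard probe sees it, close it, confirm the probe no longer does."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = port_in_use(port)
    after_close = port_in_use(port)
    return while_open, after_close


if __name__ == "__main__":
    for name, proto, flag in (("tcp", socket.SOCK_STREAM, "t"),
                              ("udp", socket.SOCK_DGRAM, "u")):
        suspects = find_hidden_ports(ports_in_use(range(1, 65536), proto),
                                     listed_ports(flag))
        confirmed = double_check(suspects, lambda f=flag: listed_ports(f), proto)
        print(f"{name}: {sorted(confirmed) or 'no hidden ports'}")
```

A port that survives the double check deserves the extra context unhide-tcp can gather with lsof or fuser (its -l / -f options): which process, if any visible one, holds it.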
Thank you Yago Jesus for sharing this tool with ToolsWatch.