Unhide is a forensic tool that finds processes and TCP/UDP ports hidden by rootkits, malicious LKMs or other hiding techniques.
Unhide (ps)
Detects hidden processes, using six techniques:
- Compare /proc with /bin/ps output.
- Compare the information gathered from /bin/ps with the information gathered by walking through procfs.
- Compare the information gathered from /bin/ps with the information gathered from syscalls (syscall scanning).
- Occupy the full PID space (PID brute-forcing).
- Reverse search: verify that every thread seen by ps is also seen by the kernel (/bin/ps output vs /proc, procfs walking and syscalls).
- Quick compare of /proc, procfs walking and syscalls against /bin/ps output.
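To show what these techniques boil down to, here is an added example (not unhide's own code) that reimplements three of them in Python on a Linux host: the kernel's view of live processes is collected by walking /proc (including /proc/<pid>/task for thread IDs) and by brute-forcing the whole PID space with kill(pid, 0), and it is then compared both ways against what procps `ps -eLo pid=,lwp=` reports. PIDs the kernel knows but ps omits are reported as hidden; PIDs ps lists but the kernel denies are the reverse-search hits. The scan is run twice and only PIDs flagged both times are kept, which removes the processes that merely started or exited between snapshots; the function and variable names are my own.

```python
"""Added example (not unhide's code): /proc walk + PID brute-force vs ps, both directions."""
import os
import subprocess
from typing import Iterable, Set, Tuple


def pids_from_procfs() -> Set[int]:
    """Kernel view 1: numeric entries in /proc, plus the thread IDs under each /proc/<pid>/task."""
    seen = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        seen.add(int(name))
        try:
            seen.update(int(t) for t in os.listdir(f"/proc/{name}/task") if t.isdigit())
        except OSError:  # process exited between the two listdir() calls
            pass
    return seen


def pids_from_syscalls(max_pid: int) -> Set[int]:
    """Kernel view 2: probe every PID with kill(pid, 0). ESRCH means no such
    process; success or EPERM means it exists, even if a hooked readdir()
    keeps it out of /proc listings. On Linux this also answers for thread IDs."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:  # ESRCH
            pass
        except PermissionError:     # EPERM: exists, owned by another user
            alive.add(pid)
    return alive


def parse_ps_pids(ps_output: str) -> Set[int]:
    """Userland view: every numeric token of `ps -eLo pid=,lwp=` (PID and thread ID per line)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def pids_from_ps() -> Set[int]:
    out = subprocess.run(["ps", "-eLo", "pid=,lwp="], capture_output=True, text=True, check=True).stdout
    return parse_ps_pids(out)


def diff_views(kernel_view: Set[int], ps_view: Set[int], ignore: Iterable[int] = ()) -> Tuple[Set[int], Set[int]]:
    """Return (hidden, phantom): hidden = known to the kernel but not shown by ps
    (the classic rootkit symptom); phantom = shown by ps but unknown to the kernel
    (the reverse search)."""
    skip = set(ignore)
    return (kernel_view - ps_view) - skip, (ps_view - kernel_view) - skip


def pid_max() -> int:
    """Upper bound of the PID space; falls back to the historical default."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except OSError:
        return 32768


def scan(rounds: int = 2) -> Tuple[Set[int], Set[int]]:
    """Compare the views `rounds` times and keep only PIDs flagged every time,
    so short-lived processes (including the ps child itself) are not reported."""
    hidden_all, phantom_all = None, None
    me = {os.getpid()}
    for _ in range(rounds):
        ps_view = pids_from_ps()
        kernel_view = pids_from_procfs() | pids_from_syscalls(pid_max())
        hidden, phantom = diff_views(kernel_view, ps_view, ignore=me)
        hidden_all = hidden if hidden_all is None else hidden_all & hidden
        phantom_all = phantom if phantom_all is None else phantom_all & phantom
    return hidden_all, phantom_all


if __name__ == "__main__":
    hidden, phantom = scan()
    for pid in sorted(hidden):
        print(f"[!] PID {pid} is alive in the kernel but absent from ps output")
    for pid in sorted(phantom):
        print(f"[?] PID {pid} is listed by ps but unknown to the kernel")
    if not hidden and not phantom:
        print("No hidden processes found")
```

Run it as root so that kill(pid, 0) is not limited to your own processes, and treat a hit as a lead to investigate (cross-check /proc/<pid>/exe, /proc/<pid>/maps and loaded modules), not as proof of a rootkit: a persistent difference between the kernel's view and ps is the same signal unhide reports.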
Unhide-TCP
Identifies TCP/UDP ports that are listening but not listed by /bin/netstat, by brute-forcing all available TCP/UDP ports.
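The port brute-force works the same way as the process check: the kernel is asked directly, here by trying to bind() every port, and its answer is compared with what a userland tool prints. The following is an added example (not unhide-tcp's code) for Linux that probes all 65535 TCP or UDP ports and reports the ones the kernel refuses with EADDRINUSE but iproute2's `ss` does not list. It compares against `ss -a` (all states, not only LISTEN) on purpose: a port held by an outbound connection or still in TIME-WAIT also fails to bind, and would otherwise show up as a false positive. Names and the sample output used in the test are my own.

```python
"""Added example (not unhide-tcp's code): bind() brute-force of the port space vs `ss` output."""
import errno
import socket
import subprocess
from typing import Optional, Set


def parse_ss_ports(ss_output: str) -> Set[int]:
    """Local ports from `ss -Hatn` / `ss -Haun` (or `netstat -tan`) output: both
    print the local address as the 4th column, e.g. 0.0.0.0:22, [::]:80, *:443."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            ports.add(int(fields[3].rsplit(":", 1)[1]))
        except (IndexError, ValueError):  # header line, or a column without a port
            continue
    return ports


def port_in_use(port: int, proto: str = "tcp") -> Optional[bool]:
    """Kernel view: try to bind the port. EADDRINUSE means something already
    owns it whatever userland claims. None means we could not tell (EACCES on a
    privileged port when not running as root)."""
    stype = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, stype) as sock:
        try:
            sock.bind(("0.0.0.0", port))
            return False
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return True
            if exc.errno == errno.EACCES:
                return None
            raise


def hidden_ports(in_use: Set[int], listed: Set[int]) -> Set[int]:
    """Ports the kernel holds that the userland listing does not mention."""
    return in_use - listed


def scan(proto: str = "tcp", first: int = 1, last: int = 65535) -> Set[int]:
    flag = "-Hatn" if proto == "tcp" else "-Haun"
    out = subprocess.run(["ss", flag], capture_output=True, text=True, check=True).stdout
    listed = parse_ss_ports(out)
    in_use = {p for p in range(first, last + 1) if port_in_use(p, proto)}
    return hidden_ports(in_use, listed)


if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        print(f"Starting {proto.upper()} checking")
        for port in sorted(scan(proto)):
            print(f"[!] {proto} port {port} is in use but not reported by ss")
```

Two caveats a practitioner will hit: a service bound only to an IPv6 address with IPV6_V6ONLY set does not conflict with the IPv4 bind above, so repeat the probe with AF_INET6 and "::" if that matters on your host; and a port that changes state during the sweep (an ephemeral outbound connection opening after `ss` ran) can be flagged once, so rerun and keep only persistent hits, as the process example does.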
How do I install unhide
To install Unhide under CentOS/RedHat, log in as root and type the following command:
# yum install unhide
Sample outputs
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package unhide.x86_64 0:0.0.20080519-1.el5.rf set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch          Version                      Repository    Size
================================================================================
Installing:
 unhide           x86_64        0.0.20080519-1.el5.rf        rpmforge     528 k

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 528 k
Is this ok [y/N]: y
Downloading Packages:
unhide-0.0.20080519-1.el5.rf.x86_64.rpm                  | 528 kB     00:02
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : unhide                                                   1/1

Installed:
  unhide.x86_64 0:0.0.20080519-1.el5.rf

Complete!
How do I use this tool
You can use it as follows, choosing one of the three scan modes (proc, sys or brute):
# unhide proc | sys | brute
For example, type the following command to search for hidden processes:
# unhide proc
Sample outputs
Unhide 20080519
[email protected]
[*]Searching for Hidden processes through /proc scanning
For example, type the following command to search for hidden TCP/UDP ports:
# unhide-tcp
Sample outputs
Unhide 20080519
[email protected]
Starting TCP checking
Starting UDP checking
No hidden ports were found by the unhide-tcp command.