Unhide is a forensic tool to find processes hidden by rootkits, Linux kernel modules or by other techniques. It detects hidden processes using six techniques:
unhide-tcp is a forensic tool that identifies TCP/UDP ports that are listening but are not listed in /bin/netstat through brute forcing of all TCP/UDP ports available.
- Compare /proc vs /bin/ps output
- Compare info gathered from /bin/ps with info gathered by walking thru the procfs. ONLY for Linux 2.6 version
- Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
- Full PIDs space ocupation (PIDs bruteforcing). ONLY for Linux 2.6 version
- Compare /bin/ps output vs /proc, procfs walking and syscall. ONLY for Linux 2.6 version
- Reverse search, verify that all thread seen by ps are also seen in the kernel.
- 6- Quick compare /proc, procfs walking and syscall vs /bin/ps output. ONLY for Linux 2.6 version.
- Unhide-TCP
unhide-tcp is a forensic tool that identifies TCP/UDP ports that are listening but are not listed in /bin/netstat through brute forcing of all TCP/UDP ports available.
How to Use ?
- -f Write a log file (unhide.log) in the current directory.
- -h Display help
- -m Do more checks. As of 2010-11-21 version, this option has only effect for the procfs, procall, checkopendir and checkchdir tests.
- -r Use alternate version of sysinfo check in standard tests
- -V Show version and exit
- -v Be verbose, display warning message (default : don't display). This option may be repeated more than once.
gcc –static unhide.c -o unhide
gcc -Wall -O2 –static unhide-tcp.c -o unhide-tcp
gcc -Wall -O2 –static -pthread unhide-linux26.c -o unhide-linux26
gcc -Wall -O2 -static -o unhide_rb unhide_rb.c
Available for Windows & Linux Platform.
Download latest Version : Windows or Linux
