unhide
Forensic tool to find hidden processes and ports
Install
- All systems
-
curl cmd.cat/unhide.sh
- Debian
-
apt-get install unhide
- Ubuntu
-
apt-get install unhide
- Arch Linux
-
pacman -S unhide
- Kali Linux
-
apt-get install unhide
- Fedora
-
dnf install unhide
- Windows (WSL2)
-
sudo apt-get update
sudo apt-get install unhide
- Raspbian
-
apt-get install unhide
- Dockerfile
- dockerfile.run/unhide
unhide
Forensic tool to find hidden processes and ports
Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits, Linux kernel modules or by other techniques. It includes two utilities: unhide and unhide-tcp. unhide detects hidden processes using the following six techniques: * Compare /proc vs /bin/ps output * Compare info gathered from /bin/ps with info gathered by walking thru the procfs. * Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning). * Full PIDs space occupation (PIDs bruteforcing) * Reverse search, verify that all thread seen by ps are also seen by the kernel (/bin/ps output vs /proc, procfs walking and syscall) * Quick compare /proc, procfs walking and syscall vs /bin/ps output unhide-tcp identifies TCP/UDP ports that are listening but are not listed in /bin/netstat through brute forcing of all TCP/UDP ports available. This package can be used by rkhunter in its daily scans. This package is useful for network security checks, in addition to forensics investigations.