Forensic tool to find hidden processes and ports https://www.unhide-forensics.info/
README.md automatic version update by autodist [release 20130526-1mamba;Mon May 27 2013] 2024-01-05 18:48:52 +01:00
unhide.spec update to 20220611 [release 20220611-1mamba;Sat Nov 26 2022] 2024-01-05 18:48:53 +01:00

unhide

Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits, LKMs or other hiding techniques.

Unhide (ps) - detecting hidden processes. It implements six main techniques:

  1. Compare /proc against /bin/ps output.
  2. Compare information gathered from /bin/ps with information gathered by walking through the procfs.
  3. Compare information gathered from /bin/ps with information gathered from syscalls (syscall scanning).
  4. Full PID-space occupation (PID brute-forcing).
  5. Compare /bin/ps output against /proc, procfs walking and syscalls. Reverse search: verify that every thread seen by ps is also seen by the kernel.
  6. Quick comparison of /proc, procfs walking and syscalls against /bin/ps output. It is about 20 times faster than tests 1+2+3 combined, but may give more false positives.
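The following is an added example, not unhide's own code, showing in minimal form two of the process views the techniques above compare: view A walks /proc (technique 2) and view B brute-forces the PID space with kill(pid, 0) (technique 4). A PID that the kernel reports as alive but that has no /proc entry is a candidate hidden process. The constants, function names and the re-check step are this example's own assumptions; it is Linux only.

```c
/* Added example, not unhide's own code: two of the process views unhide
 * compares. View A walks /proc (technique 2); view B brute-forces the PID
 * space with kill(pid, 0) (technique 4). A PID the kernel says is alive but
 * that has no /proc entry is a candidate hidden process. Linux only. */
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define DEFAULT_PID_MAX 32768   /* fallback if /proc/sys/kernel/pid_max is unreadable */

/* Upper bound of the PID space as the kernel reports it. */
int read_pid_max(void) {
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    int v = DEFAULT_PID_MAX;
    if (f) {
        if (fscanf(f, "%d", &v) != 1 || v <= 0) v = DEFAULT_PID_MAX;
        fclose(f);
    }
    return v;
}

/* View A: mark every PID that appears as a numeric directory under /proc.
 * Returns -1 if /proc cannot be opened. */
int walk_proc(unsigned char *seen, int pid_max) {
    DIR *d = opendir("/proc");
    if (!d) return -1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (*end == '\0' && pid > 0 && pid < pid_max) seen[pid] = 1;  /* numeric names only */
    }
    closedir(d);
    return 0;
}

/* View B: kill(pid, 0) delivers no signal but reveals whether the PID exists.
 * 0 or EPERM (alive, owned by someone else) means alive; ESRCH means free. */
void bruteforce_pids(unsigned char *seen, int pid_max) {
    for (int pid = 1; pid < pid_max; pid++)
        if (kill(pid, 0) == 0 || errno == EPERM) seen[pid] = 1;
}

/* Count PIDs present in `kernel` but absent from `proc`. With recheck set, a
 * candidate is reported only if it is still alive and still missing from
 * /proc on a second look, which drops the transient false positives caused
 * by processes that exit between the two scans. */
int count_hidden(const unsigned char *proc, const unsigned char *kernel,
                 int pid_max, int recheck, int verbose) {
    int hidden = 0;
    for (int pid = 1; pid < pid_max; pid++) {
        if (!kernel[pid] || proc[pid]) continue;
        if (recheck) {
            char path[64];
            struct stat st;
            snprintf(path, sizeof path, "/proc/%d", pid);
            int alive = (kill(pid, 0) == 0 || errno == EPERM);
            if (!alive || stat(path, &st) == 0) continue;  /* exited, or visible after all */
        }
        hidden++;
        if (verbose) printf("PID %d answers kill() but has no /proc entry\n", pid);
    }
    return hidden;
}

/* Run both views and compare. Returns the number of candidates, or -1 if
 * /proc is unavailable. */
int scan_hidden_processes(int verbose) {
    int pid_max = read_pid_max(), hidden = -1;
    unsigned char *a = calloc((size_t)pid_max, 1), *b = calloc((size_t)pid_max, 1);
    if (a && b && walk_proc(a, pid_max) == 0) {
        bruteforce_pids(b, pid_max);
        hidden = count_hidden(a, b, pid_max, 1, verbose);
    }
    free(a); free(b);
    return hidden;
}

int main(void) {
    int n = scan_hidden_processes(1);
    if (n < 0) { fprintf(stderr, "/proc not available\n"); return 2; }
    printf("%d candidate hidden process(es)\n", n);
    return n > 0;
}
```

Two views are the minimum; unhide adds the /bin/ps view and syscall scanning so that a rootkit which hooks only readdir() on /proc, or only the kill() path, still shows up as a disagreement between views. Running as an unprivileged user is fine for this pair of views because EPERM already proves the PID exists.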

Unhide-TCP identifies TCP/UDP ports that are listening but not listed by /bin/netstat, by brute-forcing all available TCP/UDP ports.
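The following is an added example, not unhide-tcp's own code, showing the two views that port brute-forcing compares for TCP: view A parses /proc/net/tcp, the table netstat reads; view B tries to bind() each port, where EADDRINUSE means something already holds it. A port that is in use but has no entry in /proc/net/tcp is a candidate hidden socket. The function names and the loopback test listener are this example's own assumptions; it is Linux and IPv4 only (/proc/net/tcp6 has the same layout with 32-hex-digit addresses).

```c
/* Added example, not unhide-tcp's own code: the two TCP views unhide-tcp
 * compares. View A parses /proc/net/tcp (what netstat reads); view B probes
 * each port with bind(). A port that is in use but absent from the table is
 * a candidate hidden socket. Linux, IPv4 only. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define TCP_LISTEN_STATE 0x0A   /* kernel socket state code for LISTEN */
#define PORT_COUNT 65536

/* Parse one /proc/net/tcp row, e.g.
 *   "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 ..."
 * (local 0.0.0.0:22, state LISTEN). Returns the local port and stores the
 * state code in *state, or -1 for the header row or a malformed line. */
int local_port_from_line(const char *line, unsigned int *state) {
    unsigned int sl, lip, lport, rip, rport, st;
    if (sscanf(line, " %u: %x:%x %x:%x %x", &sl, &lip, &lport, &rip, &rport, &st) != 6)
        return -1;
    if (state) *state = st;
    return lport < PORT_COUNT ? (int)lport : -1;
}

/* View A: mark every local port in /proc/net/tcp in any state. A port held
 * by an ESTABLISHED socket also makes bind() fail, so it must count as
 * listed or it would be a false positive. Returns -1 if unreadable. */
int read_listed_ports(unsigned char *listed) {
    FILE *f = fopen("/proc/net/tcp", "r");
    if (!f) return -1;
    char line[512];
    while (fgets(line, sizeof line, f)) {
        int p = local_port_from_line(line, NULL);
        if (p >= 0) listed[p] = 1;
    }
    fclose(f);
    return 0;
}

/* View B: try to bind a fresh socket to 0.0.0.0:port. Returns 1 if the port
 * is held by someone (EADDRINUSE), 0 if it was free, -1 on any other error
 * (typically EACCES below port 1024 without CAP_NET_BIND_SERVICE, which is
 * why a full scan is run as root). */
int port_in_use(int port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons((uint16_t)port);
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa), err = errno;
    close(fd);
    return rc == 0 ? 0 : (err == EADDRINUSE ? 1 : -1);
}

/* Known-good listener on 127.0.0.1 with a kernel-chosen port, for exercising
 * both views. Returns the fd and stores the port, or -1. */
int open_listener(int *port_out) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    socklen_t len = sizeof sa;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) { close(fd); return -1; }
    *port_out = ntohs(sa.sin_port);
    return fd;
}

/* Compare the two views over the whole port range. Returns the number of
 * candidates, or -1 if /proc/net/tcp is unavailable. */
int scan_hidden_tcp_ports(int verbose) {
    unsigned char *listed = calloc(PORT_COUNT, 1);
    if (!listed || read_listed_ports(listed) < 0) { free(listed); return -1; }
    int hidden = 0;
    for (int port = 1; port < PORT_COUNT; port++) {
        if (!listed[port] && port_in_use(port) == 1) {
            hidden++;
            if (verbose) printf("port %d/tcp is bound but absent from /proc/net/tcp\n", port);
        }
    }
    free(listed);
    return hidden;
}

int main(void) {
    int n = scan_hidden_tcp_ports(1);
    if (n < 0) { fprintf(stderr, "/proc/net/tcp not available\n"); return 2; }
    printf("%d candidate hidden TCP port(s)\n", n);
    return n > 0;
}
```

UDP works the same way with SOCK_DGRAM and /proc/net/udp. A rootkit that filters /proc/net/tcp cannot also make bind() succeed on a port its own socket holds, which is what makes the two views disagree; the scan is noisy on a busy host (ephemeral ports come and go between the two views), so a candidate should be re-probed before it is reported.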