diff --git a/README.md b/README.md
index 3a68346..454a2ab 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,17 @@
 # unhide
+Unhide is a forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique.
+
+Unhide (ps) - Detecting hidden processes. Implements six main techniques
+1. Compare /proc vs /bin/ps output
+2. Compare info gathered from /bin/ps with info gathered by walking thru the procfs.
+3. Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
+4. Full PIDs space ocupation (PIDs bruteforcing).
+5. Compare /bin/ps output vs /proc, procfs walking and syscall.
+ Reverse search, verify that all thread seen by ps are also seen in the kernel.
+6. Quick compare /proc, procfs walking and syscall vs /bin/ps output.
+ It's about 20 times faster than tests 1+2+3 but maybe give more false positives.
+
+Unhide-TCP
+Identify TCP/UDP ports that are listening but not listed in /bin/netstat doing brute forcing of all TCP/UDP ports availables.
+
diff --git a/unhide.spec b/unhide.spec
new file mode 100644
index 0000000..e511dc4
--- /dev/null
+++ b/unhide.spec
@@ -0,0 +1,73 @@
+Name: unhide
+Version: 20130526
+Release: 1mamba
+Summary: Forensic tool to find hidden processes and ports
+Group: Applications/Security
+Vendor: openmamba
+Distribution: openmamba
+Packager: Davide Madrisan
+URL: http://www.unhide-forensics.info/
+Source: http://sourceforge.net/projects/unhide/files/unhide-%{version}.tgz
+License: GPL
+## AUTOBUILDREQ-BEGIN
+## AUTOBUILDREQ-END
+BuildRoot: %{_tmppath}/%{name}-%{version}-root
+
+%description
+Unhide is a forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique.
+
+Unhide (ps) - Detecting hidden processes. Implements six main techniques
+1. Compare /proc vs /bin/ps output
+2. Compare info gathered from /bin/ps with info gathered by walking thru the procfs.
+3. Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
+4. Full PIDs space ocupation (PIDs bruteforcing).
+5. Compare /bin/ps output vs /proc, procfs walking and syscall.
+ Reverse search, verify that all thread seen by ps are also seen in the kernel.
+6. Quick compare /proc, procfs walking and syscall vs /bin/ps output.
+ It's about 20 times faster than tests 1+2+3 but maybe give more false positives.
+
+Unhide-TCP
+Identify TCP/UDP ports that are listening but not listed in /bin/netstat doing brute forcing of all TCP/UDP ports availables.
+
+%prep
+%setup -q
+
+%build
+CFLAGS="%optflags" ; export CFLAGS ;
+# Since this is a forensics/security tool, we compile the binaries statically
+# to help prevent a hacked glibc from tampering with the results.
+%{__cc} -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide
+%{__cc} -Wall -O2 --static unhide_rb.c -o unhide_rb
+%{__cc} -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp
+
+%install
+[ "%{buildroot}" != / ] && rm -rf "%{buildroot}"
+install -d %{buildroot}%{_sbindir}
+for f in unhide unhide_rb unhide-tcp; do
+ install -m 755 $f %{buildroot}%{_sbindir}/$f
+done
+
+install -d %{buildroot}%{_mandir}/man8
+install -m 644 man/unhide.8 %{buildroot}%{_mandir}/man8/unhide.8
+install -m 644 man/unhide-tcp.8 %{buildroot}%{_mandir}/man8/unhide-tcp.8
+
+%clean
+[ "%{buildroot}" != / ] && rm -rf "%{buildroot}"
+
+%files
+%defattr(-,root,root)
+%{_sbindir}/%{name}*
+%{_mandir}/man8/unhide.*
+%{_mandir}/man8/unhide-tcp.*
+%doc COPYING
+#README.txt TODO
+
+%changelog
+* Mon May 27 2013 Automatic Build System 20130526-1mamba
+- automatic version update by autodist
+
+* Thu Jan 31 2013 Automatic Build System 20121229-1mamba
+- automatic version update by autodist
+
+* Tue Dec 13 2011 Davide Madrisan 20110113-1mamba
+- package created by autospec
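Review bot: The three `%{__cc}` lines at the top of this hunk pass only `-Wall -O2 --static` and never reference the `CFLAGS` that the preceding `CFLAGS="%optflags" ; export CFLAGS ;` line exports, so whatever hardening flags the distribution puts in `%optflags` (stack protector, FORTIFY and the like, depending on the build environment) are silently dropped for a tool that is typically run as root; change each compile line to use them, e.g. `%{__cc} $CFLAGS -Wall --static -pthread unhide-linux*.c unhide-output.c -o unhide` and likewise for `unhide_rb` and `unhide-tcp`, or delete the dead export. The static-linking rationale in the two `# Since this is a forensics/security tool` comment lines is sound, but it has a maintenance cost the comment should state: a statically linked binary does not pick up glibc security fixes, so the package must be rebuilt after every glibc update (`# NOTE: static binaries embed libc; rebuild this package on every glibc security update.`). Linking with `--static` also needs the static C library archive at build time, which the `## AUTOBUILDREQ` markers presumably will not infer from the sources; an explicit `BuildRequires:` for it (name varies by distribution) would avoid a build that only fails on a clean builder. Minor: the `%install` and `%clean` guards use `[ ... ] && rm -rf` which returns non-zero when the guard is false; if the build shell runs with errexit that would abort the section, so an `if` form is safer.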