automatic version update by autodist [release 20130526-1mamba;Mon May 27 2013]

README.md

@@ -1,2 +1,17 @@
 # unhide
 
+Unhide is a forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique.
+
+Unhide (ps) - Detecting hidden processes. Implements six main techniques
+1. Compare /proc vs /bin/ps output
+2. Compare info gathered from /bin/ps with info gathered by walking thru the procfs.
+3. Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
+4. Full PIDs space ocupation (PIDs bruteforcing).
+5. Compare /bin/ps output vs /proc, procfs walking and syscall.
+   Reverse search, verify that all thread seen by ps are also seen in the kernel.
+6. Quick compare /proc, procfs walking and syscall vs /bin/ps output.
+   It's about 20 times faster than tests 1+2+3 but maybe give more false positives.
+
+Unhide-TCP
+Identify TCP/UDP ports that are listening but not listed in /bin/netstat doing brute forcing of all TCP/UDP ports availables.
+

unhide.spec

@@ -0,0 +1,73 @@
+Name:          unhide
+Version:       20130526
+Release:       1mamba
+Summary:       Forensic tool to find hidden processes and ports
+Group:         Applications/Security
+Vendor:        openmamba
+Distribution:  openmamba
+Packager:      Davide Madrisan <davide.madrisan@gmail.com>
+URL:           http://www.unhide-forensics.info/
+Source:        http://sourceforge.net/projects/unhide/files/unhide-%{version}.tgz
+License:       GPL
+## AUTOBUILDREQ-BEGIN
+## AUTOBUILDREQ-END
+BuildRoot:     %{_tmppath}/%{name}-%{version}-root
+
+%description
+Unhide is a forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique.
+
+Unhide (ps) - Detecting hidden processes. Implements six main techniques
+1. Compare /proc vs /bin/ps output
+2. Compare info gathered from /bin/ps with info gathered by walking thru the procfs.
+3. Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
+4. Full PIDs space ocupation (PIDs bruteforcing).
+5. Compare /bin/ps output vs /proc, procfs walking and syscall.
+   Reverse search, verify that all thread seen by ps are also seen in the kernel.
+6. Quick compare /proc, procfs walking and syscall vs /bin/ps output.
+   It's about 20 times faster than tests 1+2+3 but maybe give more false positives.
+
+Unhide-TCP
+Identify TCP/UDP ports that are listening but not listed in /bin/netstat doing brute forcing of all TCP/UDP ports availables.
+
+%prep
+%setup -q
+
+%build
+CFLAGS="%optflags" ; export CFLAGS ;
+# Since this is a forensics/security tool, we compile the binaries statically
+# to help prevent a hacked glibc from tampering with the results.
+%{__cc} -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide
+%{__cc} -Wall -O2 --static unhide_rb.c -o unhide_rb
+%{__cc} -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp
+
+%install
+[ "%{buildroot}" != / ] && rm -rf "%{buildroot}"
+install -d %{buildroot}%{_sbindir}
+for f in unhide unhide_rb unhide-tcp; do
+   install -m 755 $f %{buildroot}%{_sbindir}/$f
+done
+
+install -d %{buildroot}%{_mandir}/man8
+install -m 644 man/unhide.8 %{buildroot}%{_mandir}/man8/unhide.8
+install -m 644 man/unhide-tcp.8 %{buildroot}%{_mandir}/man8/unhide-tcp.8
+
+%clean
+[ "%{buildroot}" != / ] && rm -rf "%{buildroot}"
+
+%files
+%defattr(-,root,root)
+%{_sbindir}/%{name}*
+%{_mandir}/man8/unhide.*
+%{_mandir}/man8/unhide-tcp.*
+%doc COPYING
+#README.txt TODO
+
+%changelog
+* Mon May 27 2013 Automatic Build System <autodist@mambasoft.it> 20130526-1mamba
+- automatic version update by autodist
+
+* Thu Jan 31 2013 Automatic Build System <autodist@mambasoft.it> 20121229-1mamba
+- automatic version update by autodist
+
+* Tue Dec 13 2011 Davide Madrisan <davide.madrisan@gmail.com> 20110113-1mamba
+- package created by autospec