# unhide
Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits, LKMs, or other hiding techniques.
Unhide (ps) - Detecting hidden processes. Implements six main techniques:

1. Compare /proc vs /bin/ps output.
2. Compare info gathered from /bin/ps with info gathered by walking through the procfs.
3. Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
4. Full PID space occupation (PID bruteforcing).
5. Compare /bin/ps output vs /proc, procfs walking and syscalls. Reverse search: verify that all threads seen by ps are also seen by the kernel.
6. Quick compare of /proc, procfs walking and syscalls vs /bin/ps output. It's about 20 times faster than tests 1+2+3 but may give more false positives.
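The cross-checks behind techniques 1, 2 and 4, as an added example written for this page (it is not unhide's own code): the PIDs that `ps` reports are compared against the PIDs the kernel exposes through a procfs walk and through a kill(pid, 0) brute force of the PID space. A PID the kernel acknowledges but `ps` never listed is a candidate hidden process. The `ps -eo pid,comm` sample, the function names and the thread filter are this example's own assumptions; the filter uses the fact that a thread's `/proc/<tid>/status` is reachable by direct path even though readdir on /proc does not list it.

```python
#!/usr/bin/env python3
"""Added example, not unhide's code: compare what ps shows with what the
kernel admits to via procfs and via a PID brute force (techniques 1, 2, 4)."""
import os
import re
import subprocess

# Constructed sample of `ps -eo pid,comm` output (not captured from a real host).
SAMPLE_PS_OUTPUT = """  PID COMMAND
    1 systemd
  842 sshd
 1337 bash
"""


def pids_from_ps_output(text):
    """Parse the PID column of `ps -eo pid,comm` style output into a set of ints."""
    pids = set()
    for line in text.splitlines()[1:]:  # skip the header row
        m = re.match(r"\s*(\d+)\s", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def pids_from_ps():
    """Technique 1: ask /bin/ps itself (assumes a procps-style ps is installed)."""
    out = subprocess.run(["ps", "-eo", "pid,comm"],
                         capture_output=True, text=True, check=True).stdout
    return pids_from_ps_output(out)


def pids_from_procfs():
    """Technique 2: walk /proc and keep every numeric directory name."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_kill_scan(max_pid=None):
    """Technique 4: brute-force the PID space with kill(pid, 0).
    ESRCH (ProcessLookupError) means no such task; success or EPERM
    (PermissionError) means the kernel has a task with that PID, whether or
    not procfs or ps show it."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)
    return found


def is_thread(pid):
    """True if /proc/<pid>/status says this is a non-leader thread (Tgid != pid).
    Threads answer kill(tid, 0) but are not listed by readdir on /proc, so
    they must not be reported as hidden processes."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except (FileNotFoundError, ProcessLookupError, PermissionError):
        pass
    return False


def find_hidden(visible_to_ps, known_to_kernel):
    """PIDs the kernel knows about that ps never reported (pure set difference)."""
    return sorted(known_to_kernel - visible_to_ps)


def filter_threads(candidates):
    """Drop candidate PIDs that are really thread IDs."""
    return [pid for pid in candidates if not is_thread(pid)]


def self_check():
    """Sanity check: our own PID must be visible to every kernel-side method."""
    me = os.getpid()
    return (me in pids_from_procfs()
            and me in pids_from_kill_scan(max_pid=me)
            and not is_thread(me))


if __name__ == "__main__":
    # Short-lived processes started between the two snapshots show up as false
    # positives; a real scan should repeat and only report PIDs seen every pass.
    ps_pids = pids_from_ps()
    kernel_pids = pids_from_procfs() | pids_from_kill_scan()
    for pid in filter_threads(find_hidden(ps_pids, kernel_pids)):
        print(f"candidate hidden process: PID {pid}")
```

Run as root so that kill(pid, 0) is not answered with EPERM for every foreign task; EPERM is still counted as "exists", so an unprivileged run remains correct but slower to interpret.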
Unhide-TCP
Identify TCP/UDP ports that are listening but not listed by /bin/netstat, by brute forcing all available TCP/UDP ports.
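The port brute force described here, as an added example written for this page (not unhide-tcp's own code, and TCP only): every port is probed with a bind() attempt, EADDRINUSE marks it as occupied, and occupied ports missing from the `netstat -tln` listing are reported. The `netstat -tln` sample, the function names and the demo helper that opens a loopback listener are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Added example, not unhide-tcp's code: find TCP ports that are bound on the
host but absent from what netstat reports."""
import errno
import socket
import subprocess

# Constructed sample of `netstat -tln` output (not captured from a real host).
SAMPLE_NETSTAT_OUTPUT = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
"""


def listening_ports_from_netstat(text):
    """Parse the local port out of every tcp/tcp6 line of `netstat -tln` output."""
    ports = set()
    for line in text.splitlines():
        if not line.startswith("tcp"):
            continue
        local_address = line.split()[3]          # e.g. "0.0.0.0:22" or ":::80"
        ports.add(int(local_address.rsplit(":", 1)[1]))
    return ports


def listening_ports_from_netstat_cmd():
    """Ask the real netstat (assumes net-tools netstat is installed)."""
    out = subprocess.run(["netstat", "-tln"],
                         capture_output=True, text=True, check=True).stdout
    return listening_ports_from_netstat(out)


def port_is_in_use(port):
    """Try to bind the port on all IPv4 interfaces.
    Returns True on EADDRINUSE (something already holds the port), False when
    the bind succeeded, and None on EACCES (privileged port, not running as
    root, so we cannot tell)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("", port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            if e.errno == errno.EACCES:
                return None
            raise
    return False


def scan_ports(reported_listening, ports=range(1, 65536)):
    """Ports that are in use on the host but missing from the netstat listing."""
    hidden = []
    for port in ports:
        if port_is_in_use(port) is True and port not in reported_listening:
            hidden.append(port)
    return hidden


def demo_with_local_listener():
    """Open a loopback listener on an ephemeral port, then scan that port
    against the constructed netstat sample, which of course does not list it.
    Returns (port, hidden_ports_found)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        reported = listening_ports_from_netstat(SAMPLE_NETSTAT_OUTPUT)
        return port, scan_ports(reported, ports=[port])


if __name__ == "__main__":
    # Run as root: otherwise ports below 1024 come back as None (undecidable).
    reported = listening_ports_from_netstat_cmd()
    for port in scan_ports(reported):
        print(f"TCP port {port} is bound but not reported by netstat")
```

A listener bound to 127.0.0.1 still makes a bind on 0.0.0.0 fail with EADDRINUSE, which is why probing the wildcard address is enough to catch listeners on any local address. A full 65535-port pass produces a burst of bind attempts that host-based monitoring may flag, so schedule it like any other forensic scan.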