
Unhide - forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hiding technique

Written By mediana saputra on Thursday, 14 February 2013 | 20:53

Unhide is a forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs
or by another hiding technique.

Unhide (unhide-linux or unhide-posix)

Features -
Detecting hidden processes. Implements six main techniques:
1- Compare /proc vs /bin/ps output
2- Compare info gathered from /bin/ps with info gathered by walking through the procfs. ONLY for unhide-linux version
3- Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
4- Full PID space occupation (PID brute-forcing). ONLY for unhide-linux version
5- Compare /bin/ps output vs /proc, procfs walking and syscalls. ONLY for unhide-linux version
   Reverse search: verify that all threads seen by ps are also seen by the kernel.
6- Quick compare of /proc, procfs walking and syscalls vs /bin/ps output. ONLY for unhide-linux version
  It's about 20 times faster than tests 1+2+3 but may give more false positives.


unhide_rb is a back port in C of the Ruby unhide.rb.
Like the original unhide.rb, it is roughly equivalent to "unhide-linux quick reverse":
- it makes three tests fewer (kill, opendir and chdir),
- it only runs /bin/ps once at start and once for the double check,
- its tests are also less accurate (e.g. testing the return value instead of errno),
- processes are only identified by their exe link (unhide-linux also uses cmdline and
  the "sleeping kernel process" name),
- there's little protection against failures (a failed fopen or popen, for example),
- there's no logging capability.
It is very quick, about 80 times quicker than "unhide-linux quick reverse".
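The PID brute-forcing cross-check (technique 4 above, with the second probe that the -d double check adds), written out as an added C example; this is not unhide's own code, and the function names are mine. It asks the kernel about every PID with kill(pid, 0) and checks whether /proc/<pid> can be stat()ed, reporting PIDs the kernel admits to but procfs does not show.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Kernel view. kill(pid, 0) delivers nothing but says whether the PID exists;
 * test errno rather than only the return value: EPERM = exists, not ours. */
static int pid_known_to_kernel(pid_t pid)
{
    return kill(pid, 0) == 0 || errno == EPERM;
}

/* procfs view. stat() /proc/<pid> directly instead of readdir(/proc), so
 * threads (never listed by readdir) are not mistaken for hidden processes. */
static int pid_visible_in_proc(pid_t pid)
{
    char path[32]; struct stat st;
    snprintf(path, sizeof path, "/proc/%ld", (long)pid);
    return stat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

/* Brute-force PIDs 1..max_pid. A PID the kernel knows but procfs hides is
 * probed a second time (like unhide-linux's -d double check) so a process
 * that exited between the two calls is not reported. Returns count in out. */
static int scan_hidden_pids(pid_t max_pid, pid_t *out, int cap)
{
    int n = 0;
    for (pid_t pid = 1; pid <= max_pid && n < cap; pid++) {
        if (!pid_known_to_kernel(pid) || pid_visible_in_proc(pid))
            continue;
        if (pid_known_to_kernel(pid) && !pid_visible_in_proc(pid))
            out[n++] = pid;
    }
    return n;
}

int main(void)
{
    long max = 32768;                      /* kernel default for pid_max */
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f && fscanf(f, "%ld", &max) != 1) max = 32768;
    if (f) fclose(f);
    pid_t hidden[256];
    int n = scan_hidden_pids((pid_t)max, hidden, 256);
    for (int i = 0; i < n; i++)
        printf("PID %ld known to the kernel but absent from /proc\n", (long)hidden[i]);
    return 0;
}
```

Run it as root: with /proc mounted hidepid=2, other users' processes are legitimately invisible to an unprivileged scanner and would all be reported.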


Identify TCP/UDP ports that are listening but not listed in /sbin/ss or /bin/netstat.
It uses two methods:
- brute force of all available TCP/UDP ports, compared with the ss/netstat output.
- probe of all TCP/UDP ports not reported by netstat.
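The brute-force half of the hidden-port check, as an added C example (not unhide-tcp's code; function names are mine): bind() is attempted on every TCP port without SO_REUSEADDR, so an EADDRINUSE answer comes from the kernel's own socket table regardless of what ss or netstat printed, and a port in use but missing from the reported list is flagged. listed[] stands in for the parsed ss/netstat output; the caller fills it.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1: bind() failed with EADDRINUSE, the kernel holds a socket on this port
 * whether or not ss lists it. 0: bind succeeded, port free. -1: other error
 * (EACCES below port 1024 unless root, which is why unhide-tcp needs root). */
static int tcp_port_in_use(unsigned short port)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    int rc, err, fd = socket(AF_INET, SOCK_STREAM, 0);   /* sin_addr = ANY */
    if (fd < 0) return -1;
    rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);   /* no SO_REUSEADDR */
    err = errno;
    close(fd);
    return rc == 0 ? 0 : (err == EADDRINUSE ? 1 : -1);
}

/* Brute-force ports lo..hi. listed[p] is nonzero for ports ss/netstat showed;
 * every port in use but not listed is stored in out (at most cap). A hit is
 * probed twice, like unhide-tcp's double check, so a socket closed between
 * the two probes is not flagged. Returns the number of ports stored. */
static int scan_hidden_ports(const unsigned char listed[65536], unsigned lo,
                             unsigned hi, unsigned short *out, int cap)
{
    int n = 0;
    for (unsigned p = lo; p <= hi && n < cap; p++) {
        if (listed[p] || tcp_port_in_use((unsigned short)p) != 1)
            continue;
        if (tcp_port_in_use((unsigned short)p) == 1)
            out[n++] = (unsigned short)p;
    }
    return n;
}

/* Demo helper: listen on 127.0.0.1 at an ephemeral port and return that port
 * (0 on failure); the fd is deliberately kept open for the process lifetime. */
static unsigned short open_test_listener(void)
{
    struct sockaddr_in sa = { .sin_family = AF_INET,
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 ||
        listen(fd, 1) != 0 || getsockname(fd, (struct sockaddr *)&sa, &len) != 0)
        return 0;
    return ntohs(sa.sin_port);
}
```

Ports held only by TIME_WAIT connections also refuse bind() and will show up as hits; compare against ss -tan before treating a port as hidden.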


unhide-linux.c      -- Hidden processes, for Linux >= 2.6

unhide-tcp.c        -- Hidden TCP/UDP Ports

unhide-output.c     -- Common routines of unhide tools

unhide_rb.c         -- C port of unhide.rb (a very light version of unhide-linux in ruby)

unhide-posix.c      -- Hidden processes, for generic Unix systems (*BSD, Solaris, linux 2.2 / 2.4)
                       It doesn't implement the PID brute-forcing check yet. Needs more testing.
                       Warning : This version is somewhat outdated and may generate false positives.
                                 Prefer unhide-linux.c if you can use it.

changelog           -- As the name implies, log of the changes to unhide
COPYING             -- License file, GNU GPL V3
LEEME.txt           -- Spanish version of this file
LISEZ-MOI.TXT       -- French version of this file
NEWS                -- Release notes
README.txt          -- This file
sanity.sh           -- unhide-linux testsuite file
TODO                -- Evolutions to do (any volunteers ?)
man/unhide.8        -- English man page of unhide
man/unhide-tcp.8    -- English man page of unhide-tcp
man/fr/unhide.8     -- French man page of unhide
man/fr/unhide-tcp.8 -- French man page of unhide-tcp

If you ARE using a Linux kernel >= 2.6
      gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
      gcc -Wall -O2 --static unhide_rb.c -o unhide_rb
      gcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp
      ln -s unhide unhide-linux

Else (Linux < 2.6, *BSD, Solaris and other Unices)
      gcc --static unhide-posix.c -o unhide-posix
      ln -s unhide unhide-posix

You MUST be root to use unhide-linux and unhide-tcp.

 # ./unhide-linux  -vo quick reverse
 # ./unhide-linux  -vom procall sys
 # ./unhide_rb

 # ./unhide-tcp  -flov
 # ./unhide-tcp  -flovs

Download -
Download WinUnhide.zip (38.5 kB)

Current Stable Version:
[ Changelog ]
  - unhide-linux26.c was renamed to unhide-linux.c
  - unhide.c was renamed to unhide-posix.c
  - The log file of unhide-linux is renamed 'unhide-linux_AAAA-MM-DD.log'
  - The log file of unhide-tcp is named 'unhide-tcp_AAAA-MM-DD.log'
  - By default, unhide-tcp now uses /sbin/ss from the iproute2 package; to use netstat as before, the '-n' option must be given on the command line.
  - Display is more verbose and multi-line for hidden processes (unhide-linux).
  - If asked to (-l and/or -f), display is more verbose and multi-line for hidden ports (unhide-tcp).
  - The sysinfo test is no longer called as part of the compound quick and sys tests, as it may give false positives.
    It can still be run using the checksysinfo, checksysinfo2 or checksysinfo3 command line parameter.

  - Major enhancement of unhide-tcp :
     * Add capability to output a log file (unhide-tcp_AAAA-MM-DD.log)
     * Add capability to output more information (via lsof and/or fuser) on hidden ports if available
     * Add verbose mode (disabled by default) to display warnings
     * Add a new method (via option '-s'), very fast on systems with a huge number of open ports
     * Make a double check of port access to avoid false positives (the previous single-check version is available as unhide-tcp-simple-check.c if needed).
  - Add a quick port in C of unhide.rb (unhide_rb.c) and guess what ... it's 40 times faster than the original Ruby unhide.rb
Note: unhide_rb doesn't take any option.
  - Add "-d" option for doing a double check in the brute test; this reduces false positives.
  - Add "-o" option as a synonym of "-f".
  - For found hidden processes, display the user and the working directory as extracted from the process environment.
Note that it doesn't work well for kernel processes/threads nor for daemons.
  - For found hidden processes, display cmdline, exe link and internal command name.

  - Add French and Spanish man pages for unhide-tcp
  - Update English manpage of unhide-tcp to reflect changes
  - Minor corrections in the French manpage of unhide
  - Display copyright and license information in start banners.
  - Make message from sysinfo tests more clear.
  - Add a NEWS file :)
  - Update README.txt, LISEZ-MOI.txt and LEEME.txt to clarify difference between
    unhide-posix and unhide-linux.
  - Remove sysinfo test from quick and sys compound tests as it may give false positives.
    The sysinfo test can still be used via the checksysinfo[2|3] command line parameters.

  - Suppress pedantic compilation warnings (glibc >=2.3, gcc >=4.6).
  - Correct the number of processes displayed for /proc counting in sysinfo test.


