# Unhide

## Overview

Unhide is a forensic tool designed to detect hidden processes and network connections that may indicate rootkit installation or kernel-level malware. It compares multiple methods of enumerating processes and ports to identify discrepancies that suggest system compromise. Unhide operates at multiple levels, including userspace, the /proc filesystem, and the network stack, to provide comprehensive hidden process detection.

Rootkits hide malicious processes by intercepting system calls and modifying kernel data structures. Unhide detects these anomalies through forensic analysis and comparison techniques.
## Installation

### From Kali Linux Repository

```bash
sudo apt-get update
sudo apt-get install unhide
```

### From Source

```bash
# Download source
wget http://www.unhide-forensics.info/unhide-20130526.linux.tgz
tar -xzf unhide-20130526.linux.tgz
cd unhide-20130526
# Compile
make
# Install
sudo make install
```

### Docker Installation

```bash
# --pid=host shares the host PID namespace with the container; without it
# unhide would only see the container's own processes
docker run -it --pid=host kalilinux/kali-rolling unhide procfs
```

### Manual Compilation

```bash
# Clone repository
git clone https://github.com/unhide-forensics/unhide.git
cd unhide
# Compile
gcc -o unhide unhide.c -lm
# Install binary
sudo cp unhide /usr/local/bin/
```
## Basic Usage

| Command | Purpose |
|---|---|
| `unhide procfs` | Detect hidden processes via /proc filesystem |
| `unhide sys` | Detect hidden processes via /sys filesystem |
| `unhide pids` | Compare PID enumeration methods |
| `unhide quick` | Run all process detection methods quickly |
| `unhide -l` | Listen mode for network anomalies |
| `unhide-tcp` | Detect hidden TCP ports |
| `unhide-udp` | Detect hidden UDP ports |
## Process Detection Methods

### Procfs Method

```bash
# Compare /proc enumeration
sudo unhide procfs
# Output shows discrepancies:
# Searching for Hidden processes through /proc...
# [+] PID 1234 found with ls and in /proc
# [+] PID 5678 found with ls but NOT in /proc (HIDDEN)
# [+] PID 9012 NOT found with ls but in /proc (HIDDEN)
```

### Sys Method

```bash
# Check /sys filesystem
sudo unhide sys
# Detects processes not visible in /sys
# Useful for kernel-level rootkits (options go before the test name)
sudo unhide -v sys
```

### PID Method (Comparison)

```bash
# Compare multiple enumeration techniques
sudo unhide pids
# Methods compared:
# 1. opendir/readdir on /proc
# 2. getdents syscall
# 3. stat syscall
# 4. prctl syscall
# Output:
# PID 2847 hidden from method 1
# PID 3921 hidden from method 2
```
## Comprehensive Scanning

### Quick Scan

```bash
# Run all detection methods quickly
sudo unhide quick
# Output summary:
# Scanning for hidden processes...
# Method 1: 145 processes found
# Method 2: 142 processes found
# Method 3: 144 processes found
# Discrepancies detected: 3 hidden processes
```

### Detailed Scanning

```bash
# Verbose output with all details (unhide needs at least one test name; procfs is used here)
sudo unhide -v procfs
# Very verbose with more information
sudo unhide -vv procfs
# Debug mode
sudo unhide -d procfs
```

### All Detection Methods

```bash
# Run all scanning techniques sequentially
for method in procfs sys pids; do
  echo "[*] Running $method method..."
  sudo unhide "$method"
done
```
## Network Port Detection

### Hidden TCP Ports

```bash
# Detect hidden TCP ports
sudo unhide-tcp
# Output shows anomalies:
# Scanning TCP connections...
# [+] Port 22 visible in netstat
# [+] Port 443 visible in netstat
# [+] Port 3128 NOT visible in netstat (HIDDEN)
# Confirm whether the flagged port appears in the normal listener view
netstat -tlnp | grep 3128
```

### Hidden UDP Ports

```bash
# Detect hidden UDP ports
sudo unhide-udp
# Check for backdoor ports
sudo unhide-udp -v
# Compare UDP listeners (UDP sockets have no LISTEN state, so list them all)
netstat -ulnp
```

### Combined Network Scan

```bash
# Check both TCP and UDP
sudo unhide-tcp
sudo unhide-udp
# Monitor real-time
watch -n 5 'sudo unhide-tcp && sudo unhide-udp'
# Log findings
sudo unhide-tcp > tcp_hidden.txt
sudo unhide-udp > udp_hidden.txt
```
## Network Connection Monitoring

### Listen Mode

```bash
# Monitor network connections
sudo unhide -l
# Detailed connection monitoring
sudo unhide -l -v
# Listen with TCP checking
unhide -l --tcp
# Listen with UDP checking
unhide -l --udp
```

### Connection Analysis

```bash
# Compare the listening sockets reported by netstat and ss; the raw outputs
# are formatted differently, so extract the Local Address column of each
netstat -tlnp | awk 'NR > 2 { print $4 }' | sort > netstat_output.txt
ss -tlnp | awk 'NR > 1 { print $4 }' | sort > ss_output.txt
# Find differences
diff netstat_output.txt ss_output.txt
# Check specific port
sudo lsof -i :22
sudo ss -tlnp | grep :22
```
## Rootkit Detection Workflow

### Comprehensive System Analysis

```bash
# Step 1: Process detection
echo "[*] Step 1: Detecting hidden processes..."
sudo unhide -v procfs
# Step 2: Network anomalies
echo "[*] Step 2: Detecting hidden ports..."
sudo unhide-tcp
sudo unhide-udp
# Step 3: File system anomalies: count directory entries through two
# different enumeration paths (ls and find) and compare the totals
echo "[*] Step 3: Checking file anomalies..."
ls -A /usr/bin | wc -l
find /usr/bin -mindepth 1 -maxdepth 1 | wc -l
# Step 4: Compare outputs
echo "[*] Step 4: Analyzing discrepancies..."
```

### Process Anomaly Analysis

```bash
# Get normal process count
ps aux | wc -l
# Check unhide findings
sudo unhide pids | grep -i "hidden"
# Detailed analysis
ps aux > normal_processes.txt
# Open files of the current shell (replace $$ with a suspect PID)
lsof -p $$ > open_files.txt
# Verify processes using kernel-thread names: genuine kernel threads have PPID 2 (kthreadd)
ps -eo pid,ppid,comm | grep -E "kthreadd|kworker|kswapd"
```
## Kernel Module Inspection

### Check for Hidden Modules

```bash
# List loaded modules
lsmod
# Check total module count (lsmod adds one header line)
lsmod | wc -l
# Unhide may reveal discrepancies
sudo unhide -v procfs
# Manual inspection: lsmod is built from /proc/modules, so the two counts should
# agree; /sys/module also contains built-in modules, so it is normally larger
cat /proc/modules | wc -l
ls /sys/module | wc -l
```

### Module Analysis

```bash
# List all kernel modules
lsmod > loaded_modules.txt
# Check suspicious modules
grep -i "hidden\|backdoor\|rootkit\|snake" loaded_modules.txt
# Module parameters (replace module_name with the module under investigation)
modinfo module_name
# Remove suspicious module (if needed)
sudo rmmod module_name
```
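The two counts above only tell you that the module views disagree, not which module is missing. The script below is an added example (not part of unhide or this page) that names the discrepancy: it takes the module list (`/proc/modules`, which is what lsmod reads) and the sysfs module directory, and reports loadable modules that sysfs still knows about but the module list no longer contains. The `initstate` attribute exists only for loadable modules, so built-in modules, which also appear under `/sys/module`, are not reported. The file and directory arguments are hypothetical parameters added so the functions can run against a constructed tree as well as the live kernel.

```shell
#!/bin/sh
# Kernel module cross-check (added example, not unhide code). A module that
# unlinks itself from the kernel's module list disappears from lsmod and
# /proc/modules, but its /sys/module/<name> directory normally survives.

# Module names from a /proc/modules-format file
modules_from_list() {
  awk '{ print $1 }' "$1" | sort -u
}

# Names of loadable modules registered in the given sysfs module directory
# (only loadable modules carry an initstate attribute; builtins are skipped)
modules_from_sysfs() {
  for d in "$1"/*/; do
    [ -f "${d}initstate" ] && basename "$d"
  done | sort -u
}

# Loadable modules known to sysfs but absent from the module list
modules_missing_from_list() {
  list=$(mktemp); sys=$(mktemp)
  modules_from_list "$1" > "$list"
  modules_from_sysfs "$2" > "$sys"
  comm -13 "$list" "$sys"
  rm -f "$list" "$sys"
}

# Constructed demo tree: mod_a and mod_b are loadable (initstate present),
# builtin_c is built in (parameters only); the module list admits only mod_a
demo_hidden_module() {
  t=$(mktemp -d)
  mkdir -p "$t/sys/mod_a" "$t/sys/mod_b" "$t/sys/builtin_c/parameters"
  echo live > "$t/sys/mod_a/initstate"
  echo live > "$t/sys/mod_b/initstate"
  printf 'mod_a 16384 0 - Live 0x0000000000000000\n' > "$t/modules"
  modules_missing_from_list "$t/modules" "$t/sys"
  rm -rf "$t"
}

# Live check against the running kernel
scan_live() { modules_missing_from_list /proc/modules /sys/module; }
if [ "${1:-}" = "--live" ]; then scan_live; fi
```

Run it as `sh module_check.sh --live`; any name it prints is a module the kernel's own list does not admit to and deserves a `modinfo` and a look at `/sys/module/<name>/sections`. The demo on the constructed tree reports `mod_b`. A module that also deletes its sysfs kobject evades this view, so treat it as one comparison among several, alongside unhide's own tests.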
## Comparative Enumeration Techniques

### Method Comparison

```bash
# Get PIDs from /proc (readdir listing, the call rootkits usually hook)
ls /proc | grep -E '^[0-9]+$' | sort > pids_proc.txt
# Get PIDs from ps
ps -eo pid= | tr -d ' ' | sort > pids_ps.txt
# Get PIDs by probing /proc/<pid> with stat() for every possible PID.
# /sys has no per-PID listing (the /sys/kernel/debug/tracing/instances path
# holds tracing instances, not processes). Threads also have /proc/<tid>
# entries, so only thread-group leaders (Tgid equal to the id) are kept.
for p in $(seq 1 "$(cat /proc/sys/kernel/pid_max)"); do
  [ -d "/proc/$p" ] && grep -q "^Tgid:[[:space:]]*$p\$" "/proc/$p/status" 2>/dev/null && echo "$p"
done | sort > pids_stat.txt
# Compare outputs (lines starting with < or > are PIDs seen by only one method)
diff pids_proc.txt pids_ps.txt
diff pids_ps.txt pids_stat.txt
```
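The manual comparison above, and the multi-method idea of the PID Method section, can be packaged as a script. The following is an added example (not unhide's code and not from this page) that takes three independent views of the process table and reports what each misses: a readdir listing of /proc, a stat() probe of every numbered /proc entry, and a `kill -0` probe that the kernel answers even for an id with no /proc entry at all. Threads have /proc/<tid> entries and answer `kill -0` as well, so each hit is classified through its `Tgid` line before it is counted. The `root` and `max` arguments are hypothetical parameters added so the functions can run against a constructed directory tree; against the real system, run it as root.

```shell
#!/bin/sh
# Cross-view process enumeration (added example, not unhide code).
#   view 1: readdir on /proc      - what ls and ps see; the call rootkits usually hook
#   view 2: stat on /proc/<id>    - a direct lookup that a readdir-only hook cannot hide
#   view 3: kill(id, 0) probing   - an id with no /proc entry at all still answers here

# View 1: numbered entries returned by a directory listing
pids_readdir() {
  ls "${1:-/proc}" | grep -E '^[0-9]+$' | sort
}

# Classify an id: "process" (thread-group leader), "thread" (Tgid differs)
# or "noproc" (no readable status file although the id was reachable)
classify_pid() {
  croot=$1; cid=$2
  tgid=$(awk '$1 == "Tgid:" { print $2 }' "$croot/$cid/status" 2>/dev/null)
  if [ -z "$tgid" ]; then echo noproc
  elif [ "$tgid" = "$cid" ]; then echo process
  else echo thread
  fi
}

# View 2: probe every candidate id with stat(); keep thread-group leaders only
pids_stat_probe() {
  root=${1:-/proc}; max=${2:-$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)}
  p=1
  while [ "$p" -le "$max" ]; do
    [ -d "$root/$p" ] && [ "$(classify_pid "$root" "$p")" = process ] && echo "$p"
    p=$((p + 1))
  done | sort
}

# View 3: probe with kill -0 (as root, otherwise other users' processes look absent);
# an id the kernel acknowledges but that has no /proc entry is printed as "<id> noproc"
pids_kill_probe() {
  root=${1:-/proc}; max=${2:-$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)}
  p=1
  while [ "$p" -le "$max" ]; do
    if kill -0 "$p" 2>/dev/null; then
      case $(classify_pid "$root" "$p") in
        process) echo "$p" ;;
        noproc)  echo "$p noproc" ;;
      esac
    fi
    p=$((p + 1))
  done | sort
}

# Ids present in the second sorted list but absent from the first
hidden_from() { comm -13 "$1" "$2"; }

# Constructed demo tree: processes 1, 2 and 300, plus thread 301 belonging to 300
make_demo_tree() {
  t=$(mktemp -d)
  for p in 1 2 300 301; do
    mkdir "$t/$p"
    printf 'Name:\tdemo\nTgid:\t%s\n' "$p" > "$t/$p/status"
  done
  printf 'Tgid:\t300\n' > "$t/301/status"   # 301 is a thread of 300
  echo "$t"
}

# Compare view 1 against view 2 on the demo tree. A real /proc never lists
# thread ids in readdir, and the simulated hook hides 300, so both are dropped
# from the readdir view; the stat probe still finds 300 and skips thread 301.
demo_stat_vs_readdir() {
  t=$(make_demo_tree)
  a=$(mktemp); b=$(mktemp)
  pids_readdir "$t" | grep -Ev '^(300|301)$' > "$a"
  pids_stat_probe "$t" 400 > "$b"
  hidden_from "$a" "$b"
  rm -rf "$t" "$a" "$b"
}

# Live comparison of all three views on the running system (slow: every id up to pid_max is probed)
scan_live() {
  a=$(mktemp); b=$(mktemp); c=$(mktemp)
  pids_readdir > "$a"; pids_stat_probe > "$b"; pids_kill_probe > "$c"
  echo "reachable by stat() but missing from the /proc listing:"; hidden_from "$a" "$b"
  echo "acknowledged by kill() but missing from the /proc listing:"; hidden_from "$a" "$c"
  rm -f "$a" "$b" "$c"
}
if [ "${1:-}" = "--live" ]; then scan_live; fi
```

Run it as `sudo sh cross_view.sh --live`. The demo on the constructed tree prints `300`. Processes that start or exit between two views show up as one-off differences, so re-run before treating a PID as hidden, which is also why unhide offers a double-check pass; a PID that answers `kill -0` yet has no /proc entry at all is the strongest signal this script produces.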
### Network Port Comparison

```bash
# TCP listening ports from netstat (field 4 is Local Address; keep the trailing port number)
netstat -tlnp | awk 'NR > 2 { print $4 }' | grep -oE '[0-9]+$' | sort -nu > netstat_ports.txt
# TCP listening ports from ss
ss -tlnp | awk 'NR > 1 { print $4 }' | grep -oE '[0-9]+$' | sort -nu > ss_ports.txt
# TCP listening ports from /proc/net/tcp and tcp6: field 2 is local address:port
# in hex, field 4 is the socket state (0A = LISTEN); convert the port to decimal
awk 'FNR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' /proc/net/tcp /proc/net/tcp6 2>/dev/null |
  while read -r hexport; do printf '%d\n' "0x$hexport"; done | sort -nu > proc_ports.txt
# Compare (a port present only in proc_ports.txt is hidden from the userland tools)
diff netstat_ports.txt ss_ports.txt
diff ss_ports.txt proc_ports.txt
```
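Port lists only show that a listener exists; the next question is whether any visible process owns it. The script below is an added example (not unhide's code and not from this page) that decodes `/proc/net/tcp` the same way as above and then matches each listening socket's inode against the `socket:[inode]` links in `/proc/*/fd` of every visible process. A listener whose inode no visible process holds is exactly the discrepancy a hidden backdoor process produces from userland's point of view. The sample `/proc/net/tcp` text is constructed, and the file and directory arguments are hypothetical parameters added so the functions can be exercised offline.

```shell
#!/bin/sh
# Listening TCP sockets with no visible owning process (added example, not unhide code).

# "port inode" for every listening socket (state 0A) in the given
# /proc/net/tcp-format files; the port is hex in the file and printed in decimal
listening_sockets() {
  awk 'FNR > 1 && $4 == "0A" { split($2, a, ":"); print a[2], $10 }' "$@" 2>/dev/null |
  while read -r hexport inode; do
    printf '%d %s\n' "0x$hexport" "$inode"
  done
}

# Socket inodes held as open file descriptors by any process visible under $1
visible_socket_inodes() {
  for fd in "${1:-/proc}"/[0-9]*/fd/*; do
    readlink "$fd" 2>/dev/null
  done | sed -n 's/^socket:\[\([0-9]*\)\]$/\1/p' | sort -u
}

# Read "port inode" lines on stdin; print ports whose inode is not in the
# newline-separated list $1 (inode 0 means a socket with no file, i.e. kernel-owned)
orphan_listeners() {
  while read -r port inode; do
    if [ "$inode" = 0 ]; then
      echo "$port kernel-owned"
    elif ! printf '%s\n' "$1" | grep -qx "$inode"; then
      echo "$port"
    fi
  done
}

# Constructed /proc/net/tcp sample: a listener on 22 (inode 12345), an
# unexplained listener on 8080 (inode 67890) and one established connection
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0100007F:0016 01 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 20 4 30 10 -1'

# Run the check on the sample with only inode 12345 visible in /proc/*/fd
demo_orphans() {
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_TCP" > "$f"
  listening_sockets "$f" | orphan_listeners "12345"
  rm -f "$f"
}

# Live check: needs root so that every process's fd directory is readable
scan_live() {
  listening_sockets /proc/net/tcp /proc/net/tcp6 | orphan_listeners "$(visible_socket_inodes)"
}
if [ "${1:-}" = "--live" ]; then scan_live; fi
```

Run it as `sudo sh orphan_sockets.sh --live`; the demo on the constructed sample prints `8080`. Sockets tagged `kernel-owned` belong to in-kernel services such as NFS and are normally explainable, but they are the same place a malicious module would open a listener, so verify them against the expected services. A rootkit that also filters `/proc/*/fd` defeats the owner check; unhide-tcp's approach of comparing the userland listener view against its own probing of every port is the complementary test.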
## Forensic Investigation

### Evidence Collection

```bash
# Create forensic image
sudo dd if=/dev/sda1 of=/external/forensic_image.dd bs=4M
# Work on the forensic copy (read-only loop mount)
sudo mount -o ro,loop,noexec /external/forensic_image.dd /mnt/forensic
# Review files on the mounted copy
cd /mnt/forensic
# Run unhide on the suspect host itself: it examines the live kernel of the
# machine it runs on, not a disk image, so capture its output before imaging
sudo unhide procfs
```

### Incident Analysis

```bash
# Collect baseline data
date > incident_report.txt
hostname >> incident_report.txt
uname -a >> incident_report.txt
# Run unhide checks
sudo unhide -v procfs >> incident_report.txt 2>&1
sudo unhide-tcp >> incident_report.txt 2>&1
sudo unhide-udp >> incident_report.txt 2>&1
# Collect running processes
ps auxf >> incident_report.txt 2>&1
# Collect network connections
netstat -tulnp >> incident_report.txt 2>&1
ss -tulnp >> incident_report.txt 2>&1
```

### Process Information Extraction

```bash
# Get details of suspected process (replace PID with the process id)
ps -p PID -o pid,ppid,user,lstart,cmd
# Check process files
ls -la /proc/PID/
# Memory map, then attach a debugger for live inspection or take a core dump with gcore
sudo cat /proc/PID/maps
sudo gdb -p PID
sudo gcore -o core_PID PID
# Network connections
sudo lsof -p PID | grep ESTABLISHED
```
## Automated Scanning

### Scheduled Scanning

```bash
# Add to root's crontab (sudo crontab -e) for periodic monitoring; unhide needs root
0 * * * * /usr/sbin/unhide quick >> /var/log/unhide.log 2>&1
# Daily comprehensive scan
0 2 * * * /usr/sbin/unhide -v procfs sys >> /var/log/unhide_daily.log 2>&1
# Hourly network check
0 * * * * /usr/sbin/unhide-tcp >> /var/log/tcp_hidden.log 2>&1
0 * * * * /usr/sbin/unhide-udp >> /var/log/udp_hidden.log 2>&1
```

### Continuous Monitoring

```bash
#!/bin/bash
# Real-time monitoring script (save as monitor.sh)
while true; do
  echo "[$(date)] Running unhide scan..."
  sudo unhide quick | grep -i "hidden"
  sleep 300 # Check every 5 minutes
done
```

```bash
# Save output to a file and run in the background
chmod +x monitor.sh
./monitor.sh > hidden_processes.log 2>&1 &
```
## Analysis and Reporting

### Log Review

```bash
# Check for findings
grep -i "hidden" /var/log/unhide.log
# Count suspicious findings
grep -ic "hidden" /var/log/unhide.log
# Timeline analysis
grep -i "hidden" /var/log/unhide.log | sort
```

### Report Generation

```bash
# Create incident report; the $(...) commands run when the heredoc is expanded
cat > incident_report.txt << EOF
Unhide Forensic Report
======================
Date: $(date)
System: $(hostname)

Hidden Processes Detected:
$(sudo unhide procfs | grep -i hidden)

Hidden Ports Detected:
$(sudo unhide-tcp | grep -v "normal")

Recommendations:
1. Isolate system from network
2. Preserve forensic evidence
3. Notify incident response team
4. Begin root cause analysis
EOF
```
## Performance Optimization

### Selective Scanning

```bash
# Scan specific process
ps aux | grep "apache"
sudo unhide pids | grep "httpd"
# Port checks (unhide-tcp and unhide-udp each cover the full port range)
sudo unhide-tcp
sudo unhide-udp
# Limit output
sudo unhide quick | head -20
```

### Reduce System Impact

```bash
# Run with lower priority
sudo nice -n 19 unhide procfs
# Run in background
sudo unhide -v procfs > unhide_results.txt &
# Monitor progress
ps aux | grep unhide
```
## Troubleshooting

### Common Issues

| Issue | Solution |
|---|---|
| Permission denied | Run with sudo: `sudo unhide procfs` |
| No hidden processes found | False negative; system may actually be clean |
| False positives | Verify with other tools: netstat, ss, lsof |
| Slow execution | Reduce verbosity or use `quick` mode |
| Segmentation fault | Update unhide: `sudo apt-get update && sudo apt-get install --reinstall unhide` |

### Debug Mode

```bash
# Verbose output
sudo unhide -v procfs
# Very verbose
sudo unhide -vv procfs
# Debug mode
sudo unhide -d procfs
# Save debug output
sudo unhide -d procfs > debug.txt 2>&1
```
## Cross-Platform Deployment

### Linux Systems

```bash
# Supported on most Linux distributions
sudo unhide procfs
# Check compatibility
file /usr/sbin/unhide
ldd /usr/sbin/unhide
```

### UNIX Systems

```bash
# Works on various UNIX variants
# Adjust paths for BSD/Solaris
unhide -v procfs
# Check system-specific processes
ps -ef | wc -l
unhide pids
```
## Integration with Other Tools

### Combined Malware Analysis

```bash
# Unhide + ClamAV
sudo unhide procfs > hidden.txt
clamscan -r / --log=clamav.log
# Unhide + Rootkit Hunter
sudo unhide quick
sudo rkhunter --check
# Unhide + AIDE
aide --check
sudo unhide procfs
```

### SIEM Integration

```bash
# Send unhide findings to syslog, one message per output line
sudo unhide procfs | while read -r line; do
  logger -t unhide "$line"
done
# Monitor in SIEM
grep "hidden" /var/log/syslog
# Centralized logging: ship directly to a remote syslog collector as proper syslog messages
sudo unhide procfs | logger -t unhide -n siem.local -P 514
```
## Security Best Practices

- Regular Scanning: Run unhide weekly or monthly
- Baseline Establishment: Document normal process/port counts
- Investigation Protocol: Verify findings with multiple tools
- Evidence Preservation: Document all suspicious findings
- Incident Response: Escalate confirmed rootkit detections
- System Hardening: Implement kernel protection mechanisms

## Resources

- Unhide Project: http://www.unhide-forensics.info/
- Linux Rootkit Detection: https://www.linux.com/
- Kernel Forensics: https://linux-kernel-labs.github.io/
- AIDE Documentation: http://aide.sourceforge.net/
- Rootkit Hunter: http://rkhunter.sourceforge.net/

Unhide is essential for forensic investigators and system administrators conducting rootkit detection, incident response, and system compromise investigations on Linux and UNIX systems.