# Unhide

## Overview

Unhide is a forensic tool designed to detect hidden processes and network connections that may indicate a rootkit installation or kernel-level malware. It compares multiple methods of enumerating processes and ports and flags discrepancies that suggest system compromise. Unhide operates at several levels, including userspace, the /proc filesystem, and the network stack, to provide comprehensive hidden-process detection.

Rootkits hide malicious processes by intercepting system calls and modifying kernel data structures. Unhide detects these anomalies by cross-checking the results of independent enumeration techniques.
## Installation

### From Kali Linux Repository

```bash
sudo apt-get update
sudo apt-get install unhide
```
### From Source

```bash
# Download source
wget http://www.unhide-forensics.info/unhide-20130526.linux.tgz
tar -xzf unhide-20130526.linux.tgz
cd unhide-20130526

# Compile
make

# Install
sudo make install
```
### Docker Installation

```bash
# --pid=host is required so the container sees the host's process table
docker run -it --pid=host kalilinux/kali-rolling unhide procfs
```
### Manual Compilation

```bash
# Clone repository
git clone https://github.com/unhide-forensics/unhide.git
cd unhide

# Compile
gcc -o unhide unhide.c -lm

# Install binary
sudo cp unhide /usr/local/bin/
```
## Basic Usage

| Command | Purpose |
|---|---|
| `unhide procfs` | Detect hidden processes via the /proc filesystem |
| `unhide sys` | Detect hidden processes via the /sys filesystem |
| `unhide pids` | Compare PID enumeration methods |
| `unhide quick` | Run all process detection methods quickly |
| `unhide -l` | Listen mode for network anomalies |
| `unhide-tcp` | Detect hidden TCP ports |
| `unhide-udp` | Detect hidden UDP ports |
## Process Detection Methods

### Procfs Method

```bash
# Compare /proc enumeration
sudo unhide procfs

# Output shows discrepancies:
# Searching for Hidden processes through /proc...
# [+] PID 1234 found with ls and in /proc
# [+] PID 5678 found with ls but NOT in /proc (HIDDEN)
# [+] PID 9012 NOT found with ls but in /proc (HIDDEN)
```
### Sys Method

```bash
# Check /sys filesystem
sudo unhide sys

# Detects processes not visible in /sys
# Useful for kernel-level rootkits
sudo unhide sys -v
```
### PID Method (Comparison)

```bash
# Compare multiple enumeration techniques
sudo unhide pids

# Methods compared:
# 1. opendir/readdir on /proc
# 2. getdents syscall
# 3. stat syscall
# 4. prctl syscall

# Output:
# PID 2847 hidden from method 1
# PID 3921 hidden from method 2
```
## Comprehensive Scanning

### Quick Scan

```bash
# Run all detection methods quickly
sudo unhide quick

# Output summary:
# Scanning for hidden processes...
# Method 1: 145 processes found
# Method 2: 142 processes found
# Method 3: 144 processes found
# Discrepancies detected: 3 hidden processes
```
### Detailed Scanning

```bash
# Verbose output with all details
sudo unhide -v

# Very verbose with more information
sudo unhide -vv

# Debug mode
sudo unhide -d
```
### All Detection Methods

```bash
# Run all scanning techniques sequentially
for method in procfs sys pids; do
    echo "[*] Running $method method..."
    sudo unhide "$method"
done
```
## Network Port Detection

### Hidden TCP Ports

```bash
# Detect hidden TCP ports
sudo unhide-tcp

# Output shows anomalies:
# Scanning TCP connections...
# [+] Port 22 visible in netstat
# [+] Port 443 visible in netstat
# [+] Port 3128 NOT visible in netstat (HIDDEN)

# Confirm whether netstat itself shows the flagged port
netstat -tlnp | grep 3128
```
### Hidden UDP Ports

```bash
# Detect hidden UDP ports
sudo unhide-udp

# Check for backdoor ports
sudo unhide-udp -v

# Compare UDP listeners (UDP sockets have no LISTEN state,
# so do not filter on it; -u -l already restricts to bound UDP sockets)
netstat -ulnp
```
### Combined Network Scan

```bash
# Check both TCP and UDP
sudo unhide-tcp
sudo unhide-udp

# Monitor in real time
watch -n 5 'sudo unhide-tcp && sudo unhide-udp'

# Log findings
sudo unhide-tcp > tcp_hidden.txt
sudo unhide-udp > udp_hidden.txt
```
## Network Connection Monitoring

### Listen Mode

```bash
# Monitor network connections
sudo unhide -l

# Detailed connection monitoring
sudo unhide -l -v

# Listen with TCP checking
unhide -l --tcp

# Listen with UDP checking
unhide -l --udp
```
### Connection Analysis

```bash
# Compare netstat output across methods
netstat -tlnp > netstat_output.txt
ss -tlnp > ss_output.txt

# Find differences
diff netstat_output.txt ss_output.txt

# Check a specific port
sudo lsof -i :22
sudo ss -tlnp | grep :22
```
## Rootkit Detection Workflow

### Comprehensive System Analysis

```bash
# Step 1: Process detection
echo "[*] Step 1: Detecting hidden processes..."
sudo unhide procfs -v

# Step 2: Network anomalies
echo "[*] Step 2: Detecting hidden ports..."
sudo unhide-tcp
sudo unhide-udp

# Step 3: File system anomalies
echo "[*] Step 3: Checking file anomalies..."
ls -la /usr/bin | wc -l
stat /usr/bin | wc -l

# Step 4: Compare outputs
echo "[*] Step 4: Analyzing discrepancies..."
```
### Process Anomaly Analysis

```bash
# Get normal process count
ps aux | wc -l

# Check unhide findings
sudo unhide pids | grep "hidden"

# Detailed analysis
ps aux > normal_processes.txt
lsof -p $$ > open_files.txt

# Verify suspicious processes
ps aux | grep -E "kthreadd|kworker|kswapd"
```
## Kernel Module Inspection

### Check for Hidden Modules

```bash
# List loaded modules
lsmod

# Check total module count
lsmod | wc -l

# Unhide may reveal discrepancies
sudo unhide -v

# Manual inspection
cat /proc/modules | wc -l
ls /sys/module | wc -l
```
### Module Analysis

```bash
# List all kernel modules
lsmod > loaded_modules.txt

# Check suspicious modules
grep -i "hidden\|backdoor\|rootkit\|snake" loaded_modules.txt

# Module parameters
modinfo module_name

# Remove suspicious module (if needed)
sudo rmmod module_name
```
## Comparative Enumeration Techniques

### Method Comparison

```bash
# Get PIDs from /proc
ls /proc | grep -E '^[0-9]+$' | sort > pids_proc.txt

# Get PIDs from ps
ps aux | awk '{print $2}' | tail -n +2 | sort > pids_ps.txt

# Get PIDs from /sys
ls /sys/kernel/debug/tracing/instances/ 2>/dev/null | sort > pids_sys.txt

# Compare outputs
diff pids_proc.txt pids_ps.txt
diff pids_ps.txt pids_sys.txt
```
### Network Port Comparison

```bash
# TCP ports from netstat
netstat -tlnp | awk '{print $4}' | grep -oE ':[0-9]+' > netstat_ports.txt

# TCP ports from ss
ss -tlnp | awk '{print $4}' | grep -oE ':[0-9]+' > ss_ports.txt

# TCP ports from /proc (local port is hexadecimal here)
cat /proc/net/tcp | awk '{print $2}' | grep -oE '[0-9A-F]+' > proc_ports.txt

# Compare
diff netstat_ports.txt ss_ports.txt
```
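The two comparisons above (PID lists from different sources, and the kernel's own /proc/net/tcp listeners versus a userspace `ss` listing) as one added shell example; it is not code from the unhide project. It runs on constructed sample inputs (a /proc/net/tcp excerpt and an `ss -tln` listing) so it works offline, and the function names are my own; on a live host, feed it the real command outputs.

```shell
#!/bin/sh
# Added example, not part of unhide. Cross-checks a kernel-side view against a
# userspace view, which is the core idea behind unhide-tcp and unhide pids.
# Inputs below are constructed samples; replace them with real output of
# `cat /proc/net/tcp`, `ss -tln`, `ls /proc` or `ps` on a live system.

# Listening sockets (state 0A) from /proc/net/tcp: the local port is the
# 4 hex digits after the colon in column 2, converted here to decimal.
proc_listen_ports() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$1" |
        while read -r hex; do printf '%d\n' "0x$hex"; done | sort -u
}

# Listening ports as printed by `ss -tln`: the port follows the last colon
# of the "Local Address:Port" column (handles 0.0.0.0:22, [::]:22, *:22).
ss_listen_ports() {
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' "$1" | sort -u
}

# Entries in the first sorted list that are missing from the second: a PID
# the kernel exposes but ps omits, or a port the kernel has but ss omits.
only_in_first() { comm -23 "$1" "$2"; }

# Constructed sample: the kernel has ports 22 and 3128 listening plus one
# established connection; the ss listing shows only port 22.
check_sample() {
    tmp=$(mktemp -d)
    cat > "$tmp/proc_net_tcp" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0C38 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:A2B4 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
EOF
    cat > "$tmp/ss" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
EOF
    proc_listen_ports "$tmp/proc_net_tcp" > "$tmp/kernel_ports"
    ss_listen_ports "$tmp/ss" > "$tmp/ss_ports"
    only_in_first "$tmp/kernel_ports" "$tmp/ss_ports"
    rm -rf "$tmp"
}

check_sample   # prints 3128: listening in the kernel, absent from ss
```

A port or PID that appears here is only a lead, not proof: confirm it with a second independent tool (lsof, a different enumeration method) before treating it as a hidden listener.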
## Forensic Investigation

### Evidence Collection

```bash
# Create forensic image
sudo dd if=/dev/sda1 of=/external/forensic_image.dd bs=4M

# Work on forensic copy
sudo mount forensic_image.dd /mnt/forensic -o ro

# Run unhide on mounted image
cd /mnt/forensic
sudo unhide procfs
```
### Incident Analysis

```bash
# Collect baseline data
date > incident_report.txt
hostname >> incident_report.txt
uname -a >> incident_report.txt

# Run unhide checks
sudo unhide procfs -v >> incident_report.txt 2>&1
sudo unhide-tcp >> incident_report.txt 2>&1
sudo unhide-udp >> incident_report.txt 2>&1

# Collect running processes
ps auxf >> incident_report.txt 2>&1

# Collect network connections
netstat -tulnp >> incident_report.txt 2>&1
ss -tulnp >> incident_report.txt 2>&1
```
### Process Information Extraction

```bash
# Get details of suspected process (replace PID with the process ID)
ps aux | grep PID

# Check process files
ls -la /proc/PID/

# Memory map and live inspection
sudo cat /proc/PID/maps
sudo gdb -p PID

# Network connections
lsof -p PID | grep ESTABLISHED
```
## Automated Scanning

### Scheduled Scanning

```bash
# Add to crontab for periodic monitoring
0 * * * * /usr/sbin/unhide quick >> /var/log/unhide.log 2>&1

# Daily comprehensive scan
0 2 * * * /usr/sbin/unhide -v >> /var/log/unhide_daily.log 2>&1

# Hourly network check
0 * * * * /usr/sbin/unhide-tcp >> /var/log/tcp_hidden.log 2>&1
0 * * * * /usr/sbin/unhide-udp >> /var/log/udp_hidden.log 2>&1
```
### Continuous Monitoring

```bash
#!/bin/bash
# Real-time monitoring script (save as monitor.sh; the shebang must be line 1)
while true; do
    echo "[$(date)] Running unhide scan..."
    sudo unhide quick | grep -i "hidden"
    sleep 300  # Check every 5 minutes
done
```

```bash
# Save to file
./monitor.sh > hidden_processes.log 2>&1 &
```
## Analysis and Reporting

### Log Review

```bash
# Check for findings
grep -i "hidden" /var/log/unhide.log

# Count suspicious findings
grep -c "hidden" /var/log/unhide.log

# Timeline analysis
grep "hidden" /var/log/unhide.log | sort
```
### Report Generation

```bash
# Create incident report
cat > incident_report.txt << EOF
Unhide Forensic Report
======================
Date: $(date)
System: $(hostname)

Hidden Processes Detected:
$(sudo unhide procfs | grep hidden)

Hidden Ports Detected:
$(sudo unhide-tcp | grep -v "normal")

Recommendations:
1. Isolate system from network
2. Preserve forensic evidence
3. Notify incident response team
4. Begin root cause analysis
EOF
```
## Performance Optimization

### Selective Scanning

```bash
# Scan specific process
ps aux | grep "apache"
sudo unhide pids | grep "httpd"

# Scan specific port ranges
sudo unhide-tcp
sudo unhide-udp

# Limit output
sudo unhide quick | head -20
```
### Reduce System Impact

```bash
# Run with lower priority
nice -n 19 sudo unhide procfs

# Run in background
sudo unhide -v > unhide_results.txt &

# Monitor progress
ps aux | grep unhide
```
## Troubleshooting

### Common Issues

| Issue | Solution |
|---|---|
| Permission denied | Run with sudo: `sudo unhide procfs` |
| No hidden processes found | Not necessarily a false negative: the system may simply be clean |
| False positives | Verify with other tools: netstat, ss, lsof |
| Slow execution | Reduce verbosity or use `quick` mode |
| Segmentation fault | Update unhide: `sudo apt-get update && sudo apt-get install --reinstall unhide` |
### Debug Mode

```bash
# Verbose output
sudo unhide -v procfs

# Very verbose
sudo unhide -vv procfs

# Debug mode
sudo unhide -d procfs

# Save debug output
sudo unhide -d procfs > debug.txt 2>&1
```
## Cross-Platform Deployment

### Linux Systems

```bash
# Supported on most Linux distributions
sudo unhide procfs

# Check compatibility
file /usr/sbin/unhide
ldd /usr/sbin/unhide
```
### UNIX Systems

```bash
# Works on various UNIX variants
# Adjust paths for BSD/Solaris
unhide -v

# Check system-specific processes
ps -ef | wc -l
unhide pids
```
## Integration with Other Tools

### Combined Malware Analysis

```bash
# Unhide + ClamAV
sudo unhide procfs > hidden.txt
clamscan -r / --log=clamav.log

# Unhide + Rootkit Hunter
sudo unhide quick
sudo rkhunter --check

# Unhide + AIDE
aide --check
sudo unhide procfs
```
### SIEM Integration

```bash
# Send unhide findings to syslog
sudo unhide procfs | while read -r line; do
    logger -t unhide "$line"
done

# Monitor in SIEM
grep "hidden" /var/log/syslog

# Centralized logging
unhide procfs | nc siem.local 514
```
## Security Best Practices

- **Regular Scanning**: Run unhide weekly or monthly
- **Baseline Establishment**: Document normal process and port counts
- **Investigation Protocol**: Verify findings with multiple tools
- **Evidence Preservation**: Document all suspicious findings
- **Incident Response**: Escalate confirmed rootkit detections
- **System Hardening**: Implement kernel protection mechanisms
## Resources

- Unhide Project: http://www.unhide-forensics.info/
- Linux Rootkit Detection: https://www.linux.com/
- Kernel Forensics: https://linux-kernel-labs.github.io/
- AIDE Documentation: http://aide.sourceforge.net/
- Rootkit Hunter: http://rkhunter.sourceforge.net/

Unhide is an essential tool for forensic investigators and system administrators conducting rootkit detection, incident response, and system compromise investigations on Linux and UNIX systems.