Unhide
Overview
Unhide is a live-response forensic tool that looks for processes and TCP/UDP ports hidden by rootkits or other kernel-level malware. It uses no signatures: it enumerates processes and ports through several independent methods (walking /proc in different ways, issuing process-related system calls for every possible PID, comparing against ps, trying to bind() every port) and reports anything that one method sees but another does not. A hidden process or port shows up as a discrepancy between what the kernel still admits to and what the usual user-space tools report.
Rootkits hide processes by hooking system calls or the /proc readers, or by unlinking entries from kernel data structures. Lying consistently to every enumeration path at once is hard, so the discrepancy itself is the detection. Unhide must run as root on the live system: it inspects the running kernel and has nothing to examine in a disk image.
Installation
From Kali Linux Repository
sudo apt-get update
sudo apt-get install unhide
# The package installs unhide and unhide-tcp under /usr/sbin
From Source
# Download the release tarball (20130526 is old; newer releases live in the
# author's GitHub repository listed under Resources)
wget http://www.unhide-forensics.info/unhide-20130526.linux.tgz
tar -xzf unhide-20130526.linux.tgz
cd unhide-20130526
# There is no configure step; the bundled README builds the tools with gcc
# directly (the Linux build spans several unhide-linux*.c files)
gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide
gcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp
# Install (static binaries are convenient to copy onto a suspect host)
sudo install -m 0755 unhide unhide-tcp /usr/local/sbin/
Docker Installation
# The kali-rolling base image does not ship unhide, so install it inside the
# container. --pid=host exposes the host's PID namespace; CAP_SYS_PTRACE is
# needed to read /proc/PID/exe and cmdline of processes owned by other users.
# The container shares the host kernel, so a kernel rootkit lies to it too;
# this is a convenience for running the tool, not an independent vantage point.
docker run -it --rm --pid=host --cap-add SYS_PTRACE kalilinux/kali-rolling \
bash -c 'apt-get update && apt-get install -y unhide && unhide procfs'
Manual Compilation
# Clone repository (the project is maintained by its author at
# https://github.com/YJesus/Unhide)
git clone https://github.com/unhide-forensics/unhide.git
cd unhide
# There is no single unhide.c; compile the Linux sources together
gcc -Wall -O2 -pthread unhide-linux*.c unhide-output.c -o unhide
gcc -Wall -O2 unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp
# Install binaries
sudo install -m 0755 unhide unhide-tcp /usr/local/sbin/
Basic Usage
unhide takes one or more test names, optionally preceded by options (unhide [options] test_list); a run with options but no test name only prints the usage text. Port checks are a separate binary, unhide-tcp, which covers both TCP and UDP.
| Command | Purpose |
|---|---|
| unhide proc | Compare the PID list from readdir() on /proc with the output of ps |
| unhide procfs | Compare ps with three ways of walking /proc: stat(), chdir() and opendir() on each /proc/PID, plus /proc/PID/task for threads |
| unhide procall | proc and procfs together |
| unhide sys | Enumerate PIDs through system calls (kill, getpriority, getpgid, getsid, sched_getaffinity among others) and compare with ps |
| unhide brute | Try every PID from 1 to pid_max with those system calls; slowest and most thorough |
| unhide quick | proc, procfs and sys in one run; fast, but the most prone to transient false positives |
| unhide reverse | Check that every process ps shows is also visible in /proc and via system calls (catches fake processes) |
| unhide-tcp | Detect hidden TCP and UDP ports by binding each port and comparing with ss/netstat (there is no separate unhide-udp) |
Useful options: -v (verbose, may be repeated), -f (also write unhide-linux.log in the current directory), -m (more checks, affects the procfs/procall tests), -d (double-check hits in the brute test to drop processes that merely exited).
Process Detection Methods
Procfs Method
# Compare ps with several ways of walking /proc
sudo unhide procfs
# Output is one "[*]Searching ..." line per check, followed by a block per hit
# (PID and paths below are illustrative):
# [*]Searching for Hidden processes through /proc stat scanning
# [*]Searching for Hidden processes through /proc chdir scanning
# [*]Searching for Hidden processes through /proc opendir scanning
# Found HIDDEN PID: 5678
#         Cmdline: "/tmp/.x/bd"
#         Executable: "/tmp/.x/bd"
#         Command: "bd"
# A hit with no Cmdline/Executable that does not reappear on a rerun was most
# likely a short-lived process that exited between two enumerations.
# -m adds further checks to the procfs test
sudo unhide -m procfs
Sys Method
# Enumerate PIDs through process-related system calls and compare with ps
sudo unhide sys
# Catches rootkits that filter /proc but leave the system calls alone;
# -v prints what each check is doing
sudo unhide -v sys
Brute Method
# Try every PID in the kernel's range (1..pid_max) with several system calls
sudo unhide brute
# A PID that answers a system call (for example kill(pid, 0) or getsid(pid))
# but is absent from ps and from readdir() on /proc is reported as hidden.
# -d repeats the check on every hit before reporting it, which removes most
# false positives from processes that exited mid-scan
sudo unhide -d brute
# brute walks the whole PID space (see /proc/sys/kernel/pid_max) and is slow;
# quick is the fast alternative
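The cross-check behind the proc, procfs and brute tests, written out in bash as an added example (it is not unhide's code and not from the original page). It assumes a Linux host with /proc mounted and root privileges for the live sweep; the function names, the `scan` argument and the output format are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not unhide's code): the cross-check behind unhide's proc,
# procfs and brute tests in plain bash. Run as root so kill -0 is not refused
# with EPERM for other users' processes. Assumes Linux with /proc mounted.

# PIDs visible through readdir() on /proc: the path ps and top use.
pids_readdir() { ls /proc 2>/dev/null | grep -E '^[0-9]+$'; }

# PIDs as reported by ps (procps reads /proc too, through its own code path).
pids_ps() { ps -eo pid= 2>/dev/null | tr -d ' '; }

# unhide's "/proc stat scanning": stat() each /proc/<pid> in lo..hi directly.
# A rootkit that filters readdir() results often leaves the direct lookup alone.
pids_stat_sweep() {
    local lo=$1 hi=$2 pid
    for ((pid = lo; pid <= hi; pid++)); do
        [ -d "/proc/$pid" ] && echo "$pid"
    done
    return 0
}

# unhide's brute test: ask the kernel about every PID in lo..hi with
# kill(pid, 0). The existence check succeeds for a process hidden from /proc.
pids_kill_sweep() {
    local lo=$1 hi=$2 pid
    for ((pid = lo; pid <= hi; pid++)); do
        kill -0 "$pid" 2>/dev/null && echo "$pid"
    done
    return 0
}

# Lines of $1 that do not occur in $2 (newline-separated PID lists).
pids_missing_from() {
    grep -vxFf <(printf '%s\n' "$2") <(printf '%s\n' "$1") || true
}

# Report PIDs the kernel admits to but the user-visible list lacks.
# A process that exited between the two enumerations is the usual false
# positive, so each candidate is looked up again before it is reported
# (unhide -d does the same for the brute test).
report_hidden() {
    local kernel_view=$1 user_view=$2 pid cmdline
    for pid in $(pids_missing_from "$kernel_view" "$user_view"); do
        [ -d "/proc/$pid" ] || continue
        cmdline=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
        printf 'HIDDEN PID %s cmdline=%q exe=%s\n' "$pid" "$cmdline" \
            "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    done
}

scan() {
    local max visible
    max=$(cat /proc/sys/kernel/pid_max)
    visible=$(pids_ps)
    echo "[*] stat() sweep of /proc vs ps"
    report_hidden "$(pids_stat_sweep 1 "$max")" "$visible"
    echo "[*] kill(pid, 0) sweep vs ps"
    report_hidden "$(pids_kill_sweep 1 "$max")" "$visible"
    echo "[*] ps vs readdir() on /proc (a fake process injected into ps shows up here)"
    pids_missing_from "$visible" "$(pids_readdir)" | sed 's/^/PS-ONLY PID /'
}

# Usage: sudo bash hidden-pids.sh scan   (a full pid_max sweep takes a while)
case "${1:-}" in scan) scan ;; esac
```

The two sweeps are deliberately independent of readdir(): the first asks the VFS for each directory by name, the second asks the scheduler, so a rootkit has to filter three separate paths consistently to stay hidden. The re-check in report_hidden is what keeps the script from reporting every process that happened to exit during the sweep.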
Comprehensive Scanning
Quick Scan
# proc + procfs + sys in one run; much faster than brute
sudo unhide quick
# The report starts with a banner and the options used, then one
# "[*]Searching for Hidden processes through ..." line per check and a
# "Found HIDDEN PID: <n>" block per hit. The sysinfo check in the sys part
# compares the process count the kernel returns from sysinfo() with the
# number of processes ps lists and reports the difference as hidden processes.
# Because processes start and exit during the scan, quick is the mode most
# prone to false positives: rerun it, or confirm with brute -d, before acting.
Detailed Scanning
# Verbose output for any test (options go before the test names; a test name is required)
sudo unhide -v quick
# Keep a log file (unhide-linux.log in the current directory) as well as stdout
sudo unhide -f quick
# Extra checks in the procfs/procall tests
sudo unhide -m procall
All Detection Methods
# Run the tests one after another; reverse looks for the opposite anomaly
# (processes that ps shows but the kernel does not)
for method in procall sys brute reverse; do
echo "[*] Running $method test..."
sudo unhide $method
done
Network Port Detection
Hidden TCP Ports
# unhide-tcp checks TCP and UDP: it tries to bind() every port (1-65535) and
# reports a port that is in use but absent from ss (or netstat) output. That
# catches a rootkit that filters the kernel's socket listings, because the
# bind() still fails with EADDRINUSE.
sudo unhide-tcp
# Output (port number illustrative):
# [*]Starting TCP checking
# Found Hidden port that not appears in ss: 3128
# [*]Starting UDP checking
# Confirm from other angles; a port hidden from ss is usually hidden from
# netstat and lsof too, so also search the raw /proc table (port in hex, 0xC38 = 3128)
sudo ss -tlnp | grep ':3128 '
sudo lsof -nP -iTCP:3128
grep -i ':0C38 ' /proc/net/tcp /proc/net/tcp6
Hidden UDP Ports
# There is no unhide-udp binary: the UDP check is the second half of unhide-tcp
sudo unhide-tcp
# Verbose, and write unhide-tcp.log in the current directory
sudo unhide-tcp -v -f
# Compare with the UDP sockets the kernel shows. UDP has no LISTEN state, so
# grepping for LISTEN finds nothing; -u alone lists bound UDP sockets
sudo ss -ulnp
Combined Network Scan
# One run covers TCP and UDP
sudo unhide-tcp
# Repeat periodically; a full bind() sweep only takes seconds, so polling
# every 5 seconds as a watch loop adds load without adding coverage
sudo watch -n 300 unhide-tcp
# Log findings with a timestamp in the file name
sudo unhide-tcp > "unhide-tcp-$(date +%F-%H%M).txt" 2>&1
Network Connection Monitoring
Scheduled Port Checks
# unhide has no listen or daemon mode and the unhide binary itself does not
# look at ports; only unhide-tcp does. Run it verbosely by hand, or from cron
# (see Automated Scanning) for ongoing monitoring
sudo unhide-tcp -v
Connection Analysis
# netstat parses /proc/net/tcp*; ss asks the kernel through the sock_diag
# netlink interface. A rootkit that only filters /proc/net/tcp therefore
# shows up as a difference between the two; agreement proves nothing if both
# paths are hooked, which is why unhide-tcp's bind() probe exists
sudo netstat -tlnp > netstat_output.txt
sudo ss -tlnp > ss_output.txt
# Find differences
diff netstat_output.txt ss_output.txt
# Check a specific port from several angles (local port in /proc is hex: 0x0016 = 22)
sudo lsof -nP -iTCP:22 -sTCP:LISTEN
sudo ss -tlnp | grep ':22 '
grep -i ':0016 ' /proc/net/tcp /proc/net/tcp6
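The /proc-versus-ss comparison above, done properly with the hex port field decoded, as an added bash example (not unhide's code and not from the original page). The /proc/net/tcp sample embedded in the script is constructed; the live comparison assumes iproute2's ss with the -H (no header) option and root privileges.

```shell
#!/usr/bin/env bash
# Added example (not unhide's code): list listening TCP ports straight from
# /proc/net/tcp{,6} and compare with what ss reports through sock_diag.

# Parse /proc/net/tcp-format text on stdin; print listening ports in decimal.
# Field 2 is the local address as "HEXADDR:HEXPORT", field 4 the socket state;
# 0A is TCP_LISTEN. /proc/net/tcp6 uses the same layout with longer addresses.
listen_ports_from_procnet() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' \
        | while read -r hexport; do printf '%d\n' "0x$hexport"; done \
        | sort -nu
}

# Listening ports as seen by ss (sock_diag netlink, not /proc/net/tcp).
listen_ports_from_ss() {
    ss -Hltn 2>/dev/null | awk '{ sub(/.*:/, "", $4); print $4 }' | sort -nu
}

# Ports in list $1 that are absent from list $2.
ports_missing_from() {
    grep -vxFf <(printf '%s\n' "$2") <(printf '%s\n' "$1") || true
}

# Constructed sample of /proc/net/tcp: sshd on 22 (0x0016), a listener on
# 3128 (0x0C38), and one established client connection that must be ignored.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0C38 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A3B2 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1'

# Live comparison. A port present in /proc/net/tcp but not in ss, or the
# reverse, means one of the two kernel interfaces is being filtered. Both
# being filtered is possible; only a bind() probe (unhide-tcp) catches that.
compare_live() {
    local procview ssview
    procview=$(cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | listen_ports_from_procnet)
    ssview=$(listen_ports_from_ss)
    ports_missing_from "$procview" "$ssview" | sed 's/^/in \/proc\/net\/tcp but not in ss: /'
    ports_missing_from "$ssview" "$procview" | sed 's/^/in ss but not in \/proc\/net\/tcp: /'
}

# Usage: bash procnet-vs-ss.sh demo   (parses the sample, prints 22 and 3128)
#        sudo bash procnet-vs-ss.sh live
case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_PROC_NET_TCP" | listen_ports_from_procnet ;;
    live) compare_live ;;
esac
```

Concatenating /proc/net/tcp and /proc/net/tcp6 is safe here because the second file's header has "st" in field 4 and is dropped by the state filter, and sort -nu merges a port that is bound on both address families into one line.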
Rootkit Detection Workflow
Comprehensive System Analysis
# Step 1: Process detection (procall = proc + procfs; brute -d for the thorough pass)
echo "[*] Step 1: Detecting hidden processes..."
sudo unhide -v procall
sudo unhide -d brute
# Step 2: Network anomalies (unhide-tcp covers TCP and UDP)
echo "[*] Step 2: Detecting hidden ports..."
sudo unhide-tcp
# Step 3: File system anomalies. unhide does not look at files; use an
# integrity checker against a known-good baseline instead
echo "[*] Step 3: Checking file integrity..."
sudo rkhunter --check --sk
sudo aide --check
# Step 4: Compare outputs
echo "[*] Step 4: Analyzing discrepancies..."
# A hit from any one step is evidence; two independent hits that agree (for
# example a hidden PID that owns a hidden port) are strong evidence. Record
# everything before touching the system further.
Process Anomaly Analysis
# Capture the ps view, with parents and start times, for later comparison
ps -eo pid,ppid,user,stat,lstart,cmd --forest > normal_processes.txt
ps -e | wc -l
# Check unhide findings (hits are printed as "Found HIDDEN PID: <n>" followed
# by the command line, executable and owner)
sudo unhide procall | grep -A4 'HIDDEN PID'
# Look for impostors: real kernel threads are children of kthreadd (PID 2,
# itself a child of PID 0) and show a bracketed name with no command line.
# A process named kworker or kswapd that has any other parent is suspicious
ps -eo pid,ppid,user,cmd | awk '$4 ~ /kthreadd|kworker|kswapd/ && $2 != 2 && $1 != 2'
Kernel Module Inspection
Check for Hidden Modules
# lsmod is a formatted view of /proc/modules, so the two always agree
lsmod | wc -l
cat /proc/modules | wc -l
# /sys/module lists loaded modules and built-in ones, so its count is larger
# by design. Only entries that carry an initstate file are loadable modules,
# and that is the number to compare with /proc/modules
ls /sys/module | wc -l
ls -d /sys/module/*/initstate | wc -l
# A module that unlinks itself from the kernel's module list vanishes from
# lsmod and /proc/modules but usually keeps its /sys/module directory.
# unhide itself does not examine modules; this check is separate
Module Analysis
# List all kernel modules
lsmod > loaded_modules.txt
# Module names are attacker-chosen, so a keyword grep is a weak check; compare
# against a list taken from a known-good host with the same kernel instead
# (known_good_modules.txt below is such a list, one name per line)
grep -i "hidden\|backdoor\|rootkit\|snake" loaded_modules.txt
diff <(sort known_good_modules.txt) <(awk 'NR>1{print $1}' loaded_modules.txt | sort)
# Module details: a path outside /lib/modules/$(uname -r), or a missing
# signature on a system that signs its modules, deserves attention
modinfo module_name
# Removing a suspected rootkit module destroys evidence and may crash the
# kernel; on an incident system capture memory first and leave it loaded
sudo rmmod module_name
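The /proc/modules-versus-sysfs cross-check from above as an added bash example (not unhide's code and not from the original page). It builds a small constructed sysfs tree, including a module named hidden_mod, so the logic can be exercised without root; the live mode reads the real /sys/module and /proc/modules and assumes that loadable modules, and only those, have an initstate attribute.

```shell
#!/usr/bin/env bash
# Added example (not unhide's code): cross-check the kernel's module list
# (/proc/modules, which lsmod reads) against sysfs. Loadable modules get a
# /sys/module/<name>/initstate attribute; built-in code listed under
# /sys/module does not, so initstate is the filter that makes the lists
# comparable.

# Module names from /proc/modules-format text on stdin (first column).
modules_from_procmodules() { awk '{ print $1 }' | sort -u; }

# Loadable module names under a sysfs root: directories that carry initstate.
modules_from_sysfs() {
    local root=${1:-/sys/module} d
    for d in "$root"/*/; do
        [ -e "${d}initstate" ] && basename "$d"
    done | sort -u
}

# Names in list $1 that are absent from list $2.
names_missing_from() {
    grep -vxFf <(printf '%s\n' "$2") <(printf '%s\n' "$1") || true
}

# Constructed sysfs tree: two loaded modules, one built-in entry (no
# initstate, like the real /sys/module/kernel), and hidden_mod, which sysfs
# still lists although it is missing from the constructed /proc/modules.
make_sample_sysfs() {
    local root=$1
    mkdir -p "$root/ext4" "$root/xt_tcpudp" "$root/hidden_mod" "$root/kernel"
    echo live > "$root/ext4/initstate"
    echo live > "$root/xt_tcpudp/initstate"
    echo live > "$root/hidden_mod/initstate"
}

SAMPLE_PROC_MODULES='xt_tcpudp 16384 0 - Live 0xffffffffc0a1c000
ext4 987136 1 - Live 0xffffffffc0b00000'

# Report modules sysfs knows about but /proc/modules (hence lsmod) does not.
report_hidden_modules() {
    local sysfs_root=$1 procmodules_text=$2
    names_missing_from \
        "$(modules_from_sysfs "$sysfs_root")" \
        "$(printf '%s\n' "$procmodules_text" | modules_from_procmodules)"
}

# Usage: bash hidden-modules.sh demo   (prints: hidden_mod)
#        bash hidden-modules.sh live
case "${1:-}" in
    demo)
        tmp=$(mktemp -d)
        make_sample_sysfs "$tmp"
        report_hidden_modules "$tmp" "$SAMPLE_PROC_MODULES"
        rm -rf "$tmp" ;;
    live)
        report_hidden_modules /sys/module "$(cat /proc/modules)" ;;
esac
```

A rootkit that also removes its kobject from sysfs defeats this check, which is the same limitation every enumeration-comparison technique has: it finds inconsistency, not malice, and a consistent liar needs a memory image to expose.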
Comparative Enumeration Techniques
Method Comparison
# Get PIDs from readdir() on /proc
ls /proc | grep -E '^[0-9]+$' | sort -n > pids_proc.txt
# Get PIDs from ps (procps reads /proc too, through its own code path)
ps -eo pid= | tr -d ' ' | sort -n > pids_ps.txt
# Get PIDs by direct lookup: stat() each /proc/<pid> without listing the
# directory. /sys holds no process list; a rootkit that filters readdir()
# output often leaves direct lookups alone
for pid in $(seq 1 "$(cat /proc/sys/kernel/pid_max)"); do [ -d "/proc/$pid" ] && echo "$pid"; done | sort -n > pids_stat.txt
# Compare outputs (run the three as close together as possible; processes
# that start or exit in between cause noise)
diff pids_proc.txt pids_ps.txt
diff pids_ps.txt pids_stat.txt
Network Port Comparison
# TCP listening ports from netstat (parses /proc/net/tcp*)
sudo netstat -tln | awk 'NR>2 {sub(/.*:/, "", $4); print $4}' | sort -nu > netstat_ports.txt
# TCP listening ports from ss (asks the kernel over the sock_diag netlink interface)
sudo ss -Hltn | awk '{sub(/.*:/, "", $4); print $4}' | sort -nu > ss_ports.txt
# TCP listening ports straight from /proc: field 2 is local address:port in
# hex, field 4 the state (0A = LISTEN); printf converts the hex port
awk 'NR>1 && $4=="0A" {split($2,a,":"); print a[2]}' /proc/net/tcp /proc/net/tcp6 | while read -r h; do printf '%d\n' "0x$h"; done | sort -nu > proc_ports.txt
# Compare all three; any difference means one interface is being filtered
diff netstat_ports.txt ss_ports.txt
diff ss_ports.txt proc_ports.txt
Forensic Investigation
Evidence Collection
# unhide inspects the running kernel and has nothing to examine in a disk
# image, so run it (and capture other volatile data) on the live system first
sudo unhide -f procall
sudo unhide-tcp -f
# Then image the disk for offline analysis of files, logs and module binaries
sudo dd if=/dev/sda1 of=/external/forensic_image.dd bs=4M conv=noerror,sync status=progress
sha256sum /external/forensic_image.dd > /external/forensic_image.dd.sha256
# Work on the copy only, mounted read-only through a loop device
sudo mkdir -p /mnt/forensic
sudo mount -o ro,loop,noexec,nodev /external/forensic_image.dd /mnt/forensic
Incident Analysis
# Collect baseline data
date > incident_report.txt
hostname >> incident_report.txt
uname -a >> incident_report.txt
# Run unhide checks
sudo unhide -v procall >> incident_report.txt 2>&1
sudo unhide -d brute >> incident_report.txt 2>&1
sudo unhide-tcp >> incident_report.txt 2>&1
# Collect running processes
ps auxf >> incident_report.txt 2>&1
# Collect network connections (netstat has no -f option; ss -f needs a family argument)
sudo netstat -tulnp >> incident_report.txt 2>&1
sudo ss -tulnp >> incident_report.txt 2>&1
Process Information Extraction
# Details of a suspected process. A PID hidden from ps can often still be
# addressed directly by path in /proc, which is what the commands below rely on
ps -p PID -o pid,ppid,user,lstart,etime,stat,cmd
# Process files: executable, working directory, open file descriptors
sudo ls -la /proc/PID/
sudo readlink /proc/PID/exe /proc/PID/cwd
sudo ls -l /proc/PID/fd
# "(deleted)" after the exe path means the binary was removed from disk after
# it started; copy it out of /proc while the process is alive
sudo cp /proc/PID/exe ./suspect_binary
# Memory: maps is the address-space layout, not a dump; gcore writes the dump
sudo cat /proc/PID/maps
sudo gdb -p PID -batch -ex "gcore /tmp/PID.core"
# Network connections of the process
sudo lsof -nP -p PID -i
Automated Scanning
Scheduled Scanning
# Add to root's crontab: unhide needs root, and its output carries no
# timestamps, so write one before each run
0 * * * * (date +%FT%T%z; /usr/sbin/unhide quick) >> /var/log/unhide.log 2>&1
# Daily thorough scan (options before the test names; a test name is required)
0 2 * * * (date +%FT%T%z; /usr/sbin/unhide -d brute reverse) >> /var/log/unhide_daily.log 2>&1
# Hourly port check (unhide-tcp covers TCP and UDP)
30 * * * * (date +%FT%T%z; /usr/sbin/unhide-tcp) >> /var/log/unhide_tcp.log 2>&1
Continuous Monitoring
#!/bin/bash
# Real-time monitoring script; run it as root rather than calling sudo inside
# the loop, which would stop at a password prompt
while true; do
echo "[$(date)] Running unhide scan..."
unhide quick | grep -i "hidden pid"
sleep 300 # Check every 5 minutes
done
# Save to file
sudo ./monitor.sh > hidden_processes.log 2>&1 &
# A rootkit that is already in the kernel can hide from, or replace, the
# unhide binary it sees running every five minutes; periodic scans are a
# tripwire, not a guarantee, and a copy of unhide run from trusted media is
# the better choice when a host is suspect
Analysis and Reporting
Log Review
# Check for findings (unhide prints "Found HIDDEN PID", unhide-tcp "Found Hidden port")
grep -i "found hidden" /var/log/unhide.log
# Count suspicious findings
grep -ic "found hidden" /var/log/unhide.log
# Timeline: the timestamp lines written by the cron entries give each finding
# a time; show both
grep -iE '^[0-9]{4}-|found hidden' /var/log/unhide.log
Report Generation
# Create incident report
cat > incident_report.txt << EOF
Unhide Forensic Report
======================
Date: $(date)
System: $(hostname)
Kernel: $(uname -r)
Hidden Processes Detected:
$(sudo unhide procall | grep -iA3 "hidden pid")
Hidden Ports Detected:
$(sudo unhide-tcp | grep -i "hidden port")
Recommendations:
1. Isolate the system from the network (keep it powered on; memory is evidence)
2. Preserve forensic evidence (memory capture first, then disk image, hashes of both)
3. Notify the incident response team
4. Begin root cause analysis
EOF
Performance Optimization
Selective Scanning
# unhide has no per-process or per-port filter; choose the test instead:
# quick for a fast sweep, brute -d for a thorough one
sudo unhide quick
sudo unhide -d brute
# Check whether a particular service is among the findings after the run
sudo unhide procall | grep -iA3 "hidden pid" | grep -i httpd
# unhide-tcp always walks all 65535 TCP and UDP ports
sudo unhide-tcp
# Limit output
sudo unhide quick | head -20
Reduce System Impact
# brute issues several system calls per PID across the whole PID range;
# lower its priority
sudo nice -n 19 unhide brute
# Run in the background (sudo must not need a password prompt, or run from a root shell)
sudo unhide -d brute > unhide_results.txt 2>&1 &
# Monitor progress (the bracket keeps grep from matching itself)
ps aux | grep '[u]nhide'
Troubleshooting
Common Issues
| Issue | Solution |
|---|---|
| Permission denied, or few processes seen | Run as root: sudo unhide procfs (system calls on other users' processes fail with EPERM otherwise) |
| Usage text instead of a scan | A test name is required and options go first: unhide -v quick, not unhide -v |
| No hidden processes found | Nothing was detected by these methods; that is not proof of a clean system, since a rootkit can hook the same calls unhide relies on, or replace unhide itself |
| False positives | Short-lived processes exit between two enumerations; rerun, use brute -d, and confirm with ss, lsof and direct /proc/PID inspection |
| Slow execution | brute walks the whole PID space; use quick for routine runs and nice -n 19 for brute |
| Segmentation fault | Update or reinstall: sudo apt-get update && sudo apt-get install --reinstall unhide |
Verbose Output
# Verbose output (options precede the test name)
sudo unhide -v procfs
# Also write unhide-linux.log in the current directory
sudo unhide -f -v procfs
# -d is not a debug flag: it double-checks hits in the brute test
sudo unhide -d brute
# Save output
sudo unhide -v procfs > unhide_out.txt 2>&1
Cross-Platform Deployment
Linux Systems
# The Kali build supports Linux 2.6 and later
sudo unhide procfs
# Check the binary (a statically linked copy is easiest to carry to a suspect host)
file /usr/sbin/unhide
ldd /usr/sbin/unhide
UNIX Systems
# The Linux binary relies on /proc and Linux-specific system calls. Other
# UNIX-like systems use unhide-posix, which only has the proc and sys tests
# and compares their results with ps
unhide-posix proc
unhide-posix sys
# Check the ps view on the system for comparison
ps -ef | wc -l
Integration with Other Tools
Combined Malware Analysis
# Unhide (processes) + ClamAV (files)
sudo unhide procall > hidden.txt
sudo clamscan -r / --infected --log=clamav.log
# Unhide + Rootkit Hunter (rkhunter's hidden-process check calls unhide when it is installed)
sudo unhide quick
sudo rkhunter --check --sk
# Unhide + AIDE (file integrity against a baseline)
sudo aide --check
sudo unhide procall
SIEM Integration
# Send unhide findings to the local syslog with a tag and a facility
sudo unhide procall | while read -r line; do
logger -t unhide -p auth.warning "$line"
done
# Monitor in the SIEM or the local journal
grep "unhide" /var/log/syslog
journalctl -t unhide
# Centralized logging: nc would send bare text with no syslog header; logger
# builds proper messages and can ship them over TCP to a collector (util-linux logger)
sudo unhide procall | logger -t unhide -p auth.warning -n siem.local -P 514 -T
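Shipping raw tool output gives the SIEM multi-line blocks to parse; one line per finding is easier to alert on. The parser below is an added bash example (not unhide's code and not from the original page) that also serves the log-review step under Analysis and Reporting. The sample outputs embedded in it are constructed to follow the "Found HIDDEN PID:" and "Found Hidden port" lines unhide and unhide-tcp print; the field names in the emitted lines, and the collector host and port, are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not unhide's code): turn unhide / unhide-tcp output into one
# log line per finding for logger, cron logs or a SIEM.

# Parse unhide (process tests) output on stdin. A hit looks like
#   Found HIDDEN PID: 5678
#           Cmdline: "/tmp/.x/bd"
#           Executable: "/tmp/.x/bd"
# and is emitted as: hidden_pid=5678 cmdline="/tmp/.x/bd" exe="/tmp/.x/bd"
parse_unhide_procs() {
    awk '
        function flush() {
            if (pid != "") printf "hidden_pid=%s cmdline=%s exe=%s\n", pid, cmd, exe
            pid = ""
        }
        /^Found HIDDEN PID:/ { flush(); pid = $4; cmd = ""; exe = ""; next }
        pid != "" && $1 == "Cmdline:"    { cmd = $0; sub(/^[[:space:]]*Cmdline:[[:space:]]*/, "", cmd) }
        pid != "" && $1 == "Executable:" { exe = $0; sub(/^[[:space:]]*Executable:[[:space:]]*/, "", exe) }
        /^\[\*\]/ { flush() }
        END { flush() }'
}

# Parse unhide-tcp output on stdin; the "[*]Starting TCP/UDP checking" lines
# tell which protocol the following "Found Hidden port" lines belong to.
parse_unhide_tcp() {
    awk '
        /^\[\*\]Starting TCP checking/ { proto = "tcp" }
        /^\[\*\]Starting UDP checking/ { proto = "udp" }
        /^Found Hidden port/ { printf "hidden_port=%s proto=%s\n", $NF, proto }'
}

# Constructed samples in the format of the two tools.
SAMPLE_UNHIDE_OUTPUT=$(printf '%s\n' \
    'Unhide 20130526' \
    'Used options: ' \
    '[*]Searching for Hidden processes through /proc stat scanning ' \
    '' \
    'Found HIDDEN PID: 5678' \
    $'\tCmdline: "/tmp/.x/bd"' \
    $'\tExecutable: "/tmp/.x/bd"' \
    $'\tCommand: "bd"' \
    $'\t$USER=root' \
    $'\t$PWD=/tmp/.x' \
    '' \
    '[*]Searching for Hidden processes through /proc chdir scanning ')
SAMPLE_UNHIDE_TCP_OUTPUT=$(printf '%s\n' \
    'Unhide-tcp 20130526' \
    '[*]Starting TCP checking' \
    '' \
    'Found Hidden port that not appears in ss: 3128' \
    '' \
    '[*]Starting UDP checking' \
    '' \
    'Found Hidden port that not appears in ss: 5353')

# Run both tools (as root) and forward each finding as one syslog message.
# With a collector argument, util-linux logger sends over TCP to host:port.
scan_and_forward() {
    local collector=${1:-} port=${2:-514} finding
    { unhide quick | parse_unhide_procs; unhide-tcp | parse_unhide_tcp; } |
    while IFS= read -r finding; do
        if [ -n "$collector" ]; then
            logger -t unhide -p auth.warning -n "$collector" -P "$port" -T -- "$finding"
        else
            logger -t unhide -p auth.warning -- "$finding"
        fi
    done
}

# Usage: bash unhide-to-syslog.sh demo
#        sudo bash unhide-to-syslog.sh live [collector_host] [port]
case "${1:-}" in
    demo)
        printf '%s\n' "$SAMPLE_UNHIDE_OUTPUT" | parse_unhide_procs
        printf '%s\n' "$SAMPLE_UNHIDE_TCP_OUTPUT" | parse_unhide_tcp ;;
    live) scan_and_forward "${2:-}" "${3:-514}" ;;
esac
```

Each hit is flushed when the next "[*]" section header or the next hit appears, so a hit at the very end of the output is still emitted by the END rule. Keeping the PID, command line and executable on one line is what makes the finding usable in a SIEM rule.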
Security Best Practices
- Regular Scanning: schedule quick hourly and a brute -d sweep daily; a rootkit has to hide consistently from every run
- Baseline Establishment: record the normal process, port and module lists per host so differences stand out
- Investigation Protocol: verify findings with independent tools (ss, lsof, direct /proc/PID inspection) before acting; transient processes are the common false positive
- Evidence Preservation: keep the -f log files and copy a suspect binary from /proc/PID/exe before the process ends
- Incident Response: treat a confirmed hidden process or port as a compromised host, not as something to clean up in place
- System Hardening: signed modules, kernel lockdown and a restricted module loader raise the bar for rootkits; a compromised kernel can also lie to unhide, so run a trusted copy from read-only media when a host is suspect
Resources
- Unhide Project: http://www.unhide-forensics.info/
- Unhide source (author's repository): https://github.com/YJesus/Unhide
- Linux Rootkit Detection: https://www.linux.com/
- Kernel Forensics: https://linux-kernel-labs.github.io/
- AIDE Documentation: http://aide.sourceforge.net/
- Rootkit Hunter: http://rkhunter.sourceforge.net/
Unhide is a standard tool for forensic investigators and system administrators doing rootkit detection, incident response and compromise assessment on live Linux and UNIX systems.