Unhide
Overview
Unhide is a forensic tool for detecting hidden processes and network ports that may indicate a rootkit or kernel-level malware. It enumerates processes and ports with several independent methods and reports the discrepancies between them: a process or port that one method sees and another does not is a sign of tampering. Unhide works at several levels, including userspace system calls, the /proc filesystem and the network stack, to give broad coverage of hidden-process techniques.
Rootkits hide malicious processes by intercepting system calls and modifying kernel data structures. Unhide detects these anomalies through forensic analysis and comparison techniques.
Installation
From Kali Linux Repository

```bash
sudo apt-get update
sudo apt-get install unhide
```
From Source
```bash
# Download source
wget http://www.unhide-forensics.info/unhide-20130526.linux.tgz
tar -xzf unhide-20130526.linux.tgz
cd unhide-20130526
# Compile
make
# Install
sudo make install
```
Docker Installation
```bash
# The kalilinux/kali-rolling image does not ship unhide, so install it first;
# --pid=host shares the host PID namespace so the container-side scan sees host processes
docker run -it --pid=host kalilinux/kali-rolling \
  bash -c 'apt-get update && apt-get install -y unhide && unhide procfs'
```
Manual Compilation
```bash
# Clone repository
git clone https://github.com/unhide-forensics/unhide.git
cd unhide
# Compile
gcc -o unhide unhide.c -lm
# Install binary
sudo cp unhide /usr/local/bin/
```
Basic Usage
| Command | Purpose |
|---|---|
| unhide procfs | Detect hidden processes via /proc filesystem |
| unhide sys | Detect hidden processes via /sys filesystem |
| unhide pids | Compare PID enumeration methods |
| unhide quick | Run all process detection methods quickly |
| unhide -l | Listen mode for network anomalies |
| unhide-tcp | Detect hidden TCP ports |
| unhide-udp | Detect hidden UDP ports |
Process Detection Methods
Procfs Method

```bash
# Compare /proc enumeration
sudo unhide procfs
# Output shows discrepancies:
# Searching for Hidden processes through /proc...
# [+] PID 1234 found with ls and in /proc
# [+] PID 5678 found with ls but NOT in /proc (HIDDEN)
# [+] PID 9012 NOT found with ls but in /proc (HIDDEN)
```
Sys Method
```bash
# Check /sys filesystem
sudo unhide sys
# Detects processes not visible in /sys
# Useful for kernel-level rootkits
sudo unhide sys -v
```
PID Method (Comparison)
```bash
# Compare multiple enumeration techniques
sudo unhide pids
# Methods compared:
# 1. opendir/readdir on /proc
# 2. getdents syscall
# 3. stat syscall
# 4. prctl syscall
# Output:
# PID 2847 hidden from method 1
# PID 3921 hidden from method 2
```
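The cross-check that the procfs and PID-comparison sections describe, written out as a small Python script. This is an added example, not code from the unhide project: it compares a readdir walk of /proc, a kill(pid, 0) probe of every PID up to pid_max (which never touches /proc, so a hooked directory listing cannot influence it), and the PIDs that ps reports. It also handles the two classic false-positive sources a practitioner runs into with this technique: thread IDs, for which kill(tid, 0) also succeeds, and processes that start or exit between two enumerations. The function names and the threshold of two agreeing passes are my choices.

```python
"""Cross-check three PID enumeration methods, the idea behind unhide's
procfs/brute tests. Added example; not code from the unhide project."""
import os
import subprocess


def proc_ids():
    """Method 1: walk /proc the way ls and ps do. Thread IDs are collected
    as well, because a kill(tid, 0) probe succeeds for threads too and they
    would otherwise look like hidden processes."""
    pids, tids = set(), set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pids.add(int(name))
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
        except OSError:
            pass  # the process exited while we were looking
    return pids, tids


def brute_ids(pid_max=None):
    """Method 2: probe every PID with kill(pid, 0); this never touches /proc,
    so a rootkit filtering directory listings cannot affect it. EPERM means
    the process exists but is owned by someone else; only ESRCH means absent."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())  # one syscall per PID, so a pass takes seconds
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def ps_pids():
    """Method 3: what procps reports (its own PID will be in the output)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def compare(pids, tids, brute, ps):
    """Pure comparison of the three views; testable on constructed sets."""
    return {
        "hidden_from_proc": sorted(brute - pids - tids),  # alive, absent from readdir
        "hidden_from_ps": sorted(pids - ps),              # in /proc, absent from ps
    }


def scan(passes=2, pid_max=None):
    """Live scan. A PID is reported only if every pass flags it, which drops
    processes that merely started or exited between two enumerations."""
    agreed = None
    for _ in range(passes):
        pids, tids = proc_ids()
        brute = brute_ids(pid_max)
        found = compare(pids, tids, brute, ps_pids())
        if agreed is None:
            agreed = {key: set(val) for key, val in found.items()}
        else:
            for key in agreed:
                agreed[key] &= set(found[key])
    return {key: sorted(val) for key, val in agreed.items()}


if __name__ == "__main__":
    for key, val in scan().items():
        print(f"{key}: {val or 'none'}")
```

The /proc walk is deliberately taken before the brute probe in each pass, so a process that appears in between shows up in only one pass and is dropped by the intersection. With the default pid_max of 4194304 on recent kernels, one brute pass is a few million syscalls; pass a smaller pid_max for a quick look, but only a full-range probe matches what unhide's brute test does.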
Comprehensive Scanning
Quick Scan

```bash
# Run all detection methods quickly
sudo unhide quick
# Output summary:
# Scanning for hidden processes...
# Method 1: 145 processes found
# Method 2: 142 processes found
# Method 3: 144 processes found
# Discrepancies detected: 3 hidden processes
```
Detailed Scanning
```bash
# Verbose output with all details; unhide always needs a test name,
# and quick combines the proc, procfs and sys checks
sudo unhide -v quick
# -v can be repeated for more information
sudo unhide -vv quick
# -d double-checks the brute test to reduce false positives (it is not a debug switch)
sudo unhide -d brute
```
All Detection Methods
```bash
# Run all scanning techniques sequentially
for method in procfs sys pids; do
  echo "[*] Running $method method..."
  sudo unhide $method
done
```
Network Port Detection
Hidden TCP Ports

```bash
# Detect hidden TCP ports
sudo unhide-tcp
# Output shows anomalies:
# Scanning TCP connections...
# [+] Port 22 visible in netstat
# [+] Port 443 visible in netstat
# [+] Port 3128 NOT visible in netstat (HIDDEN)
# Confirm that the port really is absent from netstat (-p needs root to show owning PIDs)
sudo netstat -tlnp | grep 3128
```
Hidden UDP Ports
```bash
# Detect hidden UDP ports
sudo unhide-udp
# Check for backdoor ports
sudo unhide-udp -v
# List UDP listeners for comparison: -l already selects listening sockets, and
# UDP entries carry no LISTEN state, so grepping for it would return nothing
sudo netstat -ulnp
```
Combined Network Scan
```bash
# Check both TCP and UDP
sudo unhide-tcp
sudo unhide-udp
# Monitor real-time
watch -n 5 'sudo unhide-tcp && sudo unhide-udp'
# Log findings
sudo unhide-tcp > tcp_hidden.txt
sudo unhide-udp > udp_hidden.txt
```
Network Connection Monitoring
Listen Mode

```bash
# Monitor network connections
sudo unhide -l
# Detailed connection monitoring
sudo unhide -l -v
# Listen with TCP checking
unhide -l --tcp
# Listen with UDP checking
unhide -l --udp
```
Connection Analysis
```bash
# Compare netstat output across methods
netstat -tlnp > netstat_output.txt
ss -tlnp > ss_output.txt
# Find differences
diff netstat_output.txt ss_output.txt
# Check specific port
sudo lsof -i :22
sudo ss -tlnp | grep :22
```
Rootkit Detection Workflow
Comprehensive System Analysis

```bash
# Step 1: Process detection
echo "[*] Step 1: Detecting hidden processes..."
sudo unhide procfs -v
# Step 2: Network anomalies
echo "[*] Step 2: Detecting hidden ports..."
sudo unhide-tcp
sudo unhide-udp
# Step 3: File system anomalies: count the entries of /usr/bin two independent ways
# (a directory listing and a find walk); the counts should agree
echo "[*] Step 3: Checking file anomalies..."
ls -A /usr/bin | wc -l
find /usr/bin -mindepth 1 -maxdepth 1 | wc -l
# Step 4: Compare outputs
echo "[*] Step 4: Analyzing discrepancies..."
```
Process Anomaly Analysis
```bash
# Get normal process count
ps aux | wc -l
# Check unhide findings
sudo unhide pids | grep -i "hidden"
# Detailed analysis
ps aux > normal_processes.txt
# Open files of a suspected process (replace PID; $$ would only show this shell's own files)
sudo lsof -p PID > open_files.txt
# Look for user-space processes borrowing kernel-thread names: genuine kernel
# threads are shown in brackets and have no /proc/PID/exe link
ps aux | grep -E "kthreadd|kworker|kswapd"
```
Kernel Module Inspection
Check for Hidden Modules

```bash
# List loaded modules
lsmod
# Check total module count
lsmod | wc -l
# Unhide may reveal discrepancies (a test name is required)
sudo unhide -v quick
# Manual inspection: /proc/modules is what lsmod reads, while /sys/module also
# lists built-in modules, so its count is normally higher. Only entries with an
# initstate file are loaded modules, so count those for a like-for-like comparison.
cat /proc/modules | wc -l
ls /sys/module | wc -l
ls -d /sys/module/*/initstate | wc -l
```
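The same cross-check done properly, as an added Python example (not part of unhide or the Kali docs): it parses /proc/modules, reads /sys/module and keeps only the directories that carry an initstate file, then reports names present in one list but not the other. The sample texts, the module name suspicious_mod and the function names are constructed for the example.

```python
"""Cross-check the kernel's two module lists. Added example, not part of
unhide. /proc/modules is what lsmod prints; /sys/module also contains
built-in modules, so a raw count comparison always differs. Only a
directory with an initstate file is a loaded module."""
import os

# Constructed sample of /proc/modules (name size refcount deps state offset)
SAMPLE_PROC_MODULES = """\
ext4 786432 2 - Live 0xffffffffc0a00000
mbcache 16384 1 ext4, Live 0xffffffffc09f0000
"""

# Constructed sample of /sys/module: name -> whether an initstate file exists
SAMPLE_SYS_MODULE = {
    "ext4": True,
    "mbcache": True,
    "printk": False,          # built-in, exposes parameters only
    "suspicious_mod": True,   # hypothetical: loaded but unlinked from the module list
}


def proc_module_names(text):
    """Names from /proc/modules text (first whitespace-separated field)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def sys_loaded_names(entries):
    """Names of loaded modules from a {name: has_initstate} mapping."""
    return {name for name, loaded in entries.items() if loaded}


def compare_modules(proc_names, sys_names):
    """Both directions: a module only in sysfs has been unlinked from the
    list lsmod reads; a module only in /proc/modules is just as odd."""
    return {
        "in_sysfs_not_lsmod": sorted(sys_names - proc_names),
        "in_lsmod_not_sysfs": sorted(proc_names - sys_names),
    }


def read_sys_module():
    """Live view of /sys/module as the same {name: has_initstate} mapping."""
    return {
        name: os.path.exists(os.path.join("/sys/module", name, "initstate"))
        for name in os.listdir("/sys/module")
    }


def live_scan():
    """Run the comparison against the running kernel."""
    with open("/proc/modules") as fh:
        proc_names = proc_module_names(fh.read())
    return compare_modules(proc_names, sys_loaded_names(read_sys_module()))


if __name__ == "__main__":
    print(compare_modules(proc_module_names(SAMPLE_PROC_MODULES),
                          sys_loaded_names(SAMPLE_SYS_MODULE)))
    if os.path.isdir("/sys/module"):
        print(live_scan())
```

An empty result is absence of evidence only: a module that also removes its sysfs entry leaves nothing for this comparison to find, which is why this check is one input among several rather than a verdict on its own.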
Module Analysis
```bash
# List all kernel modules
lsmod > loaded_modules.txt
# Check suspicious modules
grep -i "hidden\|backdoor\|rootkit\|snake" loaded_modules.txt
# Module parameters
modinfo module_name
# Remove suspicious module (if needed)
sudo rmmod module_name
```
Comparative Enumeration Techniques
Method Comparison

```bash
# Get PIDs from /proc
ls /proc | grep -E '^[0-9]+$' | sort -n > pids_proc.txt
# Get PIDs from ps
ps -e -o pid= | sort -n > pids_ps.txt
# Get PIDs by stat-ing every possible /proc/<pid> directly; this bypasses the
# directory listing that readdir-filtering rootkits tamper with (slow: one probe
# per PID up to pid_max). The /sys tree does not list PIDs, so it is no use here.
for pid in $(seq 1 "$(cat /proc/sys/kernel/pid_max)"); do
  [ -d "/proc/$pid" ] && echo "$pid"
done | sort -n > pids_brute.txt
# Compare outputs. ps and the loop run after the /proc listing, so short-lived
# PIDs (including ps itself) cause benign one-line differences; re-run before trusting a hit
diff pids_proc.txt pids_ps.txt
diff pids_proc.txt pids_brute.txt
```
Network Port Comparison
```bash
# Listening TCP ports from netstat (skip its two header lines; port is the number after the last colon)
netstat -tln | awk 'NR>2 {print $4}' | grep -oE '[0-9]+$' | sort -un > netstat_ports.txt
# Listening TCP ports from ss (ss queries the kernel over netlink rather than /proc)
ss -tln | awk 'NR>1 {print $4}' | grep -oE '[0-9]+$' | sort -un > ss_ports.txt
# Listening TCP ports decoded from /proc/net/tcp: the port is the hex value after
# the colon in local_address, and state 0A means LISTEN
awk 'NR>1 && $4 == "0A" {split($2, a, ":"); print a[2]}' /proc/net/tcp \
  | while read -r hex; do printf '%d\n' "0x$hex"; done | sort -un > proc_ports.txt
# Compare all three views
diff netstat_ports.txt ss_ports.txt
diff ss_ports.txt proc_ports.txt
```
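The port comparison above, and the "port 3128 NOT visible in netstat" case from the Hidden TCP Ports section, implemented as an added Python example (not code from unhide or Kali). It decodes the hex local_address field of /proc/net/tcp and /proc/net/tcp6 (little-endian host assumed, as on x86), parses the output of ss -tln, and reports ports present in one view but not the other. Because ss asks the kernel over netlink while /proc/net/tcp goes through procfs, a socket hidden from one interface but not the other stands out in either direction. The sample texts, port numbers and function names are constructed for the example.

```python
"""Decode /proc/net/tcp directly and compare it with ss. Added example, not
part of unhide or Kali. ss asks the kernel over netlink (sock_diag) while
/proc/net/tcp goes through procfs, so a socket hidden from one interface
but not the other stands out."""
import socket
import subprocess

TCP_LISTEN = "0A"  # value of the 'st' column for a listening socket

# Constructed sample in /proc/net/tcp format: 22 listening on all interfaces,
# 3128 listening on localhost, and one established connection to 22
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0C38 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0200007F:A3F2 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
"""

# Constructed sample of `ss -tln` output that knows only about port 22
SAMPLE_SS_TLN = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
"""


def decode_addr(hexaddr):
    """/proc/net/tcp stores IPv4 as one little-endian 32-bit hex word and
    IPv6 as four of them (little-endian host assumed, as on x86)."""
    raw = bytes.fromhex(hexaddr)
    if len(raw) == 4:
        return socket.inet_ntop(socket.AF_INET, raw[::-1])
    words = [raw[i:i + 4][::-1] for i in range(0, 16, 4)]
    return socket.inet_ntop(socket.AF_INET6, b"".join(words))


def parse_proc_net_tcp(text):
    """Return {(ip, port)} for every socket in LISTEN state."""
    listening = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or ":" not in fields[1]:
            continue  # also skips the header of a concatenated tcp6 table
        local, state = fields[1], fields[3]
        if state != TCP_LISTEN:
            continue
        addr_hex, port_hex = local.split(":")
        listening.add((decode_addr(addr_hex), int(port_hex, 16)))
    return listening


def parse_ss_listen(text):
    """Listening ports from `ss -tln` output (4th column is addr:port)."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def compare_ports(proc_text, ss_text):
    """Ports seen by procfs but not netlink, and the reverse."""
    proc_ports = {port for _, port in parse_proc_net_tcp(proc_text)}
    ss_ports = parse_ss_listen(ss_text)
    return {
        "hidden_from_ss": sorted(proc_ports - ss_ports),    # in procfs, not netlink
        "hidden_from_proc": sorted(ss_ports - proc_ports),  # in netlink, not procfs
    }


def live_compare():
    """Run the comparison on the running system (IPv4 and IPv6 tables)."""
    proc_text = ""
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                proc_text += fh.read()
        except OSError:
            pass
    ss_text = subprocess.run(["ss", "-tln"], capture_output=True,
                             text=True, check=True).stdout
    return compare_ports(proc_text, ss_text)


if __name__ == "__main__":
    print(compare_ports(SAMPLE_PROC_NET_TCP, SAMPLE_SS_TLN))
```

A port that only /proc/net/tcp shows (hidden_from_ss) and a port that only ss shows (hidden_from_proc) are both worth following up with the lsof and ss commands from the Connection Analysis section; a listener that neither view shows is exactly the case unhide-tcp's own bind-based check is for.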
Forensic Investigation
Evidence Collection

```bash
# Create forensic image of the disk (preserves files; it does not capture running processes)
sudo dd if=/dev/sda1 of=/external/forensic_image.dd bs=4M
# Mount the copy read-only through a loop device
sudo mkdir -p /mnt/forensic
sudo mount -o ro,loop /external/forensic_image.dd /mnt/forensic
# unhide inspects the live kernel, not a mounted image, so run it on the running
# system and save the output to the evidence volume before the system is powered off
sudo unhide procfs | tee /external/unhide_procfs.txt
```
Incident Analysis
```bash
# Collect baseline data
date > incident_report.txt
hostname >> incident_report.txt
uname -a >> incident_report.txt
# Run unhide checks
sudo unhide procfs -v >> incident_report.txt 2>&1
sudo unhide-tcp >> incident_report.txt 2>&1
sudo unhide-udp >> incident_report.txt 2>&1
# Collect running processes
ps auxf >> incident_report.txt 2>&1
# Collect network connections (-p needs root; a trailing "f" is not a valid option for either tool)
sudo netstat -tulnp >> incident_report.txt 2>&1
sudo ss -tulnp >> incident_report.txt 2>&1
```
Process Information Extraction
```bash
# Get details of a suspected process (replace PID with the suspect's PID)
ps -p PID -o pid,ppid,user,lstart,etime,cmd
# Check process files
sudo ls -la /proc/PID/
# Memory map (not a dump): mapped libraries, anonymous regions and deleted files still in use
sudo cat /proc/PID/maps
# Attach a debugger for memory inspection (gcore inside gdb writes a core dump)
sudo gdb -p PID
# Network connections
sudo lsof -p PID | grep ESTABLISHED
```
Automated Scanning
Scheduled Scanning

```bash
# Add to crontab for periodic monitoring
0 * * * * /usr/sbin/unhide quick >> /var/log/unhide.log 2>&1
# Daily comprehensive scan (a test name is required)
0 2 * * * /usr/sbin/unhide -v quick >> /var/log/unhide_daily.log 2>&1
# Hourly network check
0 * * * * /usr/sbin/unhide-tcp >> /var/log/tcp_hidden.log 2>&1
0 * * * * /usr/sbin/unhide-udp >> /var/log/udp_hidden.log 2>&1
```
Continuous Monitoring
```bash
#!/bin/bash
# Real-time monitoring script (monitor.sh); run it as root so that unhide
# does not prompt for a sudo password from the background
while true; do
  echo "[$(date)] Running unhide scan..."
  unhide quick | grep -i "hidden"
  sleep 300 # Check every 5 minutes
done
```

```bash
# Save to file
sudo ./monitor.sh > hidden_processes.log 2>&1 &
```
Analysis and Reporting
Log Review

```bash
# Check for findings
grep -i "hidden" /var/log/unhide.log
# Count suspicious findings
grep -c "hidden" /var/log/unhide.log
# Timeline analysis
grep "hidden" /var/log/unhide.log | sort
```
Report Generation
```bash
# Create incident report
cat > incident_report.txt << EOF
Unhide Forensic Report
======================
Date: $(date)
System: $(hostname)

Hidden Processes Detected:
$(sudo unhide procfs | grep hidden)

Hidden Ports Detected:
$(sudo unhide-tcp | grep -v "normal")

Recommendations:
1. Isolate system from network
2. Preserve forensic evidence
3. Notify incident response team
4. Begin root cause analysis
EOF
```
Performance Optimization
Selective Scanning

```bash
# Scan specific process
ps aux | grep "apache"
sudo unhide pids | grep "httpd"
# The port checks always cover the full range; filter their output afterwards
sudo unhide-tcp
sudo unhide-udp
# Limit output
sudo unhide quick | head -20
```
Reduce System Impact
```bash
# Run with lower priority
nice -n 19 sudo unhide procfs
# Run in background (a test name is required)
sudo unhide -v quick > unhide_results.txt &
# Monitor progress
ps aux | grep unhide
```
Troubleshooting
Common Issues

| Issue | Solution |
|---|---|
| Permission denied | Run with sudo: sudo unhide procfs |
| No hidden processes found | False negative; system may actually be clean |
| False positives | Verify with other tools: netstat, ss, lsof |
| Slow execution | Reduce verbosity or use “quick” mode |
| Segmentation fault | Update unhide: sudo apt-get update && sudo apt-get install --reinstall unhide |
Debug Mode
```bash
# Verbose output
sudo unhide -v procfs
# Very verbose (-v can be repeated)
sudo unhide -vv procfs
# -d double-checks the brute test to reduce false positives (it is not a debug switch)
sudo unhide -d brute
# Save output, including warnings written to stderr
sudo unhide -vv procfs > debug.txt 2>&1
```
Cross-Platform Deployment
Linux Systems

```bash
# Supported on most Linux distributions
sudo unhide procfs
# Check compatibility
file /usr/sbin/unhide
ldd /usr/sbin/unhide
```
UNIX Systems
```bash
# Works on various UNIX variants
# Adjust paths for BSD/Solaris
unhide -v quick
# Check system-specific processes
ps -ef | wc -l
unhide pids
```
Integration with Other Tools
Combined Malware Analysis

```bash
# Unhide + ClamAV
sudo unhide procfs > hidden.txt
clamscan -r / --log=clamav.log
# Unhide + Rootkit Hunter
sudo unhide quick
sudo rkhunter --check
# Unhide + AIDE
aide --check
sudo unhide procfs
```
SIEM Integration
```bash
# Send unhide findings to syslog
sudo unhide procfs | while read -r line; do
  logger -t unhide "$line"
done
# Monitor in SIEM
grep "hidden" /var/log/syslog
# Centralized logging
unhide procfs | nc siem.local 514
```
Security Best Practices
- Regular Scanning: Run unhide weekly or monthly
- Baseline Establishment: Document normal process/port counts
- Investigation Protocol: Verify findings with multiple tools
- Evidence Preservation: Document all suspicious findings
- Incident Response: Escalate confirmed rootkit detections
- System Hardening: Implement kernel protection mechanisms
Resources
- Unhide Project: http://www.unhide-forensics.info/
- Linux Rootkit Detection: https://www.linux.com/
- Kernel Forensics: https://linux-kernel-labs.github.io/
- AIDE Documentation: http://aide.sourceforge.net/
- Rootkit Hunter: http://rkhunter.sourceforge.net/
Unhide is essential for forensic investigators and system administrators conducting rootkit detection, incident response, and system compromise investigations on Linux and UNIX systems.