
Unhide

Unhide is a forensic tool for finding hidden processes and hidden listening ports — the classic symptoms of a rootkit or other kernel-level malware. It does not look for signatures. It enumerates processes through several independent paths (the ps listing, a walk of /proc, a set of PID-taking system calls, a brute-force probe of every possible PID) and enumerates ports by actually trying to bind or connect to each one, then reports whatever one path sees and another does not. That design also defines its limits: it runs on the suspect kernel, so a rootkit that hooks every path consistently can still evade it, and a run with no findings is one piece of evidence, not proof the host is clean.

Rootkits typically hide processes by hooking system calls or patching kernel data structures so that the usual listing tools are lied to. Unhide relies on such hooks rarely being complete: it cross-compares enumeration methods and flags the discrepancies. Every finding needs confirmation — a process that starts or exits between two enumerations shows up as a discrepancy too.

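# Install from the distribution repositories (Debian/Ubuntu/Kali). The
# package is signed by the distro, which is the safest way to obtain the tool.
# On a host you already suspect, prefer a copy built elsewhere and carried in
# on read-only media: apt, its libraries and the package cache on a rooted
# host may no longer be trustworthy.
sudo apt-get update
sudo apt-get install -y unhide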
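# Build from a release tarball.
# The original fetched the archive over plain http://, which lets anyone on
# the path swap it for a trojaned one. Use https if the site serves it
# (otherwise take the release from the project's source repository), and
# compare the archive against the checksum or signature the project
# publishes before unpacking.
wget https://www.unhide-forensics.info/unhide-20130526.linux.tgz
sha256sum unhide-20130526.linux.tgz   # compare with the value published upstream
tar -xzf unhide-20130526.linux.tgz
cd unhide-20130526 || exit 1

# Compile with the archive's own Makefile/build script. Upstream links unhide
# statically so the binary does not pull in a shared libc that an LD_PRELOAD
# or libc-hooking rootkit may have replaced; keep that (-static) if you
# adjust the flags, and confirm the exact flags in the shipped build files.
make

# Install
sudo make install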
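# Run from a container that shares the host PID namespace, so the process
# tests see host processes. Caveats:
#   - --pid=host is needed for the process tests; unhide-tcp additionally
#     needs --network=host or it only sees the container's own sockets.
#   - some tests may need extra capabilities (e.g. --cap-add=SYS_PTRACE)
#     to inspect other users' processes; check the tool's warnings.
#   - the base image may not ship unhide — install it inside first.
#   - the container still runs on the host's kernel, so a kernel-level
#     rootkit hides from it exactly as from a native run; this is a
#     convenience, not an independent vantage point.
#   - pin the image by digest rather than the floating tag so you know
#     which code you executed on a host under investigation.
docker run -it --rm --pid=host --network=host kalilinux/kali-rolling \
    sh -c 'apt-get update && apt-get install -y unhide && unhide procfs'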
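# Build from the source repository.
# Confirm this URL is the project's current official repository before
# cloning, and build from a tagged release (git tag; git checkout <tag>)
# rather than an unpinned HEAD so the tool you ran is reproducible.
git clone https://github.com/unhide-forensics/unhide.git
cd unhide || exit 1

# Compile. `gcc unhide.c -lm` is not how the project builds: the Linux tool
# is several source files (unhide-linux*.c plus the output helpers) and
# upstream links it statically so a libc-hooking rootkit cannot interfere
# with its own enumeration. Use whichever build script or Makefile the
# checkout provides; if compiling by hand, pass -static -pthread and list
# every source file the build script lists.
make    # or the checkout's build script, if it has no Makefile

# Install binary
sudo install -m 0755 unhide /usr/local/bin/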
CommandPurpose
unhide procCompare the ps listing with the /proc directory listing
unhide procfsCompare the ps listing with a stat/chdir walk of /proc (with -m, also the /proc/<pid> entries)
unhide procallRun proc and procfs together
unhide sysCompare the ps listing with PID-taking system calls (kill, getpriority, getsid, sched_* ...) — unrelated to the /sys filesystem
unhide reverseCheck that everything ps shows is also visible via procfs and the system calls (intended to catch fake/decoy entries)
unhide quickproc + procfs + sys in a fast mode; more false positives, suited to periodic checks
unhide bruteProbe every possible PID directly; slow but thorough; -d double-checks hits
unhide-tcpFind TCP and UDP ports that are bound but absent from ss/netstat/lsof — one tool covers both protocols
Test names follow the unhide man page; confirm with `unhide -h` on your version. `unhide pids`, `unhide -l` and `unhide-udp`, listed in the original table, are not commands unhide provides.
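# Compare the ps listing with a walk of the procfs (stat/chdir on every
# possible /proc/<pid>). Root is required so every process is visible to
# both sides of the comparison.
sudo unhide procfs

# Real output is terse: a heading per test and, for each PID some method
# sees but ps does not, a line of the form
#   Found HIDDEN PID: 1234
# (check the exact wording on your build). A process that starts or exits
# between the two enumerations is reported as HIDDEN too, so re-run the test
# and look at /proc/<pid> before treating a hit as real; the -d option adds a
# double check for the brute test to filter such transients.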
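# The `sys` test has nothing to do with the /sys filesystem: it compares the
# ps listing with what a series of PID-taking system calls report (kill,
# getpriority, getpgid, getsid, sched_getaffinity and friends). A rootkit
# that hooks the /proc directory listing but not these calls shows up here.
sudo unhide sys

# Options go before the test name; -m enables additional checks for the
# procall and sys tests (confirm with `unhide -h` on your version).
sudo unhide -v -m sys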
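# `unhide pids` is not a test name. The tests that compare enumeration
# methods are:
#   proc     ps listing vs the /proc directory listing
#   procfs   ps listing vs a stat/chdir walk of /proc
#   procall  proc + procfs
#   sys      ps listing vs PID-taking system calls (kill, getpriority,
#            getpgid, getsid, sched_* ...)
#   reverse  everything ps shows must also be visible via procfs and the
#            system calls (catches decoy entries)
# Check `unhide -h` / man unhide on your version for the exact list.
sudo unhide proc
sudo unhide sys
sudo unhide reverse

# Each test prints a heading and then one line per discrepancy, e.g.
#   Found HIDDEN PID: 2847
# A PID flagged by only one test is usually a process that exited mid-scan;
# a PID flagged by several tests deserves a look at /proc/<pid>.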
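# `quick` combines the proc, procfs and sys tests in a faster mode meant for
# periodic checks. It produces more false positives than the full tests, so
# treat a quick hit as the trigger for running the slower tests, not as a
# conclusion.
sudo unhide quick

# Output is a heading per sub-test plus a "Found HIDDEN PID: N" line per
# hit. unhide reports discrepancies, not per-method totals — the "Method 1:
# 145 processes found" summary in the original does not exist. A clean run
# prints no PID lines at all.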
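# Verbosity and logging. unhide requires at least one test name: `unhide -v`
# on its own only prints the usage text. Options are written before the
# tests. The option set differs between the 2013 release and later ones, so
# confirm with `unhide -h`.

# Verbose: also print warnings (the default is to stay quiet about them)
sudo unhide -v procall sys

# Very verbose
sudo unhide -vv procall sys

# There is no debug switch. -d double-checks hits in the brute test to drop
# processes that merely exited mid-scan; -m adds extra checks to procall/sys;
# -f writes unhide-linux.log in the current directory — run from external
# media so that log does not land on the suspect disk.
sudo unhide -d -f brute
sudo unhide -m -f procall sys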
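# Run several tests in sequence. Only real test names are used here
# (`pids` is not one); the variable is quoted. sudo caches its ticket, so
# one password prompt covers the loop — or run the whole loop from a root
# shell.
for method in proc procfs sys reverse; do
    printf '[*] Running %s test...\n' "$method"
    sudo unhide "$method"
done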
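# Hidden ports: unhide-tcp tries every TCP and UDP port itself (bind or
# connect) and compares what it could reach with what ss/netstat/lsof
# report. Root is needed so the reference tools see all socket owners.
sudo unhide-tcp

# Only discrepancies are printed (roughly "Found Hidden TCP/UDP port N" —
# check the wording on your build); there are no per-port "visible" lines.
# Because the test binds ports, a service that starts mid-scan can produce
# a false hit — re-run before acting.

# A port that ss/netstat do not show cannot be confirmed by grepping netstat
# again, which is what the original did. Confirm from a different vantage
# point: a connect attempt from another host (nmap/nc against this machine),
# lsof (which walks /proc/<pid>/fd), and the raw /proc/net tables.
sudo lsof -nP -iTCP:3128
sudo ss -tlnp | grep ':3128 '
grep -i ':0C38 ' /proc/net/tcp /proc/net/tcp6     # 0x0C38 == 3128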
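# There is no `unhide-udp` binary in unhide: the port test is unhide-tcp,
# and it checks UDP as well as TCP in the same run.
sudo unhide-tcp

# Verbose run (warnings included)
sudo unhide-tcp -v

# Compare UDP listeners. UDP sockets have no LISTEN state, so the original
# `grep LISTEN` over the UDP list always matched nothing; the UDP table
# itself is the list of bound sockets. Root is needed for -p (owner).
sudo ss -ulnp
sudo netstat -ulnp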
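# unhide-tcp covers both TCP and UDP in one run (there is no unhide-udp).
sudo unhide-tcp

# Periodic re-checks. Keep the interval long: each run probes all 65535 TCP
# and UDP ports, which takes time, floods connection logs and can briefly
# interfere with a service trying to bind a port. A 5-second watch loop is
# far too aggressive. Run it from a root shell — sudo cannot prompt inside
# watch — and use ';' rather than '&&' if you chain commands, so a non-zero
# exit from one does not skip the next.
sudo watch -n 600 'unhide-tcp; date'

# Log findings, including stderr where warnings go. On a suspect host write
# to external media rather than the local disk.
sudo unhide-tcp > ports_hidden.txt 2>&1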
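# There is no `unhide -l` listen mode. The -l flag belongs to unhide-tcp,
# where it means "use lsof as well" as a reference view; -n and -s select
# netstat and ss. Using more than one reference is worthwhile because each
# reaches the kernel differently (netstat parses /proc/net, ss uses netlink
# sock_diag, lsof walks /proc/<pid>/fd), so a userland hook on one of them
# is caught by the others. Confirm the flag set with `unhide-tcp -h`.

# Compare against lsof in addition to the default reference
sudo unhide-tcp -l

# Verbose, with netstat and ss as references
sudo unhide-tcp -v -n -s

# There are no --tcp/--udp selectors: every run tests both protocols.
sudo unhide-tcp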
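# Two user-space views of listening sockets that reach the kernel by
# different routes: netstat parses /proc/net/tcp*, ss uses the netlink
# sock_diag interface. A difference between them points at a hook on one
# path; identical lies from both would need the kernel itself to be hooked.
# Diffing the raw outputs always "differs" (different column layouts), so
# reduce each to its local address:port list first. Root is needed for -p
# and for sockets owned by other users. Expect one cosmetic difference:
# the IPv6 wildcard prints as :::22 in netstat and [::]:22 in ss.
sudo netstat -tln | awk 'NR > 2 { print $4 }' | sort -u > netstat_output.txt
sudo ss -tlnH      | awk '{ print $4 }'        | sort -u > ss_output.txt   # older ss: drop -H and use tail -n +2

# Find differences
diff netstat_output.txt ss_output.txt

# Check a specific port via a third path (lsof walks /proc/<pid>/fd).
# -nP keeps addresses and ports numeric so the filter matches what you typed.
sudo lsof -nP -iTCP:22 -sTCP:LISTEN
sudo ss -tlnp | grep ':22 '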
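# Step 1: Process detection (options before the test names)
echo "[*] Step 1: Detecting hidden processes..."
sudo unhide -v procall sys

# Step 2: Network anomalies (unhide-tcp tests TCP and UDP; there is no unhide-udp)
echo "[*] Step 2: Detecting hidden ports..."
sudo unhide-tcp

# Step 3: File system anomalies. The original compared `ls -la | wc -l` with
# `stat /usr/bin | wc -l`, but stat prints a fixed-size summary for the one
# directory, so that comparison means nothing. Counting entries through two
# different tools is at least a real comparison — yet both use readdir, so a
# kernel-level file hider fools both. Hidden files are better found offline
# (disk image mounted on a clean host) or against an integrity baseline
# (AIDE) taken before the incident.
echo "[*] Step 3: Checking file anomalies..."
ls -A /usr/bin | wc -l
find /usr/bin -mindepth 1 -maxdepth 1 | wc -l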

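# Step 4: Compare outputs
echo "[*] Step 4: Analyzing discrepancies..."
# Get the visible process count (ps -eo pid= prints no header line, so the
# count is not off by one as with `ps aux | wc -l`)
ps -eo pid= | wc -l

# Check unhide findings (output says "HIDDEN" in upper case; `unhide pids`
# is not a test name)
sudo unhide procall sys | grep -i 'hidden'

# Snapshot the visible process table for the record
ps -eo pid,ppid,user,stat,lstart,comm,args > normal_processes.txt

# The original ran `lsof -p $$`, i.e. the open files of this very shell.
# Capture open files of a suspect PID instead, once you have one:
#   sudo lsof -nP -p <PID> > open_files.txt

# Verify kernel-thread look-alikes. Genuine kernel threads are children of
# kthreadd (PPID 2), have an empty /proc/<pid>/cmdline and print in brackets
# in the args column. A user process merely named kworker has an ordinary
# parent, a command line and an executable on disk. Anything below with
# PPID != 2 or a non-bracketed args column deserves a look.
ps -eo pid,ppid,comm,args | awk 'NR == 1 || $3 ~ /^(kthreadd|kworker|kswapd)/'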
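# Loaded kernel modules. lsmod only pretty-prints /proc/modules, so the two
# always agree and counting both proves nothing. A classic rootkit trick is
# to unlink its own entry from the kernel's module list (which feeds
# /proc/modules and lsmod) while leaving its sysfs directory behind, so
# /sys/module is a useful second view — with one caveat: /sys/module also
# holds an entry for every *built-in* module, so some "extras" are normal.
# Compare names, then explain each extra against a clean host running the
# same kernel or against the module files under /lib/modules/$(uname -r).
lsmod
lsmod | wc -l

# unhide has no module test; its process and port checks complement this
# step rather than replace it
sudo unhide procall sys

# Names from /proc/modules vs directory names in /sys/module
awk '{ print $1 }' /proc/modules | sort > modules_proc.txt
ls /sys/module | sort > modules_sys.txt
# Lines printed below exist in /sys/module but not in /proc/modules
comm -13 modules_proc.txt modules_sys.txt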
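# List all kernel modules (lsmod reads /proc/modules, which a rootkit may
# already be filtering — the /sys/module comparison is the cross-check)
lsmod > loaded_modules.txt

# Grepping for words like "rootkit" or "hidden" finds nothing real: no
# attacker names a module that way. Compare the list against a baseline from
# a known-good host running the same kernel instead, and explain every module
# that did not ship with the kernel package.
diff <(sort loaded_modules.txt) <(sort /external/known_good_lsmod.txt)

# Module details: where the file lives and whether it is signed. A module
# with no signer on a kernel where the others are signed, or a file outside
# /lib/modules/$(uname -r), is a red flag. modinfo resolves a bare name
# through the running kernel's module directory; a module that was loaded
# by path from elsewhere (e.g. /tmp) will not be found that way — give the
# full path if you have it.
modinfo module_name
modinfo -F filename module_name
modinfo -F signer module_name

# Do NOT rmmod a suspected rootkit on a live incident host as a first step:
# it destroys evidence, and hostile modules often refuse to unload or crash
# the kernel on the way out. Take a memory image and record the findings
# first; unload only as a deliberate containment decision.
# sudo rmmod module_name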
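# Three PID views. `ls /proc` and ps both go through the /proc directory
# listing (readdir), so they agree even under a readdir-hooking rootkit;
# the third view asks the kernel about every possible PID with kill(2)
# signal 0 (existence check only, nothing is sent), which a rootkit has to
# hook separately. Run as root — otherwise kill -0 fails with EPERM on
# other users' processes and they would all look "hidden".
# The original's third source, `ls /sys/kernel/debug/tracing/instances/`,
# lists ftrace instances, not PIDs, and compared nothing.
[ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }

# Get PIDs from /proc (readdir)
ls /proc | grep -E '^[0-9]+$' | sort -n > pids_proc.txt

# Get PIDs from ps (also readdir on /proc, but through a different binary)
ps -eo pid= | tr -d ' ' | sort -n > pids_ps.txt

# Get PIDs by probing every possible PID with kill -0. This walks up to
# pid_max entries (often millions) and takes minutes; that is expected.
pid_max=$(cat /proc/sys/kernel/pid_max)
: > pids_kill.txt
pid=1
while [ "$pid" -le "$pid_max" ]; do
    kill -0 "$pid" 2>/dev/null && echo "$pid" >> pids_kill.txt
    pid=$((pid + 1))
done

# Compare. PIDs of the helpers this script itself runs (ls, ps, sort ...)
# come and go between snapshots, so confirm any hit with a second pass and
# a look at /proc/<pid> before calling it hidden.
diff pids_proc.txt pids_ps.txt
diff pids_ps.txt pids_kill.txt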
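# Listening TCP ports from three paths. netstat reads /proc/net/tcp{,6};
# ss asks the kernel over netlink (sock_diag); the raw /proc table is read a
# third time here and decoded by hand. Two different code paths are what
# make a disagreement interesting. The original extracted every hex field
# from /proc/net/tcp (addresses and ports alike, header included), so its
# third list could never match the first two.

# Decode listening ports from a /proc/net/tcp-style table ($1).
# Column 2 is the local "hexaddr:hexport"; column 4 is the socket state and
# 0A is TCP LISTEN. Prints one decimal port per line, sorted, de-duplicated.
proc_tcp_listen_ports() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$1" \
      | while IFS= read -r hexport; do printf '%d\n' "0x$hexport"; done \
      | sort -un
}

# TCP ports from netstat (local column is addr:port; keep the port only;
# the first two lines are headers)
netstat -tln | awk 'NR > 2 { n = split($4, a, ":"); print a[n] }' | sort -un > netstat_ports.txt

# TCP ports from ss (-H drops the header; older ss: use tail -n +2)
ss -tlnH | awk '{ n = split($4, a, ":"); print a[n] }' | sort -un > ss_ports.txt

# TCP ports from /proc (IPv4 and IPv6 tables)
{ proc_tcp_listen_ports /proc/net/tcp; proc_tcp_listen_ports /proc/net/tcp6; } | sort -un > proc_ports.txt

# Compare all three. A port in /proc but absent from ss/netstat, or in ss
# but absent from /proc, needs an explanation.
diff netstat_ports.txt ss_ports.txt
diff ss_ports.txt proc_ports.txt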
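# Disk imaging and unhide do not combine. unhide interrogates the running
# kernel (process tables, system calls, live sockets); mounting an image and
# running `unhide procfs` from inside that directory only scans the analysis
# host, as the original did. Hidden-process evidence for an offline case has
# to come from a memory image taken while the system was live (analysed with
# a memory-forensics toolkit), or from unhide output captured on the live
# host and preserved before imaging.

# Create a forensic image of the disk — ideally from a boot medium or through
# a write blocker, since imaging a mounted live filesystem yields an
# inconsistent copy. Hash it immediately so later work can be shown to use
# the same bytes.
sudo dd if=/dev/sda1 of=/external/forensic_image.dd bs=4M conv=noerror,sync status=progress
sha256sum /external/forensic_image.dd | tee /external/forensic_image.dd.sha256

# Mount the copy read-only and without executing anything from it.
# noload is ext3/ext4-specific: it stops the journal from being replayed,
# which a plain ro mount would otherwise do, modifying the evidence. Drop it
# for other filesystems.
sudo mkdir -p /mnt/forensic
sudo mount -o ro,loop,noexec,nosuid,nodev,noload /external/forensic_image.dd /mnt/forensic

# File-level work on the copy (hashes, timelines, config and cron review) is
# appropriate here; process and port hiding is a live-system question.
cd /mnt/forensic || exit 1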
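# Collect volatile state first, most volatile first (processes and sockets
# before anything else). Write to external media, not the suspect disk, and
# use static binaries you brought with you where possible — on a rooted host
# ps, netstat and ss themselves may be lying.
out=${REPORT:-incident_report.txt}     # point REPORT at external media

{
    echo "=== collected: $(date -u +%Y-%m-%dT%H:%M:%SZ) ==="
    hostname
    uname -a
    id
} >> "$out"

# Run unhide checks (options before the test names). unhide-tcp covers both
# TCP and UDP; there is no unhide-udp.
sudo unhide -v procall sys reverse >> "$out" 2>&1
sudo unhide-tcp >> "$out" 2>&1

# Collect running processes
ps auxf >> "$out" 2>&1

# Collect network connections. The original passed -f to both tools: netstat
# has no -f option and ss -f expects an address family, so both commands
# failed and the report silently lacked the socket list.
sudo netstat -tulnp >> "$out" 2>&1
sudo ss -tulnp >> "$out" 2>&1

# Hash the report once collection is complete
sha256sum "$out" > "$out.sha256"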
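# Examine a suspect PID directly through /proc rather than via ps: a PID
# unhide reported is, by construction, one ps does not show, so `ps | grep`
# finds nothing. Set PID to the number unhide printed.
PID=1234

# Identity: binary, command line, owner, parent. "(deleted)" on the exe link
# means the executable was removed from disk while it keeps running — a
# common malware trait, and a reason to dump memory before doing anything.
sudo ls -l /proc/"$PID"/exe
sudo cat /proc/"$PID"/cmdline | tr '\0' ' '; echo
sudo grep -E '^(Name|PPid|Uid|Gid):' /proc/"$PID"/status
sudo ls -la /proc/"$PID"/

# Memory: /proc/PID/maps is the mapping list, not a dump. Take a core with
# gcore (ships with gdb): non-interactive and less disruptive to the
# process than an attached gdb session. Save it to external media.
sudo cat /proc/"$PID"/maps
sudo gcore -o /external/pid"$PID" "$PID"

# Network connections (-nP: numeric, no name lookups that could leak the
# investigation via DNS)
sudo lsof -nP -p "$PID" | grep -E 'ESTABLISHED|LISTEN'

# Do not kill the process yet — its memory is evidence.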
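# Entries for root's crontab (`sudo crontab -e`), not for a shell script:
# cron does not go through sudo and unhide needs root. unhide's own output
# has no timestamps, so the runs here go through logger, which stamps every
# line and lets the syslog daemon forward it off the host — a log that only
# exists on a rooted machine can be edited by the rootkit. If you prefer
# files, append `>> /var/log/unhide.log 2>&1` instead and keep the log
# directory unwritable by non-root users. `unhide -v` without a test name
# only prints usage, so the daily entry names its tests.
#
# Hourly quick scan (fast combination of proc/procfs/sys; more false
# positives than the full tests):
0 * * * * /usr/sbin/unhide quick 2>&1 | /usr/bin/logger -t unhide -p auth.notice
#
# Daily deeper scan (add `brute` if the runtime is acceptable for the host):
0 2 * * * /usr/sbin/unhide -m procall sys reverse 2>&1 | /usr/bin/logger -t unhide-daily -p auth.notice
#
# Port check (covers TCP and UDP; there is no unhide-udp). Each run probes
# all 65535 ports of both protocols, so consider a few times a day rather
# than hourly on busy hosts:
0 */6 * * * /usr/sbin/unhide-tcp 2>&1 | /usr/bin/logger -t unhide-tcp -p auth.notice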
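#!/usr/bin/env bash
# Periodic monitoring loop around `unhide quick`.
# Usage: chmod +x monitor.sh && sudo ./monitor.sh >> /var/log/unhide_monitor.log 2>&1 &
#
# Run it as root: unhide needs root, and a `sudo` inside a backgrounded
# loop cannot prompt for a password. Every iteration is logged, including
# clean ones, so a silent log means the loop died, not that the host is
# clean. Hits are additionally sent to syslog so they can leave the host —
# an on-host monitor is only as trustworthy as the kernel it runs on, and
# a rootkit that hides processes can equally stop this loop or edit its log.
set -u
interval=${INTERVAL:-300}   # seconds between scans

[ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }

while true; do
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    hits=$(unhide quick 2>&1 | grep -i 'hidden')   # unhide prints "Found HIDDEN PID: N"
    if [ -n "$hits" ]; then
        printf '[%s] ALERT\n%s\n' "$stamp" "$hits"
        printf '%s\n' "$hits" | logger -t unhide-monitor -p auth.alert
    else
        printf '[%s] scan completed, no hidden PIDs reported\n' "$stamp"
    fi
    sleep "$interval"
done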
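# Review the cron/monitor logs. unhide writes "HIDDEN" in upper case, so
# match case-insensitively (the original's lower-case grep missed real
# hits). Plain `sort` of the matching lines is not a timeline: unhide's
# lines carry no timestamp, so file order — or the syslog timestamps, if
# the runs went through logger — is the only chronology available.

# Check for findings
grep -i 'hidden' /var/log/unhide.log

# Count suspicious findings
grep -ic 'hidden' /var/log/unhide.log

# Timeline: keep file order and show line numbers so each hit can be tied to
# the run headers around it; for syslog-routed runs use the stamped lines
# (journalctl -t unhide on systemd hosts).
grep -in 'hidden' /var/log/unhide.log
grep -i 'unhide.*hidden' /var/log/syslog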
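# Build a short report. Run as root once rather than calling sudo inside
# $(...) inside a heredoc, and write to external media on a suspect host.
# unhide-tcp prints only discrepancies, so the original's `grep -v normal`
# filtered nothing; both tools' hits are matched case-insensitively on
# "hidden" instead.
[ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
report=${REPORT:-incident_report.txt}

hidden_pids=$(unhide procall sys 2>&1 | grep -i 'hidden')
hidden_ports=$(unhide-tcp 2>&1 | grep -i 'hidden')

cat > "$report" <<EOF
Unhide Forensic Report
======================
Date: $(date -u +%Y-%m-%dT%H:%M:%SZ)
System: $(hostname)
Kernel: $(uname -r)

Hidden Processes Detected:
${hidden_pids:-(none reported)}

Hidden Ports Detected:
${hidden_ports:-(none reported)}

Recommendations:
1. Isolate system from network (at the switch/firewall; do not power off —
   memory evidence is lost on shutdown)
2. Preserve forensic evidence (memory image first, then disk)
3. Notify incident response team
4. Begin root cause analysis
EOF
sha256sum "$report"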
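# unhide reports hidden PIDs only — its output carries no process names and
# it has no per-process filter, so `unhide ... | grep httpd` can never match
# (and `pids` is not a test name). To check a particular service: list its
# PIDs, then see whether any unhide hit is one of them; identify a hit via
# /proc/<pid>.
pgrep -a apache2      # or: pgrep -a httpd — PIDs with command lines
sudo unhide procall sys | grep -i 'hidden'

# unhide-tcp has no port-range option (confirm with `unhide-tcp -h`); every
# run tests all 65535 TCP and UDP ports.
sudo unhide-tcp

# Do not truncate the output with head: "Found HIDDEN PID" lines appear
# wherever a test finds them, so cutting at 20 lines can drop the finding.
# Filter instead, or log the full run with -f (unhide-linux.log in the cwd).
sudo unhide quick | grep -i 'hidden'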
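# Lower the scheduling priority of the scan. Put nice under sudo so the
# intent is clear (niceness is inherited either way). brute is the
# CPU-heavy test; procfs and sys are cheap.
sudo nice -n 19 unhide procfs

# Run in background. A test name is required (`unhide -v` alone only prints
# usage), and a backgrounded sudo cannot ask for a password, so refresh the
# sudo ticket first. stderr is captured too — warnings go there.
sudo -v
sudo unhide -v procall sys > unhide_results.txt 2>&1 &
scan_pid=$!

# Monitor progress (pgrep does not match itself, unlike `ps | grep`)
pgrep -a unhide
wait "$scan_pid"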
IssueSolution
Permission deniedRun as root: sudo unhide procfs (options such as -v go before the test name)
No hidden processes foundNot a false negative by itself: either the host is clean or the rootkit hooks every path unhide uses consistently. A clean run is one data point; corroborate with unhide-tcp, the module checks above and, ideally, offline or memory analysis.
False positivesMost come from processes that exit between two enumerations. Re-run, use -d with the brute test, inspect /proc/<pid>, and corroborate ports with ss, netstat and lsof.
Slow executionbrute is the slow test; use quick for routine runs and procall/sys for deeper ones. Verbosity barely affects runtime.
Segmentation faultUpdate or reinstall: sudo apt-get update && sudo apt-get install --reinstall unhide. On a suspect host a crashing security tool can itself be a symptom (hooked libc); retry with a statically linked copy brought from a clean machine.
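# Options go before the test name(s); -v can be repeated for more detail.
sudo unhide -v procfs
sudo unhide -vv procfs

# There is no debug mode. -d asks for a double check of brute-test hits to
# weed out processes that merely exited mid-scan; -m enables extra checks
# for procall/sys. Confirm both with `unhide -h` on your version.
sudo unhide -d brute
sudo unhide -m procall sys

# Save a full run, warnings (stderr) included, for the case file. brute can
# take a long time; leave it out if you only need a quick record.
sudo unhide -vv procall sys brute > debug.txt 2>&1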
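# Supported on most Linux distributions; the Linux build is the one with
# the procfs/sys/brute tests (other UNIX variants get a separate, smaller
# POSIX build).
sudo unhide procfs

# Check the binary. The ldd result matters for security: a statically linked
# unhide ("not a dynamic executable") cannot be subverted by an LD_PRELOAD or
# trojaned-libc rootkit, which is why upstream builds it that way. If ldd
# lists shared libraries, rebuild statically or bring a static copy from a
# clean host. Only run ldd on binaries you trust — on some systems it
# executes the file to discover its libraries.
unhide_bin=$(command -v unhide)
file "$unhide_bin"
ldd "$unhide_bin"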
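# Non-Linux UNIX (BSD/Solaris): the source tree ships a separate portable
# variant (unhide-posix) that only compares ps with a few syscall-based
# enumerations. The Linux test names (procfs, sys, brute ...) do not apply
# to it, and on Linux a bare `unhide -v` with no test only prints usage.
# Check the archive for the POSIX build and its usage before relying on it.
unhide-posix

# Sanity-check the process count the platform's ps reports, then run the
# enumeration comparison the build supports
ps -ef | wc -l
sudo unhide proc sys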
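# Combine unhide with other checks. All of these run on the suspect host
# with its possibly hooked kernel, so they are corroborating signals, not
# proof. Keep their outputs together, off the suspect disk.

# Unhide + ClamAV (signature scan of the filesystem; slow over /, and it
# cannot see files a kernel rootkit hides from readdir)
sudo unhide procall sys > hidden.txt 2>&1
sudo clamscan -r --infected / --log=clamav.log

# Unhide + Rootkit Hunter (rkhunter's own hidden-process test calls unhide
# when it is installed, so expect overlapping findings)
sudo unhide quick
sudo rkhunter --check --skip-keypress

# Unhide + AIDE. AIDE only helps if a baseline (aide --init) was taken
# *before* the compromise and stored off-host; a baseline taken now would
# just enshrine the attacker's changes.
sudo aide --check
sudo unhide procfs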
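# Send unhide findings to syslog so they leave the host. Run as root;
# `read -r` keeps backslashes in the line intact, and stderr is included
# because warnings go there.
sudo unhide procall sys 2>&1 | while IFS= read -r line; do
    logger -t unhide -p auth.notice -- "$line"
done

# Search locally (journalctl -t unhide on systemd hosts)
grep -i 'unhide.*hidden' /var/log/syslog

# Centralized logging. `nc siem.local 514` ships raw lines with no syslog
# header, no timestamp and no encryption, over whatever protocol nc defaults
# to, so the collector may drop or mis-parse them. Send through the syslog
# path instead: util-linux logger can target a remote collector directly,
# and rsyslog/syslog-ng forwarding over TLS is the better long-term setup.
sudo unhide procall sys 2>&1 | logger -t unhide -p auth.notice --server siem.local --port 514 --tcp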
  1. Regular Scanning: run `unhide quick` from cron hourly or daily, the full tests (procall, sys, reverse, brute) after any alert or change; weekly or monthly leaves too wide a window
  2. Baseline Establishment: record normal process and port counts, the loaded-module list and an integrity baseline (AIDE) while the host is known-good, and store them off-host
  3. Investigation Protocol: verify every finding with a second method (re-run, /proc/<pid>, ss/netstat/lsof from different code paths) before escalating
  4. Evidence Preservation: capture unhide output, process and socket snapshots and a memory image to external media before any containment that alters state
  5. Incident Response: escalate confirmed rootkit detections; do not rmmod or kill first
  6. System Hardening: enforce kernel module signing, lockdown/Secure Boot where available, and ship logs off-host so a rootkit cannot erase its own traces

Unhide is a valuable first-line check for forensic investigators and system administrators doing rootkit detection and incident response on Linux and UNIX systems — provided its limits are kept in mind: it runs on the suspect kernel, so its findings need corroboration and a clean run is not proof of a clean host.