Unhide – The open-source forensic tool
// Unhide (ps)
Detecting hidden processes. Unhide implements six techniques:
1. Compare /proc vs /bin/ps output.
2. Compare info gathered from /bin/ps with info gathered by walking through the procfs.
3. Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
4. Full PID space occupation (PID brute-forcing).
5. Reverse search: verify that all threads seen by ps are also seen by the kernel (/bin/ps output vs /proc, procfs walking and syscalls).
6. Quick compare of /proc, procfs walking and syscalls vs /bin/ps output.
It also identifies TCP/UDP ports that are listening but not listed by /bin/netstat, by brute-forcing all available TCP/UDP ports.
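The following script is an added illustration of how techniques 1 and 4 above work together; it is written for this page and is not unhide's own C code. It snapshots the PIDs (and thread IDs) that /proc and /bin/ps show, asks the kernel about every PID up to pid_max with kill(pid, 0), and reports PIDs the kernel knows but neither listing contains. The helper names (pids_from_proc, brute_force_pids, confirm_hidden and so on) are this example's own; it assumes a Linux host with procps ps and, for a complete view of other users' processes, root privileges.

```python
"""Added example: re-creating two of unhide's checks in Python.

(1) compare the PIDs /proc and /bin/ps report, and
(4) brute-force the PID space with kill(pid, 0) to find PIDs the kernel
    knows about but no listing shows.
Linux only; run as root so every /proc entry is readable.  All names here are
this example's own, not unhide's."""
import os
import subprocess


def read_pid_max(path="/proc/sys/kernel/pid_max", default=32768):
    """Upper bound of the PID space; falls back to the classic default."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def pids_from_proc(proc_root="/proc"):
    """Walk procfs, collecting PIDs and their thread IDs (/proc/PID/task).

    Threads matter: kill(tid, 0) succeeds for a thread ID too, so a
    PID-only listing would report every extra thread as a 'hidden process'."""
    seen = set()
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        seen.add(int(entry))
        try:
            tasks = os.listdir(os.path.join(proc_root, entry, "task"))
        except OSError:          # process exited between the two listings
            continue
        seen.update(int(t) for t in tasks if t.isdigit())
    return seen


def run_ps():
    """Thread-level listing from procps ps: one LWP (thread id) per line."""
    out = subprocess.run(["ps", "-eL", "-o", "lwp="],
                         capture_output=True, text=True, check=False)
    return out.stdout


def parse_ps_pids(ps_output):
    """Turn `ps -eL -o lwp=` output into a set of ints, skipping any header
    or blank lines another ps build might print."""
    return {int(line) for line in map(str.strip, ps_output.splitlines())
            if line.isdigit()}


def pid_exists(pid):
    """kill(pid, 0) delivers no signal but reveals whether the kernel knows
    the PID.  EPERM means 'exists, owned by someone else': still a hit."""
    try:
        os.kill(pid, 0)
    except PermissionError:
        return True
    except ProcessLookupError:
        return False
    return True


def brute_force_pids(pid_max, probe=pid_exists):
    """Technique 4: ask the kernel about every PID from 1 to pid_max."""
    return {pid for pid in range(1, pid_max + 1) if probe(pid)}


def hidden_pids(kernel_pids, visible_pids):
    """Technique 1 comparison: PIDs the kernel has that no listing showed."""
    return sorted(kernel_pids - visible_pids)


def confirm_hidden(candidates, probe, snapshot):
    """Re-test each candidate against a fresh listing so that processes that
    merely started or exited during the slow brute-force pass are dropped.
    `snapshot` returns the current visible set; `probe` is pid_exists."""
    fresh = snapshot()
    return [pid for pid in candidates if probe(pid) and pid not in fresh]


def scan():
    """Full pass: snapshot, brute-force, compare, re-confirm, report."""
    def visible():
        return pids_from_proc() | parse_ps_pids(run_ps())

    first = visible()
    kernel = brute_force_pids(read_pid_max())
    confirmed = confirm_hidden(hidden_pids(kernel, first), pid_exists, visible)
    if confirmed:
        print("HIDDEN Processes Found: (%d)" % len(confirmed))
        for pid in confirmed:
            print("  PID %d known to the kernel but absent from /proc and ps" % pid)
    else:
        print("No hidden processes found")
    return confirmed


if __name__ == "__main__":
    scan()
```

The second pass in confirm_hidden is what keeps a slow PID sweep from flagging short-lived processes as hidden. Two legitimate sources of discrepancy remain: a /proc mounted with the hidepid option hides other users' entries while kill(2) still answers EPERM for them, and inside a container you only see the PID namespace you are in. Run the scan as root, in the same PID namespace as the processes you are auditing, or those cases show up as false positives.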
Install unhide on Ubuntu
Open the terminal and run the following command:
sudo apt-get install unhide
Using the unhide command
Run the tool from your terminal with the following commands:
sudo unhide-posix proc
sudo unhide-posix sys
Or, if you are on a Linux 2.6 kernel system, run the following commands from your terminal:
sudo unhide-linux26 sys
sudo unhide-linux26 brute
The unhide tool then works through its checks, walking the /proc entries and the PID space for processes the kernel knows about but the normal listings do not show; each check is announced as it runs. If processes are found, you will be given a message:
HIDDEN Processes Found: (#)
Here # is the number of hidden processes found on the system. If no hidden processes were found, the output reads: No hidden processes found.
The unhide tool can also help you find hidden ports that you would not normally see in netstat output. You can locate these by typing in: