unhide: Forensic tool to find hidden processes and ports
Unhide is a forensic tool that finds processes and TCP/UDP ports hidden by rootkits, LKMs or other hiding techniques.
Unhide (ps) detects hidden processes. It implements six main techniques:
1. Compare /proc against /bin/ps output.
2. Compare information gathered from /bin/ps with information gathered by walking through the procfs.
3. Compare information gathered from /bin/ps with information gathered from syscalls (syscall scanning).
4. Full PID space occupation (PID brute forcing).
5. Compare /bin/ps output against /proc, procfs walking and syscalls. This is the reverse search: it verifies that every thread seen by ps is also seen by the kernel.
6. Quick comparison of /proc, procfs walking and syscalls against /bin/ps output. It is about 20 times faster than tests 1+2+3, but may give more false positives.
Unhide-TCP
Identifies TCP/UDP ports that are listening but not listed by /bin/netstat, by brute forcing all available TCP/UDP ports.
| Name | unhide |
|---|---|
| Release | 20220611-1mamba |
| Architecture | i586 |
| Group | Applications/Security |
| Size | 1.21 MB |
| Upstream URL | https://www.unhide-forensics.info/ |
| Source RPM | unhide |
| Brothers | Provides | Obsoletes | Requires | Recommends |
|---|---|---|---|---|
| | unhide = 0:20220611-1mamba, unhide(x86-32) = 0:20220611-1mamba | | | |
Provided files
/usr/lib/.build-id
/usr/lib/.build-id/7
/usr/lib/.build-id/7/290d316a0f95daf6fbe673e62b753038e67942
/usr/lib/.build-id/b8
/usr/lib/.build-id/b8/44872dc3ff2c53eb86245c8ed5c57a3c45bad3
/usr/lib/.build-id/ed
/usr/lib/.build-id/ed/576444ae48cb88d32d1559470ed205ab43470b
/usr/sbin/unhide
/usr/sbin/unhide-tcp
/usr/sbin/unhide_rb
/usr/share/doc/unhide-20220611
/usr/share/doc/unhide-20220611/COPYING
/usr/share/man/man8/unhide-tcp.8.gz
/usr/share/man/man8/unhide.8.gz