Update: unhide v-20130526, a forensic tool to find processes and TCP/UDP ports hidden by rootkits

Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits, LKMs or other hiding techniques.

Detecting hidden processes: six techniques are implemented.

  • Compare /proc with /bin/ps output.
  • Compare info gathered from /bin/ps with info gathered by walking through the procfs.
  • Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
  • Full occupation of the PID space (PID brute-forcing).
  • Reverse search: verify that all threads seen by ps are also seen by the kernel (/bin/ps output vs /proc, procfs walking and syscalls).
  • Quick compare of /proc, procfs walking and syscalls vs /bin/ps output.

// Unhide-TCP

Identifies TCP/UDP ports that are listening but not listed by /bin/netstat, by brute-forcing all available TCP/UDP ports.

// Compiling
// ———

Build requires:
glibc-devel
glibc-static-devel

Requires:
– unhide-tcp under Linux:
iproute2
net-tools (for netstat)
lsof
psmisc (for fuser)
– unhide-tcp under FreeBSD:
sockstat
lsof
netstat

– unhide-linux, unhide-posix, unhide_rb:
procps
If you ARE using a Linux kernel >= 2.6:
gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
gcc -Wall -O2 --static unhide_rb.c -o unhide_rb
gcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp
ln -s unhide-linux unhide

Else (Linux < 2.6, *BSD, Solaris and other Unices):
gcc --static unhide-posix.c -o unhide-posix
ln -s unhide-posix unhide

// Using
// —–
You MUST be root to use unhide-linux and unhide-tcp.

Examples:
# ./unhide-linux -vo quick reverse
# ./unhide-linux -vom procall sys
# ./unhide_rb

# ./unhide-tcp -flov
# ./unhide-tcp -flovs

Download : unhide-20130526.tgz (59.6 kB)
Sources : http://www.unhide-forensics.info/
Our previous post : http://seclist.us/unhide-v-20121218-released.html