illicius/Unhide
**-Unhide-**
               http://www.unhide-forensics.info

Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits, LKMs
or other hiding techniques.

// Unhide (unhide-linux or unhide-posix)
// -------------------------------------

Detecting hidden processes. It implements six main techniques:

1- Compare /proc vs /bin/ps output

2- Compare info gathered from /bin/ps with info gathered by walking through the procfs. ONLY for unhide-linux version

3- Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).

4- Full PID space occupation (PID brute-forcing). ONLY for unhide-linux version

5- Compare /bin/ps output vs /proc, procfs walking and syscalls. ONLY for unhide-linux version
   Reverse search: verify that all threads seen by ps are also seen by the kernel.

6- Quick compare of /proc, procfs walking and syscalls vs /bin/ps output. ONLY for unhide-linux version
   It is about 20 times faster than tests 1+2+3 but may give more false positives.
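The comparison behind techniques 1, 3 and 4, as an added illustration that is not code from the Unhide project: PIDs are collected from a /proc directory listing and from a kill(pid, 0) sweep of the PID space, then diffed against the PID column of ps. The sample ps output and /proc listing are constructed (PID 1337 is the planted "hidden" process); the live scan re-checks each suspect so that short-lived processes are not reported.

```python
import os
import re
import subprocess
from typing import Iterable, Set

# Constructed sample data (not real system output). PID 1337 appears in the
# /proc listing but not in ps, which is what a ps-hooking rootkit would produce.
SAMPLE_PS_OUTPUT = """  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:01 /sbin/init
  412 ?        Ss     0:00 /usr/sbin/sshd
 1340 pts/0    S      0:00 -bash
"""
SAMPLE_PROC_ENTRIES = ["1", "412", "1337", "1340", "cpuinfo", "meminfo", "self"]
def pids_from_ps(ps_output: str) -> Set[int]:
    """Parse the PID column of `ps ax`-style output (first field of each data line)."""
    pids = set()
    for line in ps_output.splitlines()[1:]:          # skip the header row
        m = re.match(r"\s*(\d+)\s", line)
        if m:
            pids.add(int(m.group(1)))
    return pids

def pids_from_procfs(entries: Iterable[str]) -> Set[int]:
    """Technique 1: every all-digit directory name under /proc is a PID."""
    return {int(e) for e in entries if e.isdigit()}

def pid_alive_by_syscall(pid: int) -> bool:
    """Techniques 3/4: kill(pid, 0); ESRCH = no such process, EPERM = exists but not ours."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True

def hidden_pids(ps_pids: Set[int], kernel_pids: Set[int]) -> Set[int]:
    """PIDs the kernel knows about that ps did not report."""
    return kernel_pids - ps_pids
def scan_live(max_pid: int = 32768) -> Set[int]:
    """Live run: procfs walk plus a kill() sweep of the PID space, diffed against
    ps. Each suspect is re-verified so short-lived processes are not flagged."""
    def ps() -> Set[int]:
        out = subprocess.run(["ps", "ax"], capture_output=True, text=True, check=True).stdout
        return pids_from_ps(out)
    kernel = pids_from_procfs(os.listdir("/proc"))
    kernel |= {p for p in range(1, max_pid + 1) if pid_alive_by_syscall(p)}
    suspects = hidden_pids(ps(), kernel) - {os.getpid()}
    return {p for p in suspects if pid_alive_by_syscall(p)} - ps()   # double check
```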

// Unhide_rb
// ---------

It is a port to C of the Ruby script unhide.rb.

Like the original unhide.rb, it is roughly equivalent to "unhide-linux quick reverse" but:
- it makes three tests less (kill, opendir and chdir),
- it only runs /bin/ps once at start and once for the double check, which gives more false positives:
   short-lived processes are seen as hidden.
- also, its tests are less accurate (e.g. testing the return value instead of errno),
- it doesn't scale well when the max_PID number increases,
- processes are only identified by their exe link (unhide-linux also uses cmdline and the
  "sleeping kernel process" name),
- there is little protection against failures (a failed fopen or popen, for example),
- there is no logging capability.

On a 32-bit system (with max_PID = 2^16) it is about 80 times quicker than "unhide-linux quick reverse".
On a 64-bit system (with max_PID = 2^22) it is about 2 times quicker than "unhide-linux quick reverse".

// Unhide-TCP
// ----------

Identifies TCP/UDP ports that are listening but not listed by /sbin/ss or /bin/netstat.
It uses two methods:
- brute force of all available TCP/UDP ports, compared with the ss/netstat output.
- probe of all TCP/UDP ports not reported by netstat.
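The brute-force method in working form, as an added example that is not code from the Unhide project: every port is bind-probed (EADDRINUSE means the kernel already has a socket there) and the result is diffed against the Local Address:Port column of `ss -lntu`. The ss output below is constructed; the live scan must run as root, as the page requires, so that ports below 1024 do not fail with EACCES.

```python
import errno
import re
import socket
import subprocess
from typing import Set, Tuple

Port = Tuple[str, int]   # (proto, port)

# Constructed sample of `ss -lntu` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511             [::]:80            [::]:*
"""

def listening_ports_from_ss(ss_output: str) -> Set[Port]:
    """Parse (proto, port) from the Netid and Local Address:Port columns."""
    found = set()
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        m = re.search(r":(\d+)$", fields[4])
        if m:
            found.add((fields[0], int(m.group(1))))
    return found

def port_in_use(proto: str, port: int) -> bool:
    """Brute-force probe: try to bind the port ourselves. EADDRINUSE means the
    kernel already has a socket there, whatever ss/netstat claim. Binding on
    0.0.0.0 (without SO_REUSEADDR) collides with a listener on any local address."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind(("0.0.0.0", port))
            return False
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            raise

def hidden_ports(in_use: Set[Port], reported: Set[Port]) -> Set[Port]:
    """Ports the kernel refuses to hand out that ss/netstat did not list."""
    return in_use - reported

def scan_live() -> Set[Port]:
    """Probe all 65535 TCP and UDP ports and diff against `ss -lntu`."""
    out = subprocess.run(["ss", "-lntu"], capture_output=True, text=True, check=True).stdout
    in_use = {(p, n) for p in ("tcp", "udp") for n in range(1, 65536) if port_in_use(p, n)}
    return hidden_ports(in_use, listening_ports_from_ss(out))
```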

// Files
// -----

unhide-linux.c      -- Hidden processes, for Linux >= 2.6
unhide-linux.h

unhide-tcp.c        -- Hidden TCP/UDP Ports
unhide-tcp-fast.c
unhide-tcp.h

unhide-output.c     -- Common routines of unhide tools
unhide-output.h

unhide_rb.c         -- C port of unhide.rb (a very light version of unhide-linux in Ruby)

unhide-posix.c      -- Hidden processes, for generic Unix systems (*BSD, Solaris, Linux 2.2 / 2.4)
                       It doesn't implement the PID brute-forcing check yet. Needs more testing.
                       Warning : This version is somewhat outdated and may generate false positives.
                                 Prefer unhide-linux.c if you can use it.

changelog           -- As the name implies, the log of changes to unhide

COPYING             -- License file, GNU GPL V3

LEEME.txt           -- Spanish version of this file

LISEZ-MOI.TXT       -- French version of this file

NEWS                -- Release notes

README.txt          -- This file

sanity.sh           -- unhide-linux testsuite file

TODO                -- Evolutions to do (any volunteers ?)

man/unhide.8        -- English man page of unhide

man/unhide-tcp.8    -- English man page of unhide-tcp

man/fr/unhide.8     -- French man page of unhide

man/fr/unhide-tcp.8 -- French man page of unhide-tcp

// Compiling
// ---------

 Build requires :
 --------------
   glibc-devel
   glibc-static-devel

 Requires :
 --------
   - unhide-tcp under linux :
      iproute2
      net-tools (for netstat)
      lsof
      psmisc (for fuser)
   - unhide-tcp under freeBSD :
      sockstat
      lsof
      netstat
   
   - unhide-linux, unhide-posix, unhide_rb :
      procps


IMPORTANT : Note that, as a forensic tool, unhide is built statically, because the host system libraries may be compromised.

If you ARE using a Linux kernel >= 2.6
      gcc -Wall -Wextra -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
      gcc -Wall -Wextra -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp
      gcc -Wall -Wextra -O2 --static unhide_rb.c -o unhide_rb
      ln -s unhide-linux unhide

Else (Linux < 2.6, *BSD, Solaris and other Unices)
      gcc --static unhide-posix.c -o unhide-posix
      ln -s unhide-posix unhide

// Using
// -----
You MUST be root to use unhide-linux and unhide-tcp.

Examples:
 # ./unhide-linux  -vo quick reverse
 # ./unhide-linux  -vom procall sys
 # ./unhide_rb

 # ./unhide-tcp  -flov
 # ./unhide-tcp  -flovs

// License
// -------

GPL V.3 (http://www.gnu.org/licenses/gpl-3.0.html)

// Greets
// ------

A. Ramos (aramosf@unsec.net) for some regexps

unspawn (unspawn@rootshell.be) CentOS support

Martin Bowers (Martin.Bowers@freescale.com) CentOS support

Lorenzo Martinez (lorenzo@lorenzomartinez.homeip.net) Some ideas to improve and betatesting

Francois Marier (francois@debian.org) Author of the man pages and Debian support

Johan Walles (johan.walles@gmail.com) Found and fixed a very nasty race condition bug

Jan Iven (jan.iven@cern.ch) Because of his great improvements, new tests and bugfixing

P. Gouin (patrick-g@users.sourceforge.net) Because of his incredible work fixing bugs and improving the performance

François Boisson for his idea of a double check in brute test

Leandro Lucarella (leandro.lucarella@sociomantic.com) for the fast scan method and his factorization work for unhide-tcp

Nikos Ntarmos (ntarmos@ceid.upatras.gr) for his invaluable help in the FreeBSD port of unhide-tcp and for packaging unhide on FreeBSD.

Fubin Zhang (zfb132 on GitHub) for reporting a missing file in the distribution tarball.

Buo-ren, Lin (brlin-tw on GitHub ; Buo.Ren.Lin@gmail.com) for fixing a typo in the Readme file

daichifukui (a.dog.will.talk@akane.waseda.jp) for pinpointing untranslated strings in the GUI and fixing them.
