Name | unhide |
Version | 20210124 |
Category | security |
Description | Forensic tool to find hidden processes and TCP/UDP ports. |
Maintainer | pascal.bellard@slitaz.org |
License | GPL3 |
Website | https://www.unhide-forensics.info/?Linux |
Sizes | |
Depends on | iproute2 procps |
Download package | |
Show receipt | |
Show files list | |
Show cooking log | |
Install package Remove package |
Description
Unhide is a forensic tool to find hidden processes and TCP/UDP ports by rootkits, LKMs or by another hiding technique. Detecting hidden processes. Implements six main techniques 1- Compare /proc vs /bin/ps output 2- Compare info gathered from /bin/ps with info gathered by walking through the procfs. 3- Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning). 4- Full PIDs space occupation (PIDs bruteforcing). 5- Compare /bin/ps output vs /proc, procfs walking and syscall. Reverse search, verify that all threads seen by ps are also seen in the kernel. 6- Quick compare /proc, procfs walking and syscall vs /bin/ps output. It's about 20 times faster than tests 1, 2 and 3 but maybe give more false positives. |