UNHIDE(8)                    System Manager's Manual                   UNHIDE(8)



NAME
       unhide — forensic tool to find hidden processes

SYNOPSIS
       unhide [OPTIONS] TEST_LIST
       unhide-posix proc | sys

DESCRIPTION
       unhide is a forensic tool to find processes hidden by rootkits, Linux
       kernel modules or by other techniques. It detects hidden processes
       using six techniques.

OPTIONS
       Options are only available for unhide-linux, not for unhide-posix.

       -d     Do a double check in the brute test to avoid false positives.

       -f     Write a log file (unhide-linux.log) in the current directory.

       -h     Display help.

       -m     Do more checks. As of the 2012-03-17 version, this option only
              has an effect for the procfs, procall, checkopendir and
              checkchdir tests.
              Implies -v.

       -r     Use the alternate version of the sysinfo check in the standard
              tests.

       -V     Show version and exit.

       -v     Be verbose, display warning messages (default: don't display).
              This option may be repeated more than once.

TESTS
       The checks to do consist of one or more of the following tests. The
       standard tests are aggregations of one or more elementary tests.

       Standard tests:

       The brute technique consists of brute-forcing all process IDs.
       This technique is only available with the unhide-linux version.

       The proc technique consists of comparing /proc with the output of
       /bin/ps.

       The procall technique combines the proc and procfs tests.
       This technique is only available with the unhide-linux version.

       The procfs technique consists of comparing information gathered from
       /bin/ps with information gathered by walking the procfs.
       With the -m option, this test makes more checks; see the checkchdir
       test.
       This technique is only available with the unhide-linux version.

       The quick technique combines the proc, procfs and sys techniques in a
       quick way. It is about 20 times faster but may give more false
       positives.
       This technique is only available with the unhide-linux version.

       The reverse technique consists of verifying that all threads seen by
       ps are also seen in procfs and by system calls. It is intended to
       verify that a rootkit has not killed a security tool (IDS or other)
       and made ps show a fake process instead.
       This technique is only available with the unhide-linux version.

       The sys technique consists of comparing information gathered from
       /bin/ps with information gathered from system calls.

       Elementary tests:

       The checkbrute technique consists of brute-forcing all process IDs.
       This technique is only available with the unhide-linux version.

       The checkchdir technique consists of comparing information gathered
       from /bin/ps with information gathered by calling chdir() in the
       procfs.
       With the -m option, it also verifies that the thread appears in the
       threads list of its "leader process".
       This technique is only available with the unhide-linux version.

       The checkgetaffinity technique consists of comparing information
       gathered from /bin/ps with the result of a call to the
       sched_getaffinity() system function.
       This technique is only available with the unhide-linux version.

       The checkgetparam technique consists of comparing information
       gathered from /bin/ps with the result of a call to the
       sched_getparam() system function.
       This technique is only available with the unhide-linux version.

       The checkgetpgid technique consists of comparing information gathered
       from /bin/ps with the result of a call to the getpgid() system
       function.
       This technique is only available with the unhide-linux version.

       The checkgetprio technique consists of comparing information gathered
       from /bin/ps with the result of a call to the getpriority() system
       function.
       This technique is only available with the unhide-linux version.

       The checkRRgetinterval technique consists of comparing information
       gathered from /bin/ps with the result of a call to the
       sched_rr_get_interval() system function.
       This technique is only available with the unhide-linux version.

       The checkgetsched technique consists of comparing information
       gathered from /bin/ps with the result of a call to the
       sched_getscheduler() system function.
       This technique is only available with the unhide-linux version.

       The checkgetsid technique consists of comparing information gathered
       from /bin/ps with the result of a call to the getsid() system
       function.
       This technique is only available with the unhide-linux version.

       The checkkill technique consists of comparing information gathered
       from /bin/ps with the result of a call to the kill() system function.
       Note: no process is really killed by this test.
       This technique is only available with the unhide-linux version.

       The checknoprocps technique consists of comparing the results of the
       calls to each of the system functions with one another. No comparison
       is done against /proc or the output of ps.
       This technique is only available with the unhide-linux version.

       The checkopendir technique consists of comparing information gathered
       from /bin/ps with information gathered by calling opendir() in the
       procfs.
       This technique is only available with the unhide-linux version.

       The checkproc technique consists of comparing /proc with the output
       of /bin/ps.
       This technique is only available with the unhide-linux version.

       The checkquick technique combines the proc, procfs and sys techniques
       in a quick way. It is about 20 times faster but may give more false
       positives.
       This technique is only available with the unhide-linux version.

       The checkreaddir technique consists of comparing information gathered
       from /bin/ps with information gathered by calling readdir() in /proc
       and /proc/pid/task.
       This technique is only available with the unhide-linux version.

       The checkreverse technique consists of verifying that all threads
       seen by ps are also seen in procfs and by system calls. It is
       intended to verify that a rootkit has not killed a security tool (IDS
       or other) and made ps show a fake process instead.
       This technique is only available with the unhide-linux version.

       The checksysinfo technique consists of comparing the number of
       processes seen by /bin/ps with information obtained from the
       sysinfo() system call.
       This technique is only available with the unhide-linux version.

       The checksysinfo2 technique is an alternate version of the
       checksysinfo test. It might (or might not) work better on kernels
       patched for RT, preempt or latency and on kernels that don't use the
       standard scheduler.
       It is also invoked by the standard tests when using the -r option.
       This technique is only available with the unhide-linux version.

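       The cross-check that the elementary tests above perform can be
       illustrated with the following C program. It is an added example, not
       unhide's own code and not part of this manual page: it probes every
       id in a range through several system calls (kill() with signal 0,
       getpgid(), getsid(), sched_getscheduler(), getpriority()), compares
       the result with a readdir() listing of /proc, resolves thread ids to
       their leader process through /proc/<id>/status so that ordinary
       threads are not reported, and re-checks a hit against a fresh listing
       the way the -d option does. It assumes Linux with /proc mounted and
       reads the kernel's pid_max sysctl; all function names are the
       example's own.

```c
/* Added illustration, not unhide's own code: cross-check the task ids that
 * system calls admit against the ids a readdir() of /proc lists, as the sys
 * and proc style tests do. readdir("/proc") shows only thread-group leaders
 * while kill(tid, 0) and friends accept any thread id, so an unlisted id counts
 * as hidden only when its leader (Tgid) is unlisted too. Linux only. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

long read_pid_max(void) {            /* the kernel's pid_max sysctl, else 32768 */
    long pid_max = 32768;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f && (fscanf(f, "%ld", &pid_max) != 1 || pid_max <= 0)) pid_max = 32768;
    if (f) fclose(f);
    return pid_max;
}

/* A probe "sees" the task unless it failed with ESRCH (EPERM: exists, not ours). */
static int probe_seen(long rc) { return rc != -1 || errno != ESRCH; }

/* Ask several independent kernel interfaces whether the task exists (the idea
 * behind checkkill, checkgetpgid, checkgetsid, checkgetsched, checkgetprio).
 * kill(pid, 0) delivers no signal; it only performs the existence check. */
int syscall_sees_pid(pid_t pid) {
    if (pid <= 0) return 0;           /* 0 and negative ids address groups */
    errno = 0; if (probe_seen(kill(pid, 0))) return 1;
    errno = 0; if (probe_seen(getpgid(pid))) return 1;
    errno = 0; if (probe_seen(getsid(pid))) return 1;
    errno = 0; if (probe_seen(sched_getscheduler(pid))) return 1;
    errno = 0; if (probe_seen(getpriority(PRIO_PROCESS, pid))) return 1;
    return 0;
}

/* Snapshot of what a listing of /proc shows (what ps relies on): listed[id] = 1 per numeric entry. */
int list_proc_pids(unsigned char *listed, long pid_max) {
    DIR *d = opendir("/proc");
    struct dirent *e; int count = 0;
    if (!d) return -1;
    memset(listed, 0, (size_t)pid_max + 1);
    while ((e = readdir(d)) != NULL) {
        char *end;
        long id = strtol(e->d_name, &end, 10);
        if (e->d_name[0] && *end == '\0' && id > 0 && id <= pid_max) { listed[id] = 1; count++; }
    }
    closedir(d);
    return count;
}

/* Leader process (Tgid) of a task via path lookup of /proc/<id>/status; -1 if unreadable. */
pid_t tgid_of(pid_t pid) {
    char path[64], line[128];
    pid_t tgid = -1;
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "Tgid:", 5) == 0) { tgid = (pid_t)atol(line + 5); break; }
    fclose(f);
    return tgid;
}

static int listed_has(const unsigned char *l, long max, pid_t id) { return l && id > 0 && id <= max && l[id]; }

/* Hidden: system calls admit the task, but neither it nor its leader is listed (NULL = empty listing). */
int is_hidden(pid_t pid, const unsigned char *listed, long pid_max) {
    if (!syscall_sees_pid(pid) || listed_has(listed, pid_max, pid)) return 0;
    return !listed_has(listed, pid_max, tgid_of(pid));
}

/* Walk ids lo..hi; hidden ones go to out (up to cap). Returns the count, or -1 if /proc is unreadable. */
int scan_hidden_range(pid_t lo, pid_t hi, pid_t *out, size_t cap) {
    long pid_max = read_pid_max();
    unsigned char *listed = malloc((size_t)pid_max + 1);
    int found = 0;
    if (!listed || list_proc_pids(listed, pid_max) < 0) { free(listed); return -1; }
    for (pid_t id = lo; id <= hi; id++) {
        if (!is_hidden(id, listed, pid_max)) continue;
        if (list_proc_pids(listed, pid_max) < 0) break;   /* fresh snapshot, as -d does ... */
        if (!is_hidden(id, listed, pid_max)) continue;    /* ... drops a task that just exited */
        if (out && (size_t)found < cap) out[found] = id;
        found++;
    }
    free(listed);
    return found;
}

int main(void) {                     /* stand-alone: scan the whole PID space */
    int n = scan_hidden_range(1, (pid_t)read_pid_max(), NULL, 0);
    if (n < 0) { perror("/proc"); return 2; }
    printf("%d hidden task(s)\n", n);
    return n > 0;                    /* exit status mirrors unhide's: 1 if found */
}
```

       Compiled and run as is, it scans the whole PID space and exits with
       status 1 if something is hidden, 0 otherwise; scan_hidden_range() can
       also be pointed at a narrower range. Like unhide itself it reports
       false positives when /proc is mounted with the hidepid option, since
       other users' tasks are then answered with EPERM by the system calls
       but absent from the listing.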
       Exit status:
              0 if OK,
              1 if a hidden or fake thread is found.

EXAMPLES
       Quicker test:
              unhide quick

       Quick test:
              unhide quick reverse

       Standard test:
              unhide sys proc

       Deeper test:
              unhide -m -d sys procall brute reverse

BUGS
       Report unhide bugs on the bug tracker on sourceforge
       (http://sourceforge.net/projects/unhide/).

       With recent versions of the Linux kernel (> 2.6.33), the sysinfo test
       may report false positives. This may be due to optimizations in the
       scheduler, the use of cgroups or even the use of systemd. The use of
       the PREEMPT-RT patch amplifies the occurrence of the problem. This is
       currently under investigation.

SEE ALSO
       unhide-tcp(8).

AUTHOR
       This manual page was written by Francois Marier <francois@debian.org>
       and Patrick Gouin. Permission is granted to copy, distribute and/or
       modify this document under the terms of the GNU General Public
       License, Version 3 or any later version published by the Free
       Software Foundation.

COPYRIGHT
       License GPLv3+: GNU GPL version 3 or later
       <http://gnu.org/licenses/gpl.html>.
       This is free software: you are free to change and redistribute it.
       There is NO WARRANTY, to the extent permitted by law.



Administration commands             March 2012                        UNHIDE(8)