UNHIDE(8)                   System Manager's Manual                  UNHIDE(8)


NAME
       unhide — forensic tool to find hidden processes

SYNOPSIS
       unhide [OPTIONS] TEST_LIST
       unhide-posix proc | sys

DESCRIPTION
       unhide is a forensic tool to find processes hidden by rootkits, Linux
       kernel modules or other techniques. It detects hidden processes using
       six techniques.

OPTIONS
       Options are only available for unhide-linux, not for unhide-posix.

       -d     Do a double check in the brute test to avoid false positives.

       -f     Write a log file (unhide-linux.log) in the current directory.

       -h     Display help.

       -m     Do more checks. As of the 2012-03-17 version, this option only
              has an effect for the procfs, procall, checkopendir and
              checkchdir tests.
              Implies -v.

       -r     Use the alternate version of the sysinfo check in the standard
              tests.

       -V     Show version and exit.

       -v     Be verbose, display warning messages (default: don't display).
              This option may be repeated more than once.

TEST_LIST
       The checks to do consist of one or more of the following tests.
       The standard tests are the aggregation of one or more elementary
       test(s).

       Standard tests:

       The brute technique consists of brute-forcing all process IDs.
       This technique is only available in the unhide-linux version.

       The proc technique consists of comparing /proc with the output of
       /bin/ps.

       The procall technique combines the proc and procfs tests.
       This technique is only available in the unhide-linux version.

       The procfs technique consists of comparing information gathered from
       /bin/ps with information gathered by walking the procfs.
       With the -m option, this test makes more checks, see the checkchdir
       test.
       This technique is only available in the unhide-linux version.

       The quick technique combines the proc, procfs and sys techniques in a
       quick way. It is about 20 times faster but may give more false
       positives.
       This technique is only available in the unhide-linux version.

       The reverse technique consists of verifying that all threads seen by
       ps are also seen in procfs and by system calls. It is intended to
       verify that a rootkit has not killed a security tool (IDS or other)
       and made ps show a fake process instead.
       This technique is only available in the unhide-linux version.

       The sys technique consists of comparing information gathered from
       /bin/ps with information gathered from system calls.
       Elementary tests:

       The checkbrute technique consists of brute-forcing all process IDs.
       This technique is only available in the unhide-linux version.

       The checkchdir technique consists of comparing information gathered
       from /bin/ps with information gathered by calling chdir() in the
       procfs.
       With the -m option, it also verifies that the thread appears in the
       thread list of its "leader process".
       This technique is only available in the unhide-linux version.

       The checkgetaffinity technique consists of comparing information
       gathered from /bin/ps with the result of a call to the
       sched_getaffinity() system function.
       This technique is only available in the unhide-linux version.

       The checkgetparam technique consists of comparing information gathered
       from /bin/ps with the result of a call to the sched_getparam() system
       function.
       This technique is only available in the unhide-linux version.

       The checkgetpgid technique consists of comparing information gathered
       from /bin/ps with the result of a call to the getpgid() system
       function.
       This technique is only available in the unhide-linux version.

       The checkgetprio technique consists of comparing information gathered
       from /bin/ps with the result of a call to the getpriority() system
       function.
       This technique is only available in the unhide-linux version.

       The checkRRgetinterval technique consists of comparing information
       gathered from /bin/ps with the result of a call to the
       sched_rr_get_interval() system function.
       This technique is only available in the unhide-linux version.

       The checkgetsched technique consists of comparing information gathered
       from /bin/ps with the result of a call to the sched_getscheduler()
       system function.
       This technique is only available in the unhide-linux version.

       The checkgetsid technique consists of comparing information gathered
       from /bin/ps with the result of a call to the getsid() system
       function.
       This technique is only available in the unhide-linux version.

       The checkkill technique consists of comparing information gathered
       from /bin/ps with the result of a call to the kill() system function.
       Note: no process is really killed by this test.
       This technique is only available in the unhide-linux version.

       The checknoprocps technique consists of comparing the results of the
       calls to each of the system functions with one another. No comparison
       is done against /proc or the output of ps.
       This technique is only available in the unhide-linux version.

       The checkopendir technique consists of comparing information gathered
       from /bin/ps with information gathered by calling opendir() in the
       procfs.
       This technique is only available in the unhide-linux version.

       The checkproc technique consists of comparing /proc with the output of
       /bin/ps.
       This technique is only available in the unhide-linux version.

       The checkquick technique combines the proc, procfs and sys techniques
       in a quick way. It is about 20 times faster but may give more false
       positives.
       This technique is only available in the unhide-linux version.

       The checkreaddir technique consists of comparing information gathered
       from /bin/ps with information gathered by calling readdir() in /proc
       and /proc/pid/task.
       This technique is only available in the unhide-linux version.

       The checkreverse technique consists of verifying that all threads seen
       by ps are also seen in procfs and by system calls. It is intended to
       verify that a rootkit has not killed a security tool (IDS or other)
       and made ps show a fake process instead.
       This technique is only available in the unhide-linux version.

       The checksysinfo technique consists of comparing the number of
       processes seen by /bin/ps with information obtained from the sysinfo()
       system call.
       This technique is only available in the unhide-linux version.

       The checksysinfo2 technique is an alternate version of the
       checksysinfo test. It might (or might not) work better on kernels
       patched for RT, preempt or latency, and on kernels that don't use the
       standard scheduler.
       It is also invoked by the standard tests when the -r option is used.
       This technique is only available in the unhide-linux version.

   Exit status:
       0      if OK,

       1      if a hidden or fake thread is found.
166
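       The following C program is an added example, not unhide's own code: it
       implements the cross-check described by the brute, checkkill,
       checkgetprio, checkgetsched and checkopendir tests above (ask the
       kernel about every PID through several system calls, compare with
       /proc, and re-check suspects as -d does). It assumes a Linux host with
       /proc mounted; the function names are the example's own.

```c
/* Added example (not unhide's own code) in the spirit of unhide's brute, checkkill,
 * checkgetprio, checkgetsched and checkopendir tests.  Assumes /proc is mounted. */
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

/* ESRCH means the PID does not exist; EPERM still proves it does, so it counts. */
static int answers(long rc) { return rc != -1 || errno != ESRCH; }

int pid_seen_by_syscalls(pid_t pid) {               /* how many of 3 syscalls see it */
    int hits = 0;
    if (answers(kill(pid, 0))) hits++;              /* checkkill: signal 0 sends nothing */
    errno = 0; getpriority(PRIO_PROCESS, pid);      /* checkgetprio: -1 is a legal nice */
    if (errno != ESRCH) hits++;                     /* value, so only errno is trusted */
    if (answers(sched_getscheduler(pid))) hits++;   /* checkgetsched */
    return hits;
}

int pid_seen_in_procfs(pid_t pid) {                 /* the checkopendir/checkreaddir view */
    char path[32]; struct stat st;
    snprintf(path, sizeof path, "/proc/%d", (int)pid);
    return stat(path, &st) == 0;
}

/* Brute-force the PID range like unhide's brute test and count PIDs the kernel
 * answers for but /proc does not show.  Suspects are re-checked after a pause (the
 * idea behind -d).  Caveat: /proc mounted with hidepid looks the same; scan as root. */
int count_hidden_pids(pid_t first, pid_t last) {
    int hidden = 0;
    for (pid_t pid = first; pid <= last; pid++) {
        if (pid_seen_by_syscalls(pid) == 0 || pid_seen_in_procfs(pid)) continue;
        usleep(2000);
        if (pid_seen_by_syscalls(pid) == 0 || pid_seen_in_procfs(pid)) continue;
        printf("PID %d answers syscalls but is missing from /proc\n", (int)pid);
        hidden++;
    }
    return hidden;
}

int main(void) {
    long pid_max = 32768;                               /* kernel default if unreadable */
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) { if (fscanf(f, "%ld", &pid_max) != 1) pid_max = 32768; fclose(f); }
    return count_hidden_pids(1, (pid_t)pid_max) ? 1 : 0; /* unhide's exit status convention */
}
```

       Like unhide, the program exits with 1 when a suspect PID survives the
       double check and with 0 otherwise.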

EXAMPLES
       Quicker test:
              unhide quick

       Quick test:
              unhide quick reverse

       Standard test:
              unhide sys proc

       Deeper test:
              unhide -m -d sys procall brute reverse

BUGS
       Report unhide bugs on the bug tracker on SourceForge
       (http://sourceforge.net/projects/unhide/).
       With recent versions of the Linux kernel (> 2.6.33), the sysinfo test
       may report false positives. It may be due to optimization in the
       scheduler, the use of cgroups or even the use of systemd. The use of
       the PREEMPT-RT patch amplifies the occurrence of the problem. This is
       currently under investigation.

SEE ALSO
       unhide-tcp(8).

AUTHOR
       This manual page was written by Francois Marier francois@debian.org and
       Patrick Gouin. Permission is granted to copy, distribute and/or modify
       this document under the terms of the GNU General Public License,
       Version 3 or any later version published by the Free Software
       Foundation.

LICENSE
       License GPLv3+: GNU GPL version 3 or later
       <http://gnu.org/licenses/gpl.html>.
       This is free software: you are free to change and redistribute it.
       There is NO WARRANTY, to the extent permitted by law.



Administration commands           March 2012                         UNHIDE(8)