UNHIDE(8)                   System Manager's Manual                  UNHIDE(8)


NAME

       unhide — forensic tool to find hidden processes


SYNOPSIS

       unhide [OPTIONS] TEST_LIST
       unhide-posix proc | sys


DESCRIPTION

       unhide is a forensic tool to find processes hidden by rootkits, Linux
       kernel modules or by other techniques.  It detects hidden processes
       using six techniques.


OPTIONS

       Options are only available for unhide-linux, not for unhide-posix.

       -d     Do a double check in the brute test to avoid false positives.

       -f     Write a log file (unhide-linux.log) in the current directory.

       -h     Display help

       -m     Do more checks.  As of the 2012-03-17 version, this option only
              has an effect for the procfs, procall, checkopendir and
              checkchdir tests.
              Implies -v

       -r     Use the alternate version of the sysinfo check in standard tests

       -V     Show version and exit

       -v     Be verbose, display warning messages (default : don't display).
              This option may be repeated more than once.

       -u     Do unbuffered writes to stdout.  This option can be useful when
              unhide is spawned by another process (e.g. it is used by
              unhideGui).

       -H     Provide slightly more human-friendly output.  This option adds
              ending messages to tests and indicates when no hidden process is
              found.


TEST_LIST

       The checks to do consist of one or more of the following tests.
       The standard tests are the aggregation of one or more elementary
       test(s).

       Standard tests :

       The brute technique consists of brute-forcing all process IDs.
       This technique is only available with version unhide-linux.

       The proc technique consists of comparing /proc with the output of
       /bin/ps.

       The procall technique combines the proc and procfs tests.
       This technique is only available with version unhide-linux.

       The procfs technique consists of comparing information gathered from
       /bin/ps with information gathered by walking the procfs.
       With the -m option, this test makes more checks, see the checkchdir
       test.
       This technique is only available with version unhide-linux.

       The quick technique combines the proc, procfs and sys techniques in a
       quick way.  It is about 20 times faster but may give more false
       positives.
       This technique is only available with version unhide-linux.

       The reverse technique consists of verifying that all threads seen by ps
       are also seen in procfs and by system calls.  It is intended to verify
       that a rootkit has not killed a security tool (IDS or other) and made
       ps show a fake process instead.
       This technique is only available with version unhide-linux.

       The sys technique consists of comparing information gathered from
       /bin/ps with information gathered from system calls.

       Elementary tests :

       The checkbrute technique consists of brute-forcing all process IDs.
       This technique is only available with version unhide-linux.

       The checkchdir technique consists of comparing information gathered
       from /bin/ps with information gathered by making chdir() in the procfs.
       With the -m option, it also verifies that the thread appears in its
       "leader process" threads list.
       This technique is only available with version unhide-linux.

       The checkgetaffinity technique consists of comparing information
       gathered from /bin/ps with the result of a call to the
       sched_getaffinity() system function.
       This technique is only available with version unhide-linux.

       The checkgetparam technique consists of comparing information gathered
       from /bin/ps with the result of a call to the sched_getparam() system
       function.
       This technique is only available with version unhide-linux.

       The checkgetpgid technique consists of comparing information gathered
       from /bin/ps with the result of a call to the getpgid() system function.
       This technique is only available with version unhide-linux.

       The checkgetprio technique consists of comparing information gathered
       from /bin/ps with the result of a call to the getpriority() system
       function.
       This technique is only available with version unhide-linux.

       The checkRRgetinterval technique consists of comparing information
       gathered from /bin/ps with the result of a call to the
       sched_rr_get_interval() system function.
       This technique is only available with version unhide-linux.

       The checkgetsched technique consists of comparing information gathered
       from /bin/ps with the result of a call to the sched_getscheduler()
       system function.
       This technique is only available with version unhide-linux.

       The checkgetsid technique consists of comparing information gathered
       from /bin/ps with the result of a call to the getsid() system function.
       This technique is only available with version unhide-linux.

       The checkkill technique consists of comparing information gathered from
       /bin/ps with the result of a call to the kill() system function.
       Note : no process is really killed by this test.
       This technique is only available with version unhide-linux.

       The checknoprocps technique consists of comparing the results of the
       calls to each of the system functions with one another.  No comparison
       is done against /proc or the output of ps.
       This technique is only available with version unhide-linux.

       The checkopendir technique consists of comparing information gathered
       from /bin/ps with information gathered by making opendir() in the
       procfs.
       This technique is only available with version unhide-linux.

       The checkproc technique consists of comparing /proc with the output of
       /bin/ps.
       This technique is only available with version unhide-linux.

       The checkquick technique combines the proc, procfs and sys techniques
       in a quick way.  It is about 20 times faster but may give more false
       positives.
       This technique is only available with version unhide-linux.

       The checkreaddir technique consists of comparing information gathered
       from /bin/ps with information gathered by making readdir() in /proc and
       /proc/pid/task.
       This technique is only available with version unhide-linux.

       The checkreverse technique consists of verifying that all threads seen
       by ps are also seen in procfs and by system calls.  It is intended to
       verify that a rootkit has not killed a security tool (IDS or other) and
       made ps show a fake process instead.
       This technique is only available with version unhide-linux.

       The checksysinfo technique consists of comparing the number of
       processes seen by /bin/ps with information obtained from the sysinfo()
       system call.
       This technique is only available with version unhide-linux.

       The checksysinfo2 technique is an alternate version of the checksysinfo
       test.  It might (or might not) work better on kernels patched for RT,
       preempt or latency and on kernels that don't use the standard
       scheduler.
       It is also invoked by the standard tests when using the -r option.
       This technique is only available with version unhide-linux.

   Exit status:
       0      if OK,

       1      if a hidden or fake thread is found.


EXAMPLES

       Quicker test:
              unhide quick

       Quick test:
              unhide quick reverse

       Standard test:
              unhide sys proc

       Deeper test:
              unhide -m -d sys procall brute reverse


BUGS

       Report unhide bugs on the bug tracker on GitHub
       (https://github.com/YJesus/Unhide/issues).
       With recent versions of the Linux kernel (> 2.6.33), the sysinfo test
       may report false positives.  It may be due to optimization in the
       scheduler, the use of cgroups or even the use of systemd.  The use of
       the PREEMPT-RT patch amplifies the occurrence of the problem.  This is
       currently under investigation.


SEE ALSO

       unhide-tcp (8).


AUTHOR

       This manual page was written by Francois Marier (francois@debian.org)
       and Patrick Gouin (patrickg.github@free.fr).
       Permission is granted to copy, distribute and/or modify this document
       under the terms of the GNU General Public License, Version 3 or any
       later version published by the Free Software Foundation.


LICENSE

       License GPLv3+: GNU GPL version 3 or later
       <http://gnu.org/licenses/gpl.html>.
       This is free software: you are free to change and redistribute it.
       There is NO WARRANTY, to the extent permitted by law.



Administration commands            June 2022                         UNHIDE(8)