UnHide – Forensics Tools to find processes and TCP/UDP ports hidden by rootkits

Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits / LKMs or by another hiding technique.

Platform: Windows & Linux

Detecting hidden processes. Implements six main techniques:

  • Compare /proc vs /bin/ps output.
  • Compare info gathered from /bin/ps with info gathered by walking through the procfs. ONLY for Linux 2.6 version.
  • Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
  • Full PID space occupation (PID brute forcing). ONLY for Linux 2.6 version.
  • Compare /bin/ps output vs /proc, procfs walking and syscalls. ONLY for Linux 2.6 version.
  • Reverse search: verify that all threads seen by ps are also seen by the kernel.
  • Quick compare of /proc, procfs walking and syscalls vs /bin/ps output. ONLY for Linux 2.6 version.
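
The /proc-versus-ps comparison and the PID brute force from the list above, as an added Python example that is not unhide's own code. It assumes a Linux host with procfs mounted and, for the ps comparison, a procps-style ps that accepts -eL -o lwp=; the short re-check in the brute force is there because a task that exits between two probes would otherwise look hidden.

```python
import os
import shutil
import subprocess
import time

def alive_by_syscall(pid):
    """True if any probing syscall says the task exists (EPERM also means it exists)."""
    probes = (lambda p: os.kill(p, 0), os.getpgid, os.getsid,
              lambda p: os.getpriority(os.PRIO_PROCESS, p))
    for probe in probes:
        try:
            probe(pid)
            return True
        except PermissionError:
            return True            # the task exists but belongs to another user
        except OSError:            # ESRCH: this probe does not see it, try the next
            continue
    return False

def procfs_pids():
    """Thread-group leaders that a readdir of /proc shows (what ps itself reads)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def ps_lwps():
    """Thread IDs reported by 'ps -eL -o lwp=' (None if a suitable ps is unavailable)."""
    if shutil.which("ps") is None:
        return None
    r = subprocess.run(["ps", "-eL", "-o", "lwp="], capture_output=True, text=True)
    return {int(t) for t in r.stdout.split()} if r.returncode == 0 else None

def hidden_from_procfs(first=1, last=None):
    """PID brute force: tasks alive per syscalls but with no /proc/<pid> entry.
    A task exiting between the two probes looks hidden, so re-check once."""
    last = last or int(open("/proc/sys/kernel/pid_max").read())
    hidden = set()
    for pid in range(first, last + 1):
        if alive_by_syscall(pid) and not os.path.exists("/proc/%d" % pid):
            time.sleep(0.01)       # let a dying task finish exiting
            if alive_by_syscall(pid) and not os.path.exists("/proc/%d" % pid):
                hidden.add(pid)
    return hidden

def hidden_from_ps():
    """/proc vs ps: PIDs present in /proc both before and after ps ran, yet absent from its output."""
    before, lwps, after = procfs_pids(), ps_lwps(), procfs_pids()
    return None if lwps is None else (before & after) - lwps

if __name__ == "__main__":
    print("alive but absent from /proc:", sorted(hidden_from_procfs()))
    print("in /proc but absent from ps:", hidden_from_ps())
```

Scanning the whole PID space takes a while in Python; pass first/last to hidden_from_procfs to check a sub-range.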

Unhide-TCP
Identifies TCP/UDP ports that are listening but not listed by /bin/netstat, by brute forcing all available TCP/UDP ports.

Files

  • unhide.c -> Hidden processes, for generic Unix systems (*BSD, Solaris, Linux 2.2 / 2.4). It doesn't implement the PID brute forcing check yet and needs more testing. Warning: this version is somewhat outdated and may generate false positives. Prefer unhide-linux26.c if you can use it.
  • unhide-linux26.c -> Hidden processes, for Linux 2.6.x
  • unhide-tcp.c -> Hidden TCP/UDP ports
  • unhide_rb.c -> C port of unhide.rb (a very light version of unhide-linux26 in Ruby)

Compiling:

gcc -static unhide.c -o unhide

gcc -Wall -O2 -static unhide-tcp.c -o unhide-tcp

gcc -Wall -O2 -static -pthread unhide-linux26.c -o unhide-linux26

gcc -Wall -O2 -static -o unhide_rb unhide_rb.c

Windows:
- WinUnhide
Compares info gathered from the wmic command with info gathered from OpenProcess and Toolhelp.
- WinUnhide-TCP
First lists open TCP/UDP ports through GetTcpTable and GetUdpTable, then identifies hidden ports by bind() brute forcing.

Download latest version:

Windows : WinUnhide.zip (38.5 kB)

Linux : unhide_20120222_beta.tgz

Find other versions or read more here: http://www.unhide-forensics.info
