Category: Forensics. Tags: forensics, rootkit, process, linux, incident-response

unhide

unhide is a forensic tool that finds hidden processes, ports, and threads by comparing the results of multiple OS-level APIs and /proc entries. It detects rootkit-hidden processes that are invisible to standard tools like ps or netstat.

Description

unhide works by cross-referencing three independent data sources: the /proc filesystem, direct system calls (kill, getpriority, getpgid and others) and the output of ps. Any process or thread visible in one source but absent from another is flagged as potentially hidden. The package ships two binaries: unhide, for processes and threads, and unhide-tcp, for listening TCP/UDP ports that ss or netstat do not show. Both are meant for live incident response when a rootkit is suspected. Findings need confirmation (a second run, or -d for the brute test), because a process that exits between two of the data collections looks hidden too.

How It Works

For the brute test, unhide walks every PID from 1 to the kernel's pid_max and probes each one with system calls such as kill and getpriority; a PID that answers but is absent from /proc or from ps output is reported. unhide-tcp does the equivalent for ports: it tries to bind every TCP and UDP port itself, and a port that is already in use but not listed by ss (or by netstat, with -n) is reported as hidden. A discrepancy means userspace is being lied to somewhere, which is what a rootkit does, but it can also be a process or socket that came or went between two of the checks, so results should be confirmed with a second run. Both tools must run as root so that they can probe other users' processes and privileged ports. The technique has a limit worth keeping in mind: a kernel rootkit that filters the system calls as well as /proc stays invisible to all three views, so a clean result is not proof of a clean host.
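The cross-check described above, rebuilt as an added example (this is example code, not unhide's own source) so the logic is visible end to end: three views of the process and thread ID space are collected and compared, suspects are re-checked so that processes which merely exited between snapshots drop out, and ports are probed with bind() and compared against ss. The function names, the choice of kill() and getpriority() as probes, and the ps and ss column parsing are this example's own choices, not unhide's; it assumes Linux with /proc mounted, ps and ss on PATH, and root so that other users' processes and privileged ports can be probed.

```python
"""Miniature unhide, added here as an example (not unhide's own code).  Three
views of the ID space are collected (/proc walk, system-call probes, ps), any ID
missing from some view is flagged, suspects are re-checked to drop processes that
merely exited between snapshots (what unhide -d does), and ports are probed with
bind() and compared with ss the way unhide-tcp does.  Assumes Linux, root, ps+ss."""
import errno
import os
import socket
import subprocess


def pids_from_proc() -> set[int]:
    """View 1: walk /proc plus /proc/<pid>/task so threads count too (kill()
    answers for thread IDs as well; without this every thread looks hidden)."""
    ids = set()
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            ids.add(int(entry))
            try:
                ids.update(int(t) for t in os.listdir(f"/proc/{entry}/task"))
            except FileNotFoundError:   # exited while we were walking
                pass
    return ids

def syscall_says_alive(pid: int) -> bool:
    """View 2: kill(pid, 0) / getpriority() succeed (or fail with EPERM) for a
    live ID and fail with ESRCH otherwise; /proc-filtering rootkits forget these."""
    for probe in (lambda: os.kill(pid, 0),
                  lambda: os.getpriority(os.PRIO_PROCESS, pid)):
        try:
            probe()
            return True
        except PermissionError:         # exists, just not ours
            return True
        except ProcessLookupError:      # ESRCH: try the other probe
            pass
    return False

def pids_from_syscalls(max_pid: int) -> set[int]:
    """Brute-force the whole ID space 1..max_pid (unhide's brute test)."""
    return {pid for pid in range(1, max_pid + 1) if syscall_says_alive(pid)}

def pids_from_ps() -> set[int]:
    """View 3: every thread ID ps reports (ps -eL lists threads)."""
    out = subprocess.run(["ps", "-eLo", "lwp="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def discrepancies(sources: dict[str, set[int]]) -> dict[int, dict[str, bool]]:
    """IDs seen by some sources but not all, with the per-source verdicts."""
    flagged = {}
    for pid in sorted(set().union(*sources.values())):
        seen = {name: pid in ids for name, ids in sources.items()}
        if not all(seen.values()):
            flagged[pid] = seen
    return flagged

def still_inconsistent(pid: int) -> bool:
    """Second look: a short-lived process (ps itself, a cron job) is now gone
    from every view; a genuinely hidden one stays inconsistent."""
    views = (pid in pids_from_proc(), syscall_says_alive(pid), pid in pids_from_ps())
    return any(views) and not all(views)

def confirm(candidates: dict[int, dict[str, bool]], recheck=still_inconsistent):
    """Keep only suspects that are still inconsistent on a second pass."""
    return {pid: v for pid, v in candidates.items() if recheck(pid)}

def port_in_use(port: int, kind: int = socket.SOCK_STREAM) -> bool:
    """unhide-tcp's probe: bind() the port; EADDRINUSE means a socket owns it,
    listed or not.  No SO_REUSEADDR (the conflict is the signal); without root,
    ports below 1024 fail with EACCES and are reported as free."""
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind(("0.0.0.0", port))
            return False
        except OSError as exc:
            return exc.errno == errno.EADDRINUSE

def ports_from_ss(udp: bool = False) -> set[int]:
    """Userspace view: the Local Address:Port column of ss -lnt / ss -lnu."""
    out = subprocess.run(["ss", "-lnu" if udp else "-lnt"], capture_output=True,
                         text=True, check=True).stdout
    ports = set()
    for line in out.splitlines()[1:]:
        for tok in line.split():
            _, sep, port = tok.rpartition(":")
            if sep and port.isdigit():  # first host:port token is Local
                ports.add(int(port))
                break
    return ports

def selftest_port_probe() -> bool:
    """Open a constructed loopback listener and confirm the probe reports it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return port_in_use(srv.getsockname()[1])

if __name__ == "__main__":
    pid_max = int(open("/proc/sys/kernel/pid_max").read())
    views = {"proc": pids_from_proc(), "ps": pids_from_ps(),
             "sys": pids_from_syscalls(pid_max)}   # a few seconds at a large pid_max
    for pid, seen in confirm(discrepancies(views)).items():
        print(f"suspect ID {pid}: {seen}")
    for udp, kind in ((False, socket.SOCK_STREAM), (True, socket.SOCK_DGRAM)):
        busy = {p for p in range(1, 65536) if port_in_use(p, kind)}
        for p in sorted(busy - ports_from_ss(udp)):
            print(f"hidden {'UDP' if udp else 'TCP'} port {p}")
```

Run it as root. As an unprivileged user, a /proc mounted with hidepid makes other users' processes look hidden from the /proc view while kill() still answers, and privileged ports cannot be probed, so every result below 1024 reads as free. The re-check in confirm() is what keeps ps's own PID (present in ps output, gone by the time /proc and the syscalls are consulted) out of the report; that is the same false-positive class unhide's -d option targets.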

Installation

```bash
sudo apt install -y unhide
```

Flags

Tests (give one or more on the command line):

proc     Compare /proc with the output of ps
procfs   Compare ps output with a walk of the procfs; with -m, run extra checks
procall  Combination of the proc and procfs tests
sys      Compare ps output with what system calls (kill, getpriority, getpgid and others) report
brute    Brute-force every PID from 1 to pid_max
quick    proc, procfs and sys combined; about twenty times faster but more prone to false positives
reverse  Check that everything ps shows is also seen in procfs and by system calls, to catch a rootkit that has killed a security tool and makes ps show a fake process in its place

Options:

-v       Be verbose: display warnings (silent by default); may be repeated
-m       Do more checks; only affects the procfs and procall tests
-d       Double-check suspects in the brute test to weed out short-lived processes

Examples

```bash
# Scan for hidden processes with the proc and procfs tests combined
sudo unhide procall
# Brute-force every PID, double-checking suspects so short-lived processes are not reported
sudo unhide -d brute
# Find listening TCP/UDP ports that ss does not show
sudo unhide-tcp
# Verbose system-call comparison
sudo unhide -v sys
# Run several tests in one invocation
sudo unhide proc sys brute
```
Updated 2026-04-17. Source: kali.org