Category: Forensics. Tags: forensics, rootkits, hidden-processes, ruby

unhide.rb

Forensics tool to find processes hidden by rootkits. Scans system for hidden processes and lists any hits on stderr.

Description

Unhide.rb is a forensics tool designed to detect processes hidden by rootkits. It looks for active processes in many different ways, considering processes found by some means but not others as 'hidden' and reporting them to the user. This tool can be used by rkhunter in its daily scans.

As a Ruby rewrite of the original C-based Unhide, unhide.rb is significantly faster but does not implement all diagnostics of the original and cannot be statically compiled, making it less secure in some contexts. Progress messages are printed to stdout, which can be redirected, while error diagnostics and hidden process information go to stderr.

It is particularly useful in forensic investigations where rootkit activity is suspected, providing quick detection of discrepancies in process listings.

How It Works

Unhide.rb scans the system for active processes using multiple detection methods. Processes visible in some scans but not others are flagged as hidden. It compares results across various techniques to identify rootkit concealment, reporting discrepancies on stderr with progress on stdout.
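The cross-check described above, as an added Ruby example that is not unhide.rb's own source: three hypothetical enumerators (a /proc listing, `ps`, and a kill(0) probe capped at an assumed 32768 PIDs) feed a pure comparison function; thread IDs are ignored and a second pass discounts ordinary process churn.

```ruby
# Hypothetical, simplified illustration of the unhide.rb approach (not the tool's own
# source): build independent lists of live PIDs and report any PID one list misses.
require 'set'
MAX_PROBE_PID = 32_768 # assumed demo cap; unhide reads /proc/sys/kernel/pid_max

# View 1: /proc directory listing, the view rootkits most commonly filter.
def pids_from_proc
  Dir.children('/proc').grep(/\A\d+\z/).map(&:to_i).to_set
end

# View 2: what `ps` reports, a different code path over the same kernel data.
def pids_from_ps
  `ps -e -o pid=`.split.map(&:to_i).to_set
rescue Errno::ENOENT
  Set.new # ps not installed: this view is simply absent
end

# View 3: brute-force kill(pid, 0) probe, independent of any directory listing.
def pids_from_kill_probe(limit = MAX_PROBE_PID)
  (1..limit).each_with_object(Set.new) do |pid, found|
    Process.kill(0, pid)
    found << pid
  rescue Errno::EPERM # exists but belongs to another user: still present
    found << pid
  rescue Errno::ESRCH # no such process
  end
end

# Pure comparison: a PID is suspicious when some view lists it and another
# non-empty view does not. Returns { pid => [names of views that missed it] }.
def hidden_pids(views, ignore = Set.new)
  active = views.reject { |_, pids| pids.empty? }
  union = active.values.reduce(Set.new, :|) - ignore
  union.each_with_object({}) do |pid, hits|
    missed = active.keys.reject { |name| active[name].include?(pid) }
    hits[pid] = missed unless missed.empty?
  end
end

def scan
  # Thread IDs also answer kill(0); ignore them so threads are not false hits.
  tids = Dir.glob('/proc/[0-9]*/task/[0-9]*').map { |p| File.basename(p).to_i }.to_set
  hidden_pids({ proc: pids_from_proc, ps: pids_from_ps, kill: pids_from_kill_probe }, tids)
end

if File.directory?('/proc')
  # Two passes: only PIDs flagged by both survive ordinary churn such as the
  # short-lived `ps` child that one view lists and the next no longer finds.
  first, second = scan, scan
  (first.keys & second.keys).each do |pid|
    warn "Possible hidden PID #{pid}: not seen by #{second[pid].join(', ')}"
  end
end
```

Like the tool, hits go to stderr via `warn`, so they survive `> /dev/null` on stdout.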

Installation

sudo apt install unhide.rb

Examples

Scans the system for hidden processes and lists any hits on stderr
unhide.rb
Runs the scan with progress messages redirected to /dev/null, hidden processes reported on stderr
unhide.rb > /dev/null
Captures error diagnostics and hidden process information to a log file
unhide.rb 2> hidden_processes.log
Runs the scan with root privileges
sudo unhide.rb
Filters the stdout progress messages through grep; hidden-process output on stderr passes through untouched
unhide.rb | grep hidden
Limits scan duration to 60 seconds while detecting hidden processes
timeout 60 unhide.rb
Checks exit status 0 to confirm no hidden processes found
unhide.rb && echo 'No hidden processes'
Updated 2026-04-16 (kali.org ↗)