unhide.rb
Forensics tool to find processes hidden by rootkits. Scans the system for hidden processes and lists any hits on stderr.
Description
Unhide.rb is a forensics tool designed to detect processes hidden by rootkits. It looks for active processes in many different ways, considering processes found by some means but not others as 'hidden' and reporting them to the user. This tool can be used by rkhunter in its daily scans.
As a Ruby rewrite of the original C-based Unhide, unhide.rb is significantly faster but does not implement all diagnostics of the original and cannot be statically compiled, making it less secure in some contexts. Progress messages are printed to stdout, which can be redirected, while error diagnostics and hidden process information go to stderr.
It is particularly useful in forensic investigations where rootkit activity is suspected, providing quick detection of discrepancies in process listings.
How It Works
Unhide.rb scans the system for active processes using multiple detection methods. Processes visible in some scans but not others are flagged as hidden. It compares results across various techniques to identify rootkit concealment, reporting discrepancies on stderr with progress on stdout.
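The "seen by one method but not by another" comparison described above, as an added illustration written for this page (not unhide.rb's own code). It assumes a Linux /proc, probes a fixed PID range with signal 0, and rescans so that processes that merely exited between passes are not misreported:

```ruby
# Added example, not unhide.rb's own implementation: two independent ways of
# enumerating live PIDs, then a comparison that flags anything the second
# method sees but the first does not.
PROBE_RANGE = (1..65_535)  # assumed upper bound; the real pid_max may differ

# Method 1: PIDs that appear as numeric directory entries under /proc.
# Returns [] when /proc is unavailable so the caller can still run.
def proc_pids(proc_dir = "/proc")
  Dir.children(proc_dir).grep(/\A\d+\z/).map(&:to_i)
rescue Errno::ENOENT
  []
end

# Method 2: PIDs that the kernel reports as existing via kill(pid, 0).
# ESRCH means no such process; EPERM means it exists but is not ours
# (still counts as alive, which is exactly what a hidden-process scan wants).
def probe_pids(range = PROBE_RANGE)
  range.select do |pid|
    Process.kill(0, pid)
    true
  rescue Errno::ESRCH
    false
  rescue Errno::EPERM
    true
  end
end

# Pure comparison: every PID the probe found that the /proc listing lacks.
def hidden_pids(visible, probed)
  (probed - visible).sort
end

# Run the comparison several times and keep only PIDs flagged in every pass;
# a process that exits between the two enumerations shows up in one pass
# only and is therefore dropped instead of being reported as hidden.
def scan_hidden(passes: 2)
  Array.new(passes) { hidden_pids(proc_pids, probe_pids) }.reduce(:&)
end

if __FILE__ == $PROGRAM_NAME
  hidden = scan_hidden
  hidden.each { |pid| warn "Found HIDDEN PID: #{pid}" }   # findings on stderr
  puts(hidden.empty? ? "No hidden processes found" : "#{hidden.size} hidden PID(s)")
end
```

Run it as root for a meaningful result: unprivileged, the kill(0) probe still sees other users' processes via EPERM, but /proc may be mounted with hidepid and then list fewer entries than the probe, producing false positives.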
Installation
sudo apt install unhide.rb
Examples
unhide.rb
unhide.rb > /dev/null
unhide.rb 2> hidden_processes.log
sudo unhide.rb
unhide.rb | grep hidden
unhide.rb 2>&1 | grep hidden
timeout 60 unhide.rb
unhide.rb && echo 'No hidden processes'
Note that hidden-process reports go to stderr, so a plain pipe into grep only filters the progress messages on stdout; redirect stderr into the pipe (2>&1) to search the actual findings. The last example only means something if unhide.rb exits non-zero when it finds hidden processes, which this page does not state; check the exit status on your version before relying on it.