Unhide Processes Forensics v20100201 released
Unhide is a forensic tool that finds processes and TCP/UDP ports hidden by rootkits, LKMs or any other hiding technique.
// Unhide (ps)
Detects hidden processes. It implements three techniques:
- Compare /proc with the output of /bin/ps
- Compare the information gathered from /bin/ps with the information gathered from syscalls (syscall scanning)
- Full PID space occupation (PID brute forcing)
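The following is an added example, not Unhide's own source, showing two of the three techniques listed above in minimal form: the "/proc vs /bin/ps" comparison and the PID space brute force. It assumes a Linux host with /proc mounted and a procps-style `ps` that accepts `ps -eo pid=` (one PID per line, no header). A PID the kernel answers for (via `kill(pid, 0)` or `getpgid`) but that has no /proc entry, or one that has a /proc entry but is never printed by ps, is reported as hidden; each candidate is re-checked so that processes that start or exit during the scan are not reported.

```c
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Added example, not Unhide's own code: the "/proc vs /bin/ps" and
 * "PID space brute force" techniques. A PID the kernel answers for but that
 * has no /proc entry, or one in /proc that ps never printed, is reported. */

/* Parse a /proc directory name or a `ps -eo pid=` line; -1 if not a PID. */
long parse_pid(const char *text) {
    char *end;
    long pid;
    while (*text == ' ' || *text == '\t') text++;
    pid = strtol(text, &end, 10);
    if (end == text || pid <= 0 || (*end != '\0' && *end != '\n')) return -1;
    return pid;
}

/* Largest PID the kernel hands out; 32768 if /proc/sys is unreadable. */
long get_max_pid(void) {
    long max = 32768;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (!f) { fprintf(stderr, "Warning: cannot read pid_max, assuming %ld\n", max); return max; }
    if (fscanf(f, "%ld", &max) != 1 || max < 1) max = 32768;
    fclose(f);
    return max;
}

/* Does the kernel know this PID? EPERM means it exists but is not ours. */
int pid_alive_syscall(pid_t pid) {
    if (kill(pid, 0) == 0 || errno == EPERM) return 1;
    if (getpgid(pid) >= 0 || errno == EPERM) return 1;
    return 0;
}

/* Does /proc/<pid> exist? stat() also succeeds for thread IDs, which readdir()
 * on /proc does not list, so threads are not mistaken for hidden processes. */
int pid_in_proc(pid_t pid) {
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%ld", (long)pid);
    return stat(path, &st) == 0;
}

/* Brute force check: alive to syscalls yet absent from /proc. Probed twice so
 * a process that exits between the two calls is not reported. */
int pid_is_hidden(pid_t pid) {
    int round;
    if (pid <= 0) return 0;  /* kill(0, ...) means "my process group", never a PID */
    for (round = 0; round < 2; round++)
        if (!pid_alive_syscall(pid) || pid_in_proc(pid)) return 0;
    return 1;
}

long brute_scan(long max_pid) {
    long pid, found = 0;
    for (pid = 1; pid <= max_pid; pid++)
        if (pid_is_hidden((pid_t)pid)) { printf("Found HIDDEN PID: %ld\n", pid); found++; }
    return found;
}

/* Mark in `seen` every PID that /bin/ps prints; -1 if ps cannot be run. */
long collect_ps_pids(unsigned char *seen, long max_pid) {
    FILE *p = popen("ps -eo pid=", "r");
    char line[64];
    long n = 0;
    if (!p) { fprintf(stderr, "Warning: cannot run ps, test skipped\n"); return -1; }
    while (fgets(line, sizeof line, p)) {
        long pid = parse_pid(line);
        if (pid > 0 && pid <= max_pid) { seen[pid] = 1; n++; }
    }
    return pclose(p) == 0 ? n : -1;
}

/* /proc vs ps: PIDs present in /proc that ps never printed. Before reporting,
 * ps is run again (merged into `seen`) so a process that merely started after
 * the first run is not flagged. */
long proc_vs_ps_scan(long max_pid) {
    unsigned char *seen = calloc((size_t)max_pid + 1, 1);
    struct dirent *e;
    DIR *d;
    long found = 0;
    if (!seen || collect_ps_pids(seen, max_pid) < 0) { free(seen); return -1; }
    if (!(d = opendir("/proc"))) { free(seen); return -1; }
    while ((e = readdir(d)) != NULL) {
        long pid = parse_pid(e->d_name);
        if (pid <= 0 || pid > max_pid || seen[pid]) continue;
        if (collect_ps_pids(seen, max_pid) < 0 || seen[pid] || !pid_in_proc((pid_t)pid)) continue;
        printf("Found HIDDEN PID in /proc but not in ps: %ld\n", pid);
        found++;
    }
    closedir(d);
    free(seen);
    return found;
}

int main(void) {
    long max_pid = get_max_pid();
    long a = proc_vs_ps_scan(max_pid), b = brute_scan(max_pid);
    printf("pid_max %ld: %ld hidden by /proc vs ps, %ld hidden by brute force\n", max_pid, a, b);
    return (a > 0 || b > 0) ? 1 : 0;
}
```

Build with `cc -O2 -o pidscan pidscan.c` and run it as root so that `kill(pid, 0)` is not answered with EPERM for every foreign process (EPERM is still treated as "exists", so an unprivileged run works, only less precisely). The scan of the full PID space costs three syscalls per PID, which is a few seconds at most even with `pid_max` raised to several million; a non-zero exit status means at least one PID was reported and deserves a closer look.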
// Unhide-TCP
Identifies TCP/UDP ports that are listening but not listed by /bin/netstat, by brute forcing all available TCP/UDP ports.
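As an added example that is not unhide-tcp's own code, the port brute force described above can be implemented by attempting to `bind()` every TCP and UDP port with a fresh socket and comparing the ports the kernel refuses (some socket already owns them) against the ports `netstat` prints. It assumes a Linux host with a net-tools `netstat` that accepts `-tuan` (all TCP and UDP sockets, numeric); `parse_netstat_line` is written for that output layout, and the sample lines in the usage note are constructed.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example, not unhide-tcp's own code: brute force all 65535 TCP and UDP
 * ports by trying to bind() each one, then report ports the kernel refuses
 * (some socket already owns them) that /bin/netstat never printed. */
enum { PORT_FREE = 0, PORT_IN_USE = 1, PORT_UNKNOWN = -1 };

/* Probe one port with a fresh socket (no SO_REUSEADDR, so any owner conflicts).
 * EADDRINUSE: taken. EACCES (port < 1024 without privilege): cannot tell. */
int port_in_use(int port, int socktype) {
    struct sockaddr_in a;
    int s = socket(AF_INET, socktype, 0), rc, err;
    if (s < 0) return PORT_UNKNOWN;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_ANY);
    a.sin_port = htons((unsigned short)port);
    rc = bind(s, (struct sockaddr *)&a, sizeof a);
    err = errno;
    close(s);
    if (rc == 0) return PORT_FREE;
    return err == EADDRINUSE ? PORT_IN_USE : PORT_UNKNOWN;
}

/* Parse one `netstat -tuan` line ("proto recv-q send-q local foreign [state]").
 * Returns the local port and sets *is_tcp; -1 for header and other lines. */
int parse_netstat_line(const char *line, int *is_tcp) {
    char proto[16], local[64], *end;
    const char *colon;
    int rq, sq;
    long port;
    if (sscanf(line, "%15s %d %d %63s", proto, &rq, &sq, local) != 4) return -1;
    if (strncmp(proto, "tcp", 3) == 0) *is_tcp = 1;
    else if (strncmp(proto, "udp", 3) == 0) *is_tcp = 0;
    else return -1;
    if (!(colon = strrchr(local, ':'))) return -1;
    port = strtol(colon + 1, &end, 10);
    return (end == colon + 1 || *end || port < 1 || port > 65535) ? -1 : (int)port;
}

/* Mark every local port netstat lists (tcp[]/udp[] hold 65536 entries); -1 if
 * netstat is missing or fails. Results are merged into the tables. */
long collect_netstat_ports(unsigned char *tcp, unsigned char *udp) {
    FILE *p = popen("netstat -tuan 2>/dev/null", "r");
    char line[256];
    long n = 0;
    int is_tcp = 0;
    if (!p) return -1;
    while (fgets(line, sizeof line, p)) {
        int port = parse_netstat_line(line, &is_tcp);
        if (port > 0) { (is_tcp ? tcp : udp)[port] = 1; n++; }
    }
    return pclose(p) == 0 ? n : -1;
}

/* Self-check helper: a TCP listener on 127.0.0.1 on a kernel-chosen port. */
int listen_on_loopback(int *port_out) {
    struct sockaddr_in a;
    socklen_t len = sizeof a;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return -1;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(s, (struct sockaddr *)&a, sizeof a) < 0 || listen(s, 1) < 0 ||
        getsockname(s, (struct sockaddr *)&a, &len) < 0) { close(s); return -1; }
    *port_out = ntohs(a.sin_port);
    return s;
}

/* Brute force one protocol. An in-use port missing from the netstat table is
 * re-checked against a fresh netstat run and a second bind() before being
 * reported, since connections start and end all the time. */
long scan_hidden_ports(int socktype, unsigned char *tcp, unsigned char *udp) {
    unsigned char *listed = socktype == SOCK_STREAM ? tcp : udp;
    long hidden = 0, skipped = 0;
    int port;
    for (port = 1; port <= 65535; port++) {
        int st = port_in_use(port, socktype);
        if (st == PORT_UNKNOWN) { skipped++; continue; }
        if (st == PORT_FREE || listed[port]) continue;
        if (collect_netstat_ports(tcp, udp) < 0) return -1;
        if (listed[port] || port_in_use(port, socktype) != PORT_IN_USE) continue;
        printf("Found HIDDEN %s port: %d\n", socktype == SOCK_STREAM ? "TCP" : "UDP", port);
        hidden++;
    }
    if (skipped) fprintf(stderr, "Warning: %ld ports not probed (privileged range, run as root)\n", skipped);
    return hidden;
}

int main(void) {
    static unsigned char tcp[65536], udp[65536];
    int port = 0, fd = listen_on_loopback(&port);
    long t, u;
    if (collect_netstat_ports(tcp, udp) < 0) { fprintf(stderr, "Warning: cannot run netstat, test skipped\n"); return 2; }
    printf("self-check: our own listener on port %d is %s by netstat\n", port, tcp[port] ? "listed" : "NOT listed");
    t = scan_hidden_ports(SOCK_STREAM, tcp, udp);
    u = scan_hidden_ports(SOCK_DGRAM, tcp, udp);
    if (fd >= 0) close(fd);
    printf("hidden TCP ports: %ld, hidden UDP ports: %ld\n", t, u);
    return (t > 0 || u > 0) ? 1 : 0;
}
```

The parser accepts constructed lines such as `tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN` (port 22, TCP) and `udp        0      0 0.0.0.0:68              0.0.0.0:*` (port 68, UDP) and rejects the header lines. All sockets are compared, not only listeners, because an outbound connection also occupies its local port and would otherwise be a false positive; ports below 1024 can only be probed as root, and the count of skipped ports is reported as a warning rather than silently ignored.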
Changelog for this new release
- Thread brute force added
- Added the needed stuff (includes, defines, ...) to eliminate compilation warnings. (Thanks to J. Walles)
- Corrected a typo in checkps() where fich_tmp was used in place of fich_pgid. (Thanks to P. Gouin)
- Corrected several FD leaks where files or pipes were read and closed even if they had failed to open. (Thanks to W. Doekes & P. Gouin)
- Added warning messages if a file or pipe fails to open (compatible with rkhunter's use of unhide). (Thanks to W. Doekes & P. Gouin)
- Added warning messages if a test is skipped (compatible with rkhunter's use of unhide). (Thanks to P. Gouin)
- Corrected the removal of leading spaces in checkps(), which tested one char too far for the end of the string. (Thanks to P. Gouin)
- Close fd in get_max_pid(). (Thanks to P. Gouin)
- Close cmd_file in printbadpid(). (Thanks to P. Gouin)
- Added display of the test name in checkallnoprocps(). (Thanks to P. Gouin)
- Close fich_processo in checksysinfo(). (Thanks to W. Doekes)
- Avoid a potential buffer overflow in checksysinfo(). (Thanks to W. Doekes)
- Corrected allpids[] initialization in brute(). (Thanks to W. Doekes)
- Modified brute(), as modifying allpids[] from within the forked process may have undefined results (see the Linux vfork() man page). (Thanks to P. Gouin)
- Added a return to main(). (Thanks to W. Doekes)
- Optimizations. (Thanks to P. Gouin)
Tool Submitted by YJesus from http://www.securitybydefault.com