Monday 1 February 2010 (Keywords: Configurations checks, Forensics, Rootkits, Unhide)
Unhide is a forensic tool that finds processes and TCP/UDP ports hidden by rootkits, LKMs or other concealment techniques. It ships as two programs.

Unhide (ps)

Detects hidden processes. It implements three techniques:
Compare the process list in /proc with the output of /bin/ps
Compare the information gathered from /bin/ps with the information gathered directly from syscalls (syscall scanning)
Occupy the full PID space (PID brute forcing)
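The first and third techniques, as an added example that is not Unhide's own code: a Python script that lists /proc, asks ps for its view, and walks the whole PID space with kill(pid, 0), which only asks the kernel whether a PID exists. The /proc paths and the `ps -eo pid=` invocation are standard Linux/procps; thread IDs are added to the visible set because kill(2) answers for them too, which is the false positive the changelog's thread brute force addresses. The `probe` parameter is an assumption of this example, added so the walk can be tested without a real PID space.

```python
import os
import subprocess

def proc_pids():
    """PIDs listed in /proc (numeric directory names)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def proc_tids(pids):
    """Thread IDs of the listed processes: kill(2) answers for TIDs as well,
    so they join the visible set or every thread would be reported as hidden."""
    tids = set()
    for pid in pids:
        try:
            tids |= {int(t) for t in os.listdir(f"/proc/{pid}/task")}
        except OSError:  # process exited between the two listings
            pass
    return tids

def ps_pids():
    """PIDs reported by ps; a user-space rootkit that hooks ps or readdir(3)
    filters this view while the kernel still knows the process."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def probe_pid(pid):
    """Ask the kernel directly with kill(pid, 0): no signal is delivered,
    ESRCH means no such process, EPERM proves that one exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass
    return True

def hidden_from_ps(proc, ps):
    """Technique 1: PIDs present in /proc but absent from the ps output."""
    return proc - ps

def brute_force_hidden(visible, max_pid, probe=probe_pid):
    """Technique 3: walk the whole PID space; a PID the kernel acknowledges but
    that is absent from `visible` is a candidate hidden process (probe is
    injectable for testing; constructed assumption of this example)."""
    return {pid for pid in range(1, max_pid + 1)
            if pid not in visible and probe(pid)}

def self_is_visible_to_kill():
    """Sanity check: the running interpreter must always be found."""
    return probe_pid(os.getpid())
```

To run it on a host, read the upper bound from /proc/sys/kernel/pid_max and call `brute_force_hidden(proc_pids() | ps_pids() | proc_tids(proc_pids()), max_pid)` together with `hidden_from_ps(proc_pids(), ps_pids())`; an empty result from both is the expected clean state.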
Unhide-TCP

Identifies TCP/UDP ports that are listening but not listed by /bin/netstat, by brute forcing all available TCP/UDP ports.
Changelog for this new release
Threads brute force added
Add needed stuff (includes, defines, ...) to eliminate compilation warnings. (Thanks to J. Walles)
Correct a typo in checkps() where fich_tmp was used in place of fich_pgid. (Thanks to P. Gouin)
Correct several FD leaks where files or pipes were read and closed even when they had failed to open. (Thanks to W. Doekes & P. Gouin)
Add warning messages if a file or pipe fails to open (compatible with rkhunter's use of unhide). (Thanks to W. Doekes & P. Gouin)
Add warning messages if a test is skipped (compatible with rkhunter's use of unhide). (Thanks to P. Gouin)
Correct the removal of leading spaces in checkps(), which tested one character too far for the end of string. (Thanks to P. Gouin)
Close fd in get_max_pid(). (Thanks to P. Gouin)
Close cmd_file in printbadpid(). (Thanks to P. Gouin)
Add display of the test name in checkallnoprocps(). (Thanks to P. Gouin)
Close fich_processo in checksysinfo(). (Thanks to W. Doekes)
Avoid a potential buffer overflow in checksysinfo(). (Thanks to W. Doekes)
Correct allpids[] initialization in brute(). (Thanks to W. Doekes)
Modify brute(), as modifying allpids[] from within the forked process may have undefined results (see the Linux vfork() man page). (Thanks to P. Gouin)
Add return to main(). (Thanks to W. Doekes)
Optimizations. (Thanks to P. Gouin)
Tool Submitted by YJesus from http://www.securitybydefault.com
POSTSCRIPTUM
COMPLIANCE MANDATES
Forensics : PCI DSS 10.2, 12.9, A.1.4*, SOX DS7, HIPAA 164.308(a)(1) and (a)(6), FISMA IR-7, ISO 27001/27002 13.2.1, 13.2.3
*Shared Hosting Providers Only