About Unhide.rb

Julien Valroff julien at debian.org
Mon Oct 24 05:02:24 UTC 2011

Hi Yago,

Le dimanche 23 oct. 2011 à 19:59:00 (+0200 CEST), Yago Jesus a écrit :
> Hi Julian (and all Debian Forensics team)
> First, I want to thank you for your quick response.
> I like the new description but, I have a doubt.
> Why 10 times faster? Who made this test? Is always 10x faster? is it
> in both 32 and 64 bits enviroments?
> Im agree Unhide.rb is faster (due to the less deep tests) but I don't
> know exactly how much.

You are right, I haven't tested it myself.
Then, what about just stating "much" faster?

> Moreover if you want to highlight this feature I think it is also fair
> to highlight  the question about static binaries VS non static Ruby
> Binary.
> With a security point of view, I think the fact that Unhide should be
> compiled and shipped in static mode makes Unhide inmune to the most
> popular rootkits (based in LD_PRELOAD). On the other hand Unhide.rb
> due to their Ruby dependency could be compromised. So, yes Unhide is
> more secure than Unhide.rb

Here is a new proposal:

 Unhide.rb is a forensic tool to find processes hidden by rootkits.
 It looks for active processes in many different ways. Processes found by
 some means but not others are considered to be "hidden", and are reported
 to the user.
 Unhide.rb is a tentative of rewrite in Ruby of the original Unhide, which
 is written in C. While being much faster, it does not implement all the
 diagnostics of the original version. It is also less secure as it cannot
 be statically compiled.
 This package can be used by rkhunter in its daily scans.

FYI, here is the current description of the unhide package:

 Unhide is a forensic tool to find processes and TCP/UDP ports hidden by
 rootkits, Linux kernel modules or by other techniques. It includes two
 utilities: unhide and unhide-tcp.
 unhide detects hidden processes using three techniques:
  * comparing the output of /proc and /bin/ps
  * comparing the information gathered from /bin/ps with the one gathered from
    system calls (syscall scanning)
  * full scan of the process ID space (PIDs bruteforcing)
 unhide-tcp identifies TCP/UDP ports that are listening but are not listed in
 /bin/netstat through brute forcing of all TCP/UDP ports available.
 This package can be used by rkhunter in its daily scans.

> I understand your perspective about reporting. Unhide.rb is more
> compact but I think it is more important the fact about finding the
> exact hidden command (and in some scenarios, the path where
> rogue-binary lives) But it is subjective

I consider both tools as complementary and not as competitors, depending on
the use case.


  .''`.   Julien Valroff ~ <julien at kirya.net> ~ <julien at debian.org>    
 : :'  :  Debian Developer & Free software contributor
 `. `'`   http://www.kirya.net/
   `-     4096R/ E1D8 5796 8214 4687 E416  948C 859F EF67 258E 26B1

More information about the forensics-devel mailing list