About Unhide.rb

Yago Jesus yjesus at security-projects.com
Mon Oct 24 13:43:55 UTC 2011

Hi Julien (not Julian, sorry for the mistake in my latest mail ),

Thank you, I think the new description is better.

One more thing, as you can see here
http://www.unhide-forensics.info/?Linux we implement six techniques

Please don't hesitate to leave a message if you've got some problems
with Unhide (I have added myself to this maillist anyway)


2011/10/24 Julien Valroff <julien at debian.org>:
> Hi Yago,
> Le dimanche 23 oct. 2011 à 19:59:00 (+0200 CEST), Yago Jesus a écrit :
>> Hi Julian (and all Debian Forensics team)
>> First, I want to thank you for your quick response.
>> I like the new description but, I have a doubt.
>> Why 10 times faster? Who made this test? Is always 10x faster? is it
>> in both 32 and 64 bits enviroments?
>> Im agree Unhide.rb is faster (due to the less deep tests) but I don't
>> know exactly how much.
> You are right, I haven't tested it myself.
> Then, what about just stating "much" faster?
>> Moreover if you want to highlight this feature I think it is also fair
>> to highlight  the question about static binaries VS non static Ruby
>> Binary.
>> With a security point of view, I think the fact that Unhide should be
>> compiled and shipped in static mode makes Unhide inmune to the most
>> popular rootkits (based in LD_PRELOAD). On the other hand Unhide.rb
>> due to their Ruby dependency could be compromised. So, yes Unhide is
>> more secure than Unhide.rb
> Here is a new proposal:
>  Unhide.rb is a forensic tool to find processes hidden by rootkits.
>  .
>  It looks for active processes in many different ways. Processes found by
>  some means but not others are considered to be "hidden", and are reported
>  to the user.
>  .
>  Unhide.rb is a tentative of rewrite in Ruby of the original Unhide, which
>  is written in C. While being much faster, it does not implement all the
>  diagnostics of the original version. It is also less secure as it cannot
>  be statically compiled.
>  .
>  This package can be used by rkhunter in its daily scans.
> FYI, here is the current description of the unhide package:
>  Unhide is a forensic tool to find processes and TCP/UDP ports hidden by
>  rootkits, Linux kernel modules or by other techniques. It includes two
>  utilities: unhide and unhide-tcp.
>  .
>  unhide detects hidden processes using three techniques:
>  * comparing the output of /proc and /bin/ps
>  * comparing the information gathered from /bin/ps with the one gathered from
>    system calls (syscall scanning)
>  * full scan of the process ID space (PIDs bruteforcing)
>  .
>  unhide-tcp identifies TCP/UDP ports that are listening but are not listed in
>  /bin/netstat through brute forcing of all TCP/UDP ports available.
>  .
>  This package can be used by rkhunter in its daily scans.
>> I understand your perspective about reporting. Unhide.rb is more
>> compact but I think it is more important the fact about finding the
>> exact hidden command (and in some scenarios, the path where
>> rogue-binary lives) But it is subjective
> I consider both tools as complementary and not as competitors, depending on
> the use case.
> Cheers,
> Julien
> --
>  .''`.   Julien Valroff ~ <julien at kirya.net> ~ <julien at debian.org>
>  : :'  :  Debian Developer & Free software contributor
>  `. `'`   http://www.kirya.net/
>   `-     4096R/ E1D8 5796 8214 4687 E416  948C 859F EF67 258E 26B1

More information about the forensics-devel mailing list