unhide — forensic tool to find hidden processes
unhide-linux26 proc | sys | brute
unhide-posix proc | sys
unhide is a forensic tool to find processes hidden by rootkits, Linux
kernel modules or by other techniques. It detects hidden processes
using three techniques:
The proc technique consists of comparing /proc with the output of
The sys technique consists of comparing information gathered from
/bin/ps with information gathered from system calls.
The brute technique consists of brute-forcing all process IDs. This
technique is only available on Linux 2.6 kernels.
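
The cross-view comparison behind the proc and brute techniques can be sketched as follows. This is an added illustration, not code from unhide: all function names are hypothetical, and it assumes a procps-style ps and a PID range ending at 32768.

```python
#!/usr/bin/env python3
"""Cross-view check for hidden PIDs (added illustration, not unhide's code)."""
import errno
import os
import subprocess


def parse_ps(text):
    """PIDs from `ps -o pid=` style output: one number per line."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def proc_pids(root="/proc"):
    """Thread-group leaders listed as numeric directories under /proc."""
    return {int(name) for name in os.listdir(root) if name.isdigit()}


def syscall_sees(pid):
    """True if a system call answers for this ID; only ESRCH means 'absent'."""
    for call in (os.getpgid, os.getsid, lambda p: os.kill(p, 0)):
        try:
            call(pid)
            return True
        except OSError as exc:
            if exc.errno != errno.ESRCH:
                return True  # e.g. EPERM: the process exists but is not ours
    return False


def missing_from_ps(reference, ps_view):
    """IDs that one view reports and ps does not: candidates for hiding."""
    return sorted(set(reference) - set(ps_view))


def scan(max_pid=32768):  # assumed upper bound; see /proc/sys/kernel/pid_max
    """Compare /proc and a syscall sweep against live ps output."""
    def ps(*args):
        out = subprocess.run(["ps", *args], capture_output=True, text=True, check=True)
        return parse_ps(out.stdout)
    by_proc = missing_from_ps(proc_pids(), ps("-e", "-o", "pid="))
    # These calls also answer for thread IDs, so compare against ps -L output.
    swept = [p for p in range(1, max_pid) if syscall_sees(p)]
    by_brute = missing_from_ps(swept, ps("-e", "-L", "-o", "lwp="))
    # Re-test survivors: a process that started or exited mid-scan is a race.
    again = ps("-e", "-L", "-o", "lwp=")
    return ([p for p in by_proc if p not in again and os.path.isdir(f"/proc/{p}")],
            [p for p in by_brute if p not in again and syscall_sees(p)])


if __name__ == "__main__":
    print("missing from ps (proc view, syscall sweep):", scan())
```

Two empty lists are the expected result; an ID that survives the re-test is a lead to investigate with a trusted ps binary, since the ps on a compromised host may itself be modified.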
This manual page was written by Francois Marier firstname.lastname@example.org for
the Debian system (but may be used by others). Permission is granted to
copy, distribute and/or modify this document under the terms of the GNU
General Public License, Version 3 or any later version published by the
Free Software Foundation.
On Debian systems, the complete text of the GNU General Public License
can be found in /usr/share/common-licenses/GPL.