Unhide.rb is a tool that attempts to find processes hidden by rootkits. It does that by scanning for processes in many different ways, and then lists processes found through some means but not through others.
Unhide.rb is a reimplementation of unhide in Ruby. On 2013jan13, the relationships between the two programs are:
* Unhide.rb does the same checks as "unhide procall" and "unhide sys" plus some more.
* Unhide.rb is about 14x faster than the original C code (7s vs 100s on my system).
* Unhide.rb is only about a tenth as much code (437 lines vs 5100 lines) as the original C code, so it should be easier to maintain / extend.
* Unhide.rb actively tries to avoid false positives when hidden processes are found.
The original unhide can be found here:
http://
Project information
- Maintainer:
- Johan Walles
- Driver:
- Not yet selected
- Development focus:
- Programming Languages:
- Ruby
- Licences:
-
GNU GPL v3
()
View full history Series and milestones
unhide.rb trunk series is the current focus of development
All bugs Latest bugs reported
-
Bug #1077573: in `<module:LibC>': uninitialized constant DL::Importable
Reported on 2012-11-11 -
Bug #806405: False positive when process started by running a symlink to the binary
Reported on 2011-07-06
All packages Packages in Distributions
-
“unhide.rb” source package in Trusty
Version 22-1 uploaded on 2013-02-15 -
“unhide.rb” source package in Saucy
Version 22-1 uploaded on 2013-02-15 -
“unhide.rb” source package in Raring
Version 13-1.1 uploaded on 2012-12-06 -
“unhide.rb” source package in Quantal
Version 13-1 uploaded on 2011-07-09 -
“unhide.rb” source package in Precise
Version 13-1 uploaded on 2011-07-09
