Unhide.rb is a tool that attempts to find processes hidden by rootkits. It does that by scanning for processes in many different ways, and then lists processes found through some means but not through others.
Unhide.rb is a reimplementation of unhide in Ruby. On 2013jan13, the relationships between the two programs are:
* Unhide.rb does the same checks as "unhide procall" and "unhide sys" plus some more.
* Unhide.rb is about 14x faster than the original C code (7s vs 100s on my system).
* Unhide.rb is only about a tenth as much code (437 lines vs 5100 lines) as the original C code, so it should be easier to maintain / extend.
* Unhide.rb actively tries to avoid false positives when hidden processes are found.
The original unhide can be found here:
http://
View full history Series and milestones
trunk series is the current focus of development.
All code Code
- Version control system:
- Bazaar
- Programming languages:
- Ruby
All packages Packages in Distributions
-
unhide.rb source package in Xenial
Version 22-2 uploaded on 2015-11-09 -
unhide.rb source package in Trusty
Version 22-1 uploaded on 2013-02-15 -
unhide.rb source package in Precise
Version 13-1 uploaded on 2011-07-09 -
unhide.rb source package in Focal
Version 22-4 uploaded on 2018-12-16 -
unhide.rb source package in Eoan
Version 22-4 uploaded on 2018-12-16
All bugs Latest bugs reported
-
Bug #1420897: unhide.rb Requires DL, Which Has Been Deprecated
Reported on 2015-02-11 -
Bug #1077573: in `<module:LibC>': uninitialized constant DL::Importable
Reported on 2012-11-11 -
Bug #806405: False positive when process started by running a symlink to the binary
Reported on 2011-07-06
