unhide - Forensic tool to find hidden processes and ports

Property Value
Distribution Debian 9 (Stretch)
Repository Debian Main amd64
Package name unhide
Package version 20130526
Package release 1
Package architecture amd64
Package type deb
Installed size 137 B
Download size 50.73 KB
Official Mirror ftp.br.debian.org
Unhide is a forensic tool to find processes and TCP/UDP ports hidden by
rootkits, Linux kernel modules or by other techniques. It includes two
utilities: unhide and unhide-tcp.

unhide detects hidden processes using the following six techniques:
* Compare /proc vs /bin/ps output
* Compare info gathered from /bin/ps with info gathered by walking through the
* Compare info gathered from /bin/ps with info gathered from syscalls
  (syscall scanning).
* Full PIDs space occupation (PIDs bruteforcing)
* Reverse search, verify that all threads seen by ps are also seen by the
  kernel (/bin/ps output vs /proc, procfs walking and syscall)
* Quick compare /proc, procfs walking and syscall vs /bin/ps output

unhide-tcp identifies TCP/UDP ports that are listening but are not listed in
/bin/netstat through brute forcing of all TCP/UDP ports available.

This package can be used by rkhunter in its daily scans.
This package is useful for network security checks, in addition to forensics


Package Version Architecture Repository
unhide_20130526-1_i386.deb 20130526 i386 Debian Main


Name Value
libc6 >= 2.14


Type URL
Binary Package unhide_20130526-1_amd64.deb
Source Package unhide

Install Howto

  1. Update the package index:
    # sudo apt-get update
  2. Install unhide deb package:
    # sudo apt-get install unhide




2015-10-24 - Giovani Augusto Ferreira <giovani@riseup.net>
unhide (20130526-1) unstable; urgency=medium
* Team upload.
* New upstream release
* DH level to 9.
* debian/control:
- Added ${shlibs:Depends} in Depends.
- Bumped Standards-Version to 3.9.6.
- Fix VCS fields.
- Improved long description.
- Updated Priority and Architecture fields.
* debian/copyright:
- Reviewed and updated some information.
* debian/patches/fix-man:
- Rewritten and updated patch fixing minor formatting
error in the manpages.
* debian/rules:
- Made some changes to implement GCC hardening.
- Improved compilation parameters in GCC command and
removed useless link static parameter. (Closes: #769345)
* debian/unhide.docs:
- New docs included: LEEME.txt, LISEZ-MOI.TXT and NEWS.
* debian/unhide.links:
- Added a link to unhide_rb manpage.
- Fixed link to /usr/sbin/unhide.
* debian/unhide.lintian-overrides: useless overrides, removed.
* debian/watch: improved the syntax.
2013-02-15 - Julien Valroff <julien@debian.org>
unhide (20121229-1) unstable; urgency=low
* New upstream release
* Add unhide_rb and unhide-posix to the package
2012-03-09 - Julien Valroff <julien@debian.org>
unhide (20110113-4) unstable; urgency=low
* Update DEP-5 URI to the final location 
* Use unhide-2.6 features unconditionally since Debian doesn't support
pre-2.6 Linux kernels. As a consequence, drop use of alternatives, and
ship unhide-2.6 as unhide (Closes: #662588)
* Update to latest policy 3.9.3
2011-10-25 - Julien Valroff <julien@debian.org>
unhide (20110113-3) unstable; urgency=low
* Make the package arch: linux-any as sysinfo system call is not 
available on kfreebsd 
* Drop some lintian overrides now that FTP Masters use lintian 2.5.0 
* Update DEP-5 uri
* Update package description to state all 6 techniques used to detect hidden
2011-06-01 - Julien Valroff <julien@debian.org>
unhide (20110113-2) unstable; urgency=low
* Previous version was rejected as FTP Masters still use lintian 
2.4.x - hence re-add older overrides in this version
2011-06-01 - Julien Valroff <julien@debian.org>
unhide (20110113-1) unstable; urgency=low
[ Christophe Monniez ]
* Merging upstream version 20100819 (Closes: #607374)
* Removing isfaked-leaks patch as it seems useless now.
* Fixing watch file (thanks to Guillaume Delacour).
* Removing quilt option in rules.
* Fixing watch file.
[ Julien Valroff ]
* Add myself as uploader
* Imported Upstream version 20110113
* Update project homepage
* Fix VCS fields
* Update to new policy 3.9.2 (no changes needed)
* Use 3.0 (quilt) source package format
* Add rkhunter-propupd trigger call
* Update lintian overrides for newer lintian versions
* Remove unused ${shlibs:Depends} substitution variable
* Use upstream manpages 
* Add README.txt and TODO files to the package 
* Bump debhelper compat to 8 
* Add patch to fix minor formatting warnings in manpages 
* Update copyright information 
2010-03-30 - Michael Prokop <mika@debian.org>
unhide (20100201-1) unstable; urgency=low
[ Christophe Monniez ]
* Merging upstream version 20100201.
* Refactoring isfaked-leaks patch.
* Adding support for pthread at compilation time.
* Updating the debhelper build-depends (should fix a lintian warning).
* Bumping standards-version to 3.8.4.
* Adjusting quilt build dependency to make lintian happy.
2009-07-29 - Daniel Baumann <daniel@debian.org>
unhide (20080519-6) unstable; urgency=low
* Setting uploaders to Christophe.
