Unhide is a forensic tool that finds processes and TCP/UDP ports hidden by rootkits, LKMs, or other hiding techniques.
// Unhide (ps)
Detects hidden processes. Implements six techniques:
* Compare /proc vs /bin/ps output
* Compare info gathered from /bin/ps with info gathered by walking through the procfs.
* Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
* Full PID space occupation (PID brute forcing)
* Reverse search: verify that all threads seen by ps are also seen by the kernel (/bin/ps output vs /proc, procfs walking and syscall)
* Quick compare: /proc, procfs walking and syscall vs /bin/ps output.
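The syscall-scanning comparison from the list above, as an added example that is not Unhide's own code: each PID is probed through several syscalls and the answer is compared with a listing view. Assumptions: the listing side reads /proc instead of parsing /bin/ps output, the function names are this example's own, and `tampered_view` is a constructed listing that omits the running process.

```c
/* Added example, not Unhide's source: syscall view vs. listing view of a PID. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

typedef int (*view_fn)(pid_t);  /* returns 1 if the view shows this PID */
static pid_t hits[64];

/* Kernel view: a call that does not fail with ESRCH proves the PID exists. */
int seen_by_syscalls(pid_t pid) {
    if (pid <= 0) return 0;
    if (kill(pid, 0) == 0 || errno == EPERM) return 1;
    if (getpgid(pid) != -1 || getsid(pid) != -1) return 1;
    if (sched_getscheduler(pid) != -1) return 1;
    errno = 0;                  /* -1 is a valid priority, so test errno */
    (void)getpriority(PRIO_PROCESS, (id_t)pid);
    return errno == 0;
}

/* Listing view: the /proc entry a ps-style tool would read (assumption: /proc
   stands in for /bin/ps output here). stat() also reaches thread IDs. */
int visible_in_proc(pid_t pid) {
    char path[32];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d", (int)pid);
    return stat(path, &st) == 0;
}

/* Constructed for the demo: a listing that omits our own PID. */
int tampered_view(pid_t pid) { return pid != getpid() && visible_in_proc(pid); }

/* PIDs in [lo, hi] that syscalls see but the listing does not. Each hit is
   re-probed so a process that exited mid-scan is not reported. */
int find_hidden(pid_t lo, pid_t hi, view_fn listed, pid_t *out, int cap) {
    int n = 0;
    for (pid_t p = lo; p <= hi && n < cap; p++)
        if (seen_by_syscalls(p) && !listed(p) && seen_by_syscalls(p))
            out[n++] = p;
    return n;
}

int main(void) {
    printf("tampered: %d\n", find_hidden(getpid(), getpid(), tampered_view, hits, 64));
    printf("real 1..32768: %d\n", find_hidden(1, 32768, visible_in_proc, hits, 64));
    return 0;
}
```

A nonzero count from the real /proc scan is a lead to investigate, not proof of a rootkit: a process that starts and exits between the probes can still slip past the re-check.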
// Unhide-TCP
Identifies TCP/UDP ports that are listening but not listed by /bin/netstat, by brute forcing all available TCP/UDP ports.