2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
The editor shares how to hide a Linux process. Most people know little about it, so the article is offered for reference; I hope you get something out of it.
Friends keep asking me how to hide a Linux process, and I ask them how thoroughly they want it hidden: the big way, inside the kernel, or the small way, in user space. The discussions online boil down to hooking procfs or similar user-mode schemes, and they are inevitably long-winded. Those approaches are too big and too complicated; anyone who just wants to see a result will most likely be put off by such a pile of machinery.
Here is an unconventional way to hide a process from the user, in a single line of code:
just modify the process's pid.
Note that this is minor concealment (小隐), not worth mounting countermeasures against; it is for playing a prank on the senior ops engineer.
    target->pid = 0x7fffffff;
The complete script is as follows:
    #!/usr/bin/stap -g
    # hide.stp
    global pid;

    # Embedded C (guru mode, hence -g): look the task up by pid and overwrite
    # its pid field so the /proc listing no longer matches it.
    function hide(who:long)
    %{
        struct task_struct *target;
        target = pid_task(find_vpid(STAP_ARG_who), PIDTYPE_PID);
        if (target)  /* no such pid: do nothing rather than dereference NULL */
            target->pid = 0x7fffffff;
    %}

    probe begin
    {
        pid = $1;   # the pid to hide, passed on the command line
        hide(pid);
        exit();
    }
Let's try it:
    [root@localhost system]# ./tohide &
    [1] 403
    [root@localhost system]# ./hide.stp 403
    [root@localhost system]#
You can verify this with the following command, which walks every numeric entry in /proc and prints the executable behind it; any tool that enumerates processes by reading the /proc listing behaves the same way:
    for pid in $(ls /proc | awk '/^[0-9]+/ {print $1}'); do ls -l /proc/$pid/exe; done
Since the task no longer appears in the procfs listing, ps naturally cannot see it either.
If you find stap's guru mode too exotic, you can write a standalone Linux kernel module instead and use the "modify, then withdraw" approach: in the module's init function, do
    target->pid = xxxx;
    return -1;
Because init returns an error, the module is never left loaded: the pid has been changed and the module is gone. Isn't that far simpler than all the hook-based methods? This is what I call moving data rather than moving code.
A brief description of the principle:
When a task is created, its entry in procfs is keyed by its pid.
When the procfs directory is listed, the kernel walks the task list and matches each task to an entry using the pid as the key.
0x7fffffff (or any other plausible value) was never registered as a key, so the task matches nothing and cannot be displayed.
Two caveats for anyone who wants to rely on this. First, whether the listing code keys on task_struct->pid at all depends on the kernel version, so test the trick on the kernel you actually run, and remember that the task is left with a pid field matching nothing, which is not something to do on a box you care about. Second, the kernel's own pid bookkeeping, struct pid, is untouched; that is precisely why the script could locate the task with find_vpid() in the first place. Direct addressing by the original pid therefore still resolves: kill -0 403 succeeds and /proc/403 can be opened by name even though ls /proc omits it, so a scanner that brute-forces pids and compares against the directory listing will flag the discrepancy. That is what makes it minor concealment.
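The /proc directory listing is only one of the kernel's views of its processes. The pid table that the hiding script itself relied on (find_vpid) still resolves the original pid, so a defender can probe every pid from 1 to pid_max with kill(pid, 0), which delivers nothing but succeeds (or fails with EPERM) whenever the pid exists, and compare the answers with readdir("/proc"); this is the approach the unhide tool takes. The following is an added example written for this page, not code from the original article; its function and variable names are its own, and it reads the live /proc of the machine it runs on.

```c
/* Added example (not from the original article): report pids the kernel's
 * pid table still resolves but the /proc listing no longer shows, which is
 * exactly the footprint "minor concealment" by pid rewriting leaves behind.
 * Names here are this example's own. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Keep only purely numeric names (pid directories); returns count written. */
size_t parse_proc_names(const char **names, size_t n, pid_t *out, size_t max)
{
    size_t count = 0;
    for (size_t i = 0; i < n && count < max; i++) {
        const char *p = names[i];
        if (*p == '\0')
            continue;
        while (isdigit((unsigned char)*p))
            p++;
        if (*p == '\0')
            out[count++] = (pid_t)strtol(names[i], NULL, 10);
    }
    return count;
}

/* Does the pid table know this pid?  Signal 0 is a pure existence probe:
 * success or EPERM both mean the pid resolved to a task. */
int pid_reachable(pid_t pid)
{
    return kill(pid, 0) == 0 || errno == EPERM;
}

/* Tgid from /proc/<pid>/status, opened by direct path (no readdir involved).
 * Returns -1 if the file cannot be read. */
long tgid_of(pid_t pid)
{
    char path[64], line[128];
    long tgid = -1;
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid: %ld", &tgid) == 1)
            break;
    fclose(f);
    return tgid;
}

/* The kernel's pid_max, with the classic default as a fallback. */
pid_t read_pid_max(void)
{
    long v = 0;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) {
        if (fscanf(f, "%ld", &v) != 1)
            v = 0;
        fclose(f);
    }
    return v > 0 ? (pid_t)v : 32768;
}

/* Scan [lo, hi]: report pids that answer kill() but are absent from the
 * /proc listing.  Threads answer kill() too yet live under /proc/<tgid>/task,
 * so a tid whose group leader is listed is not a suspect. */
size_t find_unlisted(pid_t lo, pid_t hi, pid_t *out, size_t max)
{
    if (lo < 1 || hi < lo)
        return 0;
    unsigned char *listed = calloc((size_t)hi + 1, 1);
    if (!listed)
        return 0;
    DIR *d = opendir("/proc");          /* the view ps and ls /proc get */
    if (d) {
        struct dirent *e;
        while ((e = readdir(d)) != NULL) {
            const char *name = e->d_name;
            pid_t p;
            if (parse_proc_names(&name, 1, &p, 1) == 1 && p >= 0 && p <= hi)
                listed[p] = 1;
        }
        closedir(d);
    }
    size_t count = 0;
    for (pid_t pid = lo; pid <= hi && count < max; pid++) {
        if (listed[pid] || !pid_reachable(pid))
            continue;
        long tgid = tgid_of(pid);
        if (tgid > 0 && tgid != pid && tgid <= hi && listed[tgid])
            continue;
        out[count++] = pid;
    }
    free(listed);
    return count;
}

int main(void)
{
    pid_t max = read_pid_max(), suspects[256];
    size_t n = find_unlisted(1, max, suspects, 256);
    printf("pids 1..%ld: %zu reachable but not listed in /proc\n", (long)max, n);
    for (size_t i = 0; i < n; i++)
        printf("  pid %ld answers kill(pid, 0) but is missing from ls /proc\n",
               (long)suspects[i]);
    return 0;
}
```

Run it as root so kill(pid, 0) is not refused for other users' processes, and run it twice: a process that exits between the readdir pass and the kill() probe shows up once as a transient false positive, while a pid hidden by rewriting task->pid is reported on every pass.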
That is all there is to "how to hide Linux processes". Thank you for reading!