DEV Community

fx2301
Process hiding in Linux

Why?

You want to evade detection post-compromise of a host, and have your process show up as something innocuous when someone inspects /proc or ps.

When?

Your host is Linux, and your executable is written in C or in a language with FFI support.

How?

There are two classes of data to spoof:

  1. The contents of /proc/pid/cmdline. This is what ps -f shows.
  2. The contents of /proc/pid/comm and the first line (Name:) of /proc/pid/status. This is what ps shows without -f.

In Nim

import os

proc NimMain() {.cdecl, importc.}

proc syscall(number: clong): clong
    {.importc, varargs, header: "sys/syscall.h".}
var NR_PRCTL
    {.importc: "__NR_prctl", header: "sys/syscall.h".}: cint
var PR_SET_NAME
    {.importc: "PR_SET_NAME", header: "sys/prctl.h".}: cint

# Replaces the C main that Nim would normally generate; build with --noMain
# so the two do not collide.
proc main(argc: cint, argv: cstringArray, envp: cstringArray): cint
        {.cdecl, exportc.} =
    NimMain()  # initialise the Nim runtime before touching any Nim module

    # comm is TASK_COMM_LEN (16) bytes including the terminating NUL, so
    # PR_SET_NAME keeps at most the first 15 characters of this string.
    const FAKE_COMMAND = "spoofed"

    # handles /proc/pid/comm and /proc/pid/status
    discard syscall(NR_PRCTL, PR_SET_NAME, cstring(FAKE_COMMAND))

    # handles /proc/pid/cmdline: overwrite argv[0] in place, then NUL out
    # the rest of its original extent (including the old terminator)
    let totalLength = len(argv[0])
    var i = 0
    for ch in FAKE_COMMAND:
        argv[0][i] = ch
        i += 1
    for j in i .. totalLength:
        argv[0][j] = '\x00'

    sleep(60000)  # stay alive for a minute so the result can be inspected
    return 0

  • Note that you'll need to compile this with --noMain, otherwise the Nim compiler emits its own C main alongside the one above.
  • Note that the argv strings and the envp strings are consecutive in memory, so a FAKE_COMMAND longer than the actual argv[0] overwrites the start of /proc/pid/environ. To work around this, ensure your executable has a longer name than the one you want to spoof as.
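Both spoofed views are writable by the process itself: comm lives in the task struct and is set through prctl(PR_SET_NAME), and the cmdline is simply the process's own argv memory. The /proc/pid/exe symlink, by contrast, is maintained by the kernel from the file actually executed, so a defender can compare the other two views against it. The following script does that; it is an added example, not code from the original post, and the sample views at the bottom are constructed rather than captured from a real host.

```python
#!/usr/bin/env python3
"""Flag processes whose /proc/<pid>/comm and cmdline disagree with /proc/<pid>/exe.

Added example (not part of the original post). Three views of a process are compared:
  - comm    : 15-char name, writable by the process via prctl(PR_SET_NAME)
  - cmdline : the argv area, writable by the process because it owns that memory
  - exe     : kernel-maintained symlink to the executed file, not writable from
              user space, so it is the reference the other two are checked against
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

COMM_MAX = 15  # TASK_COMM_LEN (16) minus the terminating NUL


@dataclass
class ProcView:
    pid: int
    comm: str            # /proc/<pid>/comm without the trailing newline
    cmdline: bytes       # raw /proc/<pid>/cmdline, NUL-separated
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None if unreadable


def names_agree(name: str, exe_base: str) -> bool:
    """True when `name` is a plausible self-description of exe_base.

    The prefix rule tolerates the kernel's 15-byte truncation of comm and
    versioned binaries reached through a symlink (python3 -> python3.11).
    """
    return bool(name) and exe_base.startswith(name)


def analyse(view: ProcView) -> List[str]:
    """Return human-readable findings for one process; an empty list means nothing unusual."""
    findings: List[str] = []
    if view.exe is None:
        return findings  # kernel threads have no exe; nothing to compare against

    exe_base = os.path.basename(view.exe.replace(" (deleted)", ""))

    # 1. comm is initialised from the exec'd path at execve(); a later
    #    prctl(PR_SET_NAME) is the usual cause of a mismatch.
    if not names_agree(view.comm, exe_base):
        findings.append(f"comm {view.comm!r} does not match basename(exe) {exe_base!r}")

    # 2. argv[0] normally names the executable, as a path or a bare name.
    args = view.cmdline.split(b"\x00")
    argv0 = os.path.basename(args[0].decode(errors="replace")) if args and args[0] else ""
    if argv0 and not names_agree(argv0, exe_base):
        findings.append(f"argv[0] {argv0!r} does not match basename(exe) {exe_base!r}")

    # 3. An argv area overwritten in place keeps its original length, so the
    #    cmdline reads back with a run of NUL padding after the new name.
    #    setproctitle()-style daemons leave the same artefact, so on its own
    #    this is only a weak signal.
    if view.cmdline.endswith(b"\x00\x00"):
        padding = len(view.cmdline) - len(view.cmdline.rstrip(b"\x00"))
        findings.append(f"cmdline ends in {padding} bytes of NUL padding")

    return findings


def read_proc(pid: int) -> Optional[ProcView]:
    """Build a ProcView from a live /proc entry; None if the process vanished or is unreadable."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm", "rb") as f:
            comm = f.read().rstrip(b"\n").decode(errors="replace")
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read()
    except OSError:
        return None
    try:
        exe: Optional[str] = os.readlink(f"{base}/exe")
    except OSError:
        exe = None  # kernel thread, or a process we lack ptrace access to
    return ProcView(pid, comm, cmdline, exe)


def scan_proc() -> Dict[int, List[str]]:
    """Scan every numeric /proc entry; returns {pid: findings} for flagged processes."""
    flagged: Dict[int, List[str]] = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            view = read_proc(int(name))
            if view is not None:
                found = analyse(view)
                if found:
                    flagged[view.pid] = found
    return flagged


# Constructed sample views (not captured from a real host), one per case.
SAMPLES = [
    # honest process: all three views agree
    ProcView(1001, "sleep", b"sleep\x0060\x00", "/usr/bin/sleep"),
    # process that renamed itself: comm and argv[0] say 'spoofed', exe does not,
    # and the argv area keeps its original length as NUL padding
    ProcView(1002, "spoofed", b"spoofed\x00" + b"\x00" * 14, "/tmp/realbinary"),
    # interpreter reached through a symlink: tolerated by the prefix rule
    ProcView(1003, "python3", b"python3\x00script.py\x00", "/usr/bin/python3.11"),
]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.pid, analyse(sample) or "ok")
    if os.path.isdir("/proc"):
        for pid, found in sorted(scan_proc().items()):
            print(pid, found)
```

Treat the output as a triage list rather than a verdict: multi-call binaries such as busybox, worker threads that rename themselves, and daemons that rewrite their title legitimately will all trip the first two checks, and the padding check fires for any setproctitle()-style process. What the script cannot be fooled by is the technique in this post, because neither prctl(PR_SET_NAME) nor writing to argv touches /proc/pid/exe. Reading exe for processes owned by other users needs root (or CAP_SYS_PTRACE), so run the live scan with sufficient privilege.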
