DEV Community

fx2301
Process hiding in Linux

Why?

You want to evade detection after compromising a host, by making your process look like something innocuous when someone inspects /proc or runs ps.

When?

Your host is Linux, and your executable is written in C or in a language with FFI support (the example below uses Nim).

How?

There are two classes of data to spoof:

  1. The contents of /proc/pid/cmdline: the argv strings the process was started with. This is what ps -f (and ps aux, pgrep -f) shows as the command line.
  2. The contents of /proc/pid/comm, which is also the Name: line of /proc/pid/status and the second field of /proc/pid/stat. This is the process name (at most 15 bytes) shown by ps without -f and by top, and matched by pgrep without -f.

In Nim

import os

proc NimMain() {.cdecl, importc.}

proc syscall(number: clong): clong
    {.importc, varargs, header: "sys/syscall.h".}
var NR_PRCTL
    {.importc: "__NR_prctl", header: "unistd.h".}: int
var PR_SET_NAME
    {.importc: "PR_SET_NAME", header: "sys/prctl.h".}: int

# Exported as the C entry point, so build with --nomain and call NimMain()
# ourselves to initialise the Nim runtime before using anything from os.
proc main(argc: cint, argv: cstringArray, envp: cstringArray): cint
        {.cdecl, exportc.} =
    NimMain()

    const FAKE_COMMAND = "spoofed"

    # handles /proc/pid/comm and the Name: line of /proc/pid/status;
    # the kernel keeps at most 15 bytes of the name (TASK_COMM_LEN - 1)
    discard syscall(NR_PRCTL, PR_SET_NAME, cstring(FAKE_COMMAND))

    # handles /proc/pid/cmdline by rewriting argv[0] in place; only the
    # bytes the original argv[0] occupied are touched, so a spoofed name
    # longer than the real one is refused rather than spilling into environ
    let totalLength = len(argv[0])
    if len(FAKE_COMMAND) > totalLength:
        return 1
    var i = 0
    for ch in FAKE_COMMAND:
        argv[0][i] = ch
        i += 1
    # NUL-fill the rest, including the position of the old terminator
    for j in i .. totalLength:
        argv[0][j] = '\x00'

    sleep(60000)   # 60 s to inspect with ps / cat /proc/<pid>/cmdline
    return 0
  • Note that you'll need to compile this with --nomain, since the proc above is exported as the C main and calls NimMain() itself.
  • Note that the argv strings and the environment strings are laid out consecutively in memory, so a FAKE_COMMAND longer than the real argv[0] would overwrite the start of /proc/pid/environ. To work around this, make sure the binary is invoked via a path (argv[0]) at least as long as the name you want to spoof as.
  • Only argv[0] is rewritten, so any arguments the process was started with stay visible in /proc/pid/cmdline.
  • PR_SET_NAME keeps at most 15 bytes, so a longer FAKE_COMMAND is silently truncated in /proc/pid/comm.
  • Neither step touches /proc/pid/exe, /proc/pid/maps or the open file descriptors, so the real binary is still visible to anyone who looks past ps.
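The same two steps in C, as an added example that is not part of the original post. It goes a little beyond the Nim code above: the cmdline overwrite covers the whole argv region (every argument, not only argv[0]) and refuses to write when the fake name does not fit, so the environment strings that follow argv in memory are never touched, and a small helper shows the 15-byte truncation the kernel applies to comm. The name "spoofed" and the 60 second sleep follow the post; the function names are mine.

```c
/* Added example, not code from the original post: the same two spoofing
 * steps in C.  The /proc/pid/cmdline overwrite covers the whole argv region
 * (every argument, not only argv[0]) and refuses to write when the fake name
 * does not fit, so it never spills into the environment strings that follow
 * argv in memory.  Linux only. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>

/* TASK_COMM_LEN is 16 in the kernel: comm holds at most 15 bytes plus NUL. */
#define COMM_MAX 15

/* Copy `fake` into `out` truncated the way PR_SET_NAME will truncate it, so
 * the caller knows in advance what /proc/pid/comm will read back. */
size_t comm_name(const char *fake, char out[COMM_MAX + 1]) {
    size_t n = 0;
    while (n < COMM_MAX && fake[n] != '\0') n++;
    memcpy(out, fake, n);
    out[n] = '\0';
    return n;
}

/* Length of the contiguous block that /proc/pid/cmdline is read from: from
 * the first byte of argv[0] to the NUL after argv[argc-1].  Assumes the
 * layout execve() sets up, where the argv strings sit back to back and the
 * environment strings follow immediately after. */
size_t argv_region_len(int argc, char **argv) {
    if (argc < 1) return 0;
    char *end = argv[argc - 1] + strlen(argv[argc - 1]) + 1;
    return (size_t)(end - argv[0]);
}

/* Overwrite the whole argv region with `fake` followed by NULs.  Returns the
 * number of bytes rewritten, or -1 (touching nothing) if `fake` plus its NUL
 * does not fit: one byte more and we would start clobbering environ. */
long spoof_cmdline(int argc, char **argv, const char *fake) {
    size_t region = argv_region_len(argc, argv);
    size_t need = strlen(fake) + 1;
    if (region == 0 || need > region) return -1;
    memset(argv[0], 0, region);          /* also wipes argv[1..argc-1] */
    memcpy(argv[0], fake, need - 1);
    return (long)region;
}

/* Set comm with prctl(PR_SET_NAME) and read /proc/self/comm back to confirm.
 * `readback` must hold COMM_MAX + 2 bytes (name, newline, NUL). */
int spoof_comm(const char *fake, char *readback) {
    if (prctl(PR_SET_NAME, fake, 0, 0, 0) != 0) return -1;
    FILE *f = fopen("/proc/self/comm", "r");
    if (f == NULL) return -1;
    if (fgets(readback, COMM_MAX + 2, f) == NULL) { fclose(f); return -1; }
    fclose(f);
    readback[strcspn(readback, "\n")] = '\0';
    return 0;
}

int main(int argc, char **argv) {
    const char *fake = "spoofed";
    char comm[COMM_MAX + 2];

    if (spoof_comm(fake, comm) == 0)
        fprintf(stderr, "comm is now \"%s\"\n", comm);

    long n = spoof_cmdline(argc, argv, fake);
    if (n < 0)
        fprintf(stderr, "\"%s\" does not fit in argv; start the binary via a longer path\n", fake);
    else
        fprintf(stderr, "rewrote %ld bytes of argv\n", n);

    sleep(60);   /* time to inspect: ps -f, cat /proc/<pid>/cmdline, cat /proc/<pid>/comm */
    return 0;
}
```

Build with `cc -o hide hide.c`, start it as `./hide some args`, and compare `cat /proc/$(pgrep -x spoofed)/cmdline | tr '\0' ' '` with `ps -fp $(pgrep -x spoofed)`. Because the region is NUL-filled rather than shrunk, tools that render each NUL as a space may show trailing blanks after the fake name; that trailing padding is itself something a defender can look for.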
