writing a program for hiding processes from ps command result
I believe most root-kits would include something like this, and that root-kits are the only reason I can think of for writing something like this.
If you see some other, more valid, use, please enlighten me. (Honey pots are not a good answer, since you're much better off running them in a virtual machine observed from the outside in the first place.)
writing a program for hiding processes from ps command result
I believe most root-kits would include something like this, and that root-kits are the only reason I can think of for writing something like this.
If you see some other, more valid, use, please enlighten me. (Honey pots are not a good answer, since you're much better off running them in a virtual machine observed from the outside in the first place.)
How to Hide/Change name Processes called in Bash Script from ps
Linux provides information about running processes in a variety of places in the /proc
filesystem. Most of these are hard to spoof, without a lot of work. In general, you would have to modify the system execution environment, and even then you might not be able to hide the information completely.
In a comment, @sjsam provides a link to an article which shows how to use the preload mechanism to intercept calls which would open the /proc
filesystem, and use that to hide information about specific processes. However, as that article also points out, there are other mechanisms for acquiring process information.
There are four /proc
entries which hold relevant information: (In all the following, PID
should be replaced with the numeric PID of the process.)
/proc/PID/cmdline
: This is the easiest to spoof, since it shows theargv
array (or, more accurately, the first 4,096 bytes of theargv
array), in whichargv[0]
is presented as the command name. With the bashexec
built-in, you can provide anything you want as the value ofargv[0]
using the-a
flag. (This is a bash extension. It may not be present in other shells.) So you could simply use:exec -a SpoofedName RealCommandName arg...
Since this is the default source of information for
ps
, it will hide the command name (but not the arguments) from a casual use ofps
./proc/PID/stat
and/proc/PID/status
: These show status information forPID
; the first one is in a format easy for programs to parse, and the second one in a format easier for human beings to read. Both show the actual filename of the process executable. This is the source of information for thecomm
selector inps
, and also for the process name intop
.You can spoof this name by creating a symlink to the executable, and executing the symlink instead of the original file. That will take care of
ps -ocomm
andtop
/proc/PID/exe
: This is a symlink to the actual executable. I don't believe there is a simple way of spoofing this value, other than actually copying the executable to a new file and executing that file (which is not really a spoof). However, as far as I know, it is not used by any command-line utility which shows process information. The user would need to type something like:ls -ld /proc/8325/exe
or
readlink /proc/8325/exe
to see the filename of the executable.
How to run a PowerShell script without displaying a window?
You can either run it like this (but this shows a window for a while):
PowerShell.exe -WindowStyle hidden { your script.. }
Or you use a helper file I created to avoid the window called PsRun.exe that does exactly that. You can download the source and exe file from Run scheduled tasks with WinForm GUI in PowerShell. I use it for scheduled tasks.
Edited: as Marco noted this -WindowStyle
parameter is available only for V2 and above.
How to hide execl() arguments from ps?
Alternative solution:
Bash content can be piped and thus hidden from ps
script="script goes here"
echo $script | bash
Mitigated solution:
This is not a perfect solution, but it will answer the question, this code will create an shc_x.c
under /tmp build it, then preload it with environment variable.
shc_x.c, inject the bash sh content to ******** argument by replacing it and change the location of child commands arguments and thus hide them from ps as well.
shc_x.c: (this file is generated with the second code)
/*
* Copyright 2019 - Intika <intika@librefox.org>
* Replace ******** with secret read from fd 21
* Also change arguments location of sub commands (sh script commands)
* gcc -Wall -fpic -shared -o shc_secret.so shc_secret.c -ldl
*/
#define _GNU_SOURCE /* needed to get RTLD_NEXT defined in dlfcn.h */
#define PLACEHOLDER "********"
#include <dlfcn.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>
#include <signal.h>
static char secret[128000]; //max size
typedef int (*pfi)(int, char **, char **);
static pfi real_main;
// copy argv to new location
char **copyargs(int argc, char** argv){
char **newargv = malloc((argc+1)*sizeof(*argv));
char *from,*to;
int i,len;
for(i = 0; i<argc; i++){
from = argv[i];
len = strlen(from)+1;
to = malloc(len);
memcpy(to,from,len);
// zap old argv space
memset(from,'\0',len);
newargv[i] = to;
argv[i] = 0;
}
newargv[argc] = 0;
return newargv;
}
static int mymain(int argc, char** argv, char** env) {
//fprintf(stderr, "Inject main argc = %d\n", argc);
return real_main(argc, copyargs(argc,argv), env);
}
int __libc_start_main(int (*main) (int, char**, char**),
int argc,
char **argv,
void (*init) (void),
void (*fini)(void),
void (*rtld_fini)(void),
void (*stack_end)){
static int (*real___libc_start_main)() = NULL;
int n;
if (!real___libc_start_main) {
real___libc_start_main = dlsym(RTLD_NEXT, "__libc_start_main");
if (!real___libc_start_main) abort();
}
n = read(21, secret, sizeof(secret));
if (n > 0) {
int i;
if (secret[n - 1] == '\n') secret[--n] = '\0';
for (i = 1; i < argc; i++)
if (strcmp(argv[i], PLACEHOLDER) == 0)
argv[i] = secret;
}
real_main = main;
return real___libc_start_main(mymain, argc, argv, init, fini, rtld_fini, stack_end);
}
On the main c application:
static const char * shc_x[] = {
"/*",
" * Copyright 2019 - Intika <intika@librefox.org>",
" * Replace ******** with secret read from fd 21",
" * Also change arguments location of sub commands (sh script commands)",
" * gcc -Wall -fpic -shared -o shc_secret.so shc_secret.c -ldl",
" */",
"",
"#define _GNU_SOURCE /* needed to get RTLD_NEXT defined in dlfcn.h */",
"#define PLACEHOLDER \"********\"",
"#include <dlfcn.h>",
"#include <stdlib.h>",
"#include <string.h>",
"#include <unistd.h>",
"#include <stdio.h>",
"#include <signal.h>",
"",
"static char secret[128000]; //max size",
"typedef int (*pfi)(int, char **, char **);",
"static pfi real_main;",
"",
"// copy argv to new location",
"char **copyargs(int argc, char** argv){",
" char **newargv = malloc((argc+1)*sizeof(*argv));",
" char *from,*to;",
" int i,len;",
"",
" for(i = 0; i<argc; i++){",
" from = argv[i];",
" len = strlen(from)+1;",
" to = malloc(len);",
" memcpy(to,from,len);",
" // zap old argv space",
" memset(from,'\\0',len);",
" newargv[i] = to;",
" argv[i] = 0;",
" }",
" newargv[argc] = 0;",
" return newargv;",
"}",
"",
"static int mymain(int argc, char** argv, char** env) {",
" //fprintf(stderr, \"Inject main argc = %d\\n\", argc);",
" return real_main(argc, copyargs(argc,argv), env);",
"}",
"",
"int __libc_start_main(int (*main) (int, char**, char**),",
" int argc,",
" char **argv,",
" void (*init) (void),",
" void (*fini)(void),",
" void (*rtld_fini)(void),",
" void (*stack_end)){",
" static int (*real___libc_start_main)() = NULL;",
" int n;",
"",
" if (!real___libc_start_main) {",
" real___libc_start_main = dlsym(RTLD_NEXT, \"__libc_start_main\");",
" if (!real___libc_start_main) abort();",
" }",
"",
" n = read(21, secret, sizeof(secret));",
" if (n > 0) {",
" int i;",
"",
" if (secret[n - 1] == '\\n') secret[--n] = '\\0';",
" for (i = 1; i < argc; i++)",
" if (strcmp(argv[i], PLACEHOLDER) == 0)",
" argv[i] = secret;",
" }",
"",
" real_main = main;",
"",
" return real___libc_start_main(mymain, argc, argv, init, fini, rtld_fini, stack_end);",
"}",
"",
0};
#include <sys/stat.h>
#include <sys/types.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <signal.h>
#include <sys/prctl.h>
#define PR_SET_PTRACER 0x59616d61
#include <stddef.h>
#include <sys/syscall.h>
#include <sys/socket.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/audit.h>
void shc_x_file() {
FILE *fp;
int line = 0;
if ((fp = fopen("/tmp/shc_x.c", "w")) == NULL ) {exit(1); exit(1);}
for (line = 0; shc_x[line]; line++) fprintf(fp, "%s\n", shc_x[line]);
fflush(fp);fclose(fp);
}
int make() {
char * cc, * cflags, * ldflags;
char cmd[4096];
cc = getenv("CC");
if (!cc) cc = "cc";
sprintf(cmd, "%s %s -o %s %s", cc, "-Wall -fpic -shared", "/tmp/shc_x.so", "/tmp/shc_x.c -ldl");
if (system(cmd)) {remove("/tmp/shc_x.c"); return -1;}
remove("/tmp/shc_x.c"); return 0;
}
int main(int argc, char ** argv)
{
shc_x_file();
if (make()) {exit(1);}
setenv("LD_PRELOAD","/tmp/shc_x.so",1);
// rest of the code execl etc...
}
Note: arguments can always be recovered by many ways, this code just makes it a little bit more complicated to reverse.
How to wait for a child process to finish in Node.js
You should use exec-sync
That allow your script to wait that you exec is done
really easy to use:
var execSync = require('exec-sync');
var user = execSync('python celulas.py');
Take a look at:
https://www.npmjs.org/package/exec-sync
Related Topics
Logrotate to Clean Up Date Stamped Files
Simple Way to Convert Hh:Mm:Ss (Hours:Minutes:Seconds.Split Seconds) to Seconds
How to Parse Netstat Command in Order to Get Process Name and Pid from It
Segfault with Rip-Relative Addressing on Linux
Bash Echo with an $ Character Outside the String
Explicitly Invoke Sig_Dfl/Sig_Ign Handlers on Linux
Split Fasta Files Based on Header
How to Divide in the Linux Console
Rsync - Mkstemp Failed: Permission Denied (13)
Genymotion Throws Libssl_Conf.So: Cannot Open Shared Object File: No Such File or Directory