writing a program for hiding processes from ps command result
I believe most root-kits would include something like this, and that root-kits are the only reason I can think of for writing something like this.
If you see some other, more valid, use, please enlighten me. (Honey pots are not a good answer, since you're much better off running them in a virtual machine observed from the outside in the first place.)
writing a program for hiding processes from ps command result
I believe most root-kits would include something like this, and that root-kits are the only reason I can think of for writing something like this.
If you see some other, more valid, use, please enlighten me. (Honey pots are not a good answer, since you're much better off running them in a virtual machine observed from the outside in the first place.)
How to Hide/Change name Processes called in Bash Script from ps
Linux provides information about running processes in a variety of places in the /proc filesystem. Most of these are hard to spoof, without a lot of work. In general, you would have to modify the system execution environment, and even then you might not be able to hide the information completely.
In a comment, @sjsam provides a link to an article which shows how to use the preload mechanism to intercept calls which would open the /proc filesystem, and use that to hide information about specific processes. However, as that article also points out, there are other mechanisms for acquiring process information.
There are four /proc entries which hold relevant information: (In all the following, PID should be replaced with the numeric PID of the process.)
/proc/PID/cmdline: This is the easiest to spoof, since it shows theargvarray (or, more accurately, the first 4,096 bytes of theargvarray), in whichargv[0]is presented as the command name. With the bashexecbuilt-in, you can provide anything you want as the value ofargv[0]using the-aflag. (This is a bash extension. It may not be present in other shells.) So you could simply use:exec -a SpoofedName RealCommandName arg...Since this is the default source of information for
ps, it will hide the command name (but not the arguments) from a casual use ofps./proc/PID/statand/proc/PID/status: These show status information forPID; the first one is in a format easy for programs to parse, and the second one in a format easier for human beings to read. Both show the actual filename of the process executable. This is the source of information for thecommselector inps, and also for the process name intop.You can spoof this name by creating a symlink to the executable, and executing the symlink instead of the original file. That will take care of
ps -ocommandtop/proc/PID/exe: This is a symlink to the actual executable. I don't believe there is a simple way of spoofing this value, other than actually copying the executable to a new file and executing that file (which is not really a spoof). However, as far as I know, it is not used by any command-line utility which shows process information. The user would need to type something like:ls -ld /proc/8325/exeor
readlink /proc/8325/exeto see the filename of the executable.
How to run a PowerShell script without displaying a window?
You can either run it like this (but this shows a window for a while):
PowerShell.exe -WindowStyle hidden { your script.. }
Or you use a helper file I created to avoid the window called PsRun.exe that does exactly that. You can download the source and exe file from Run scheduled tasks with WinForm GUI in PowerShell. I use it for scheduled tasks.
Edited: as Marco noted this -WindowStyle parameter is available only for V2 and above.
How to hide execl() arguments from ps?
Alternative solution:
Bash content can be piped and thus hidden from ps
script="script goes here"
echo $script | bash
Mitigated solution:
This is not a perfect solution, but it will answer the question, this code will create an shc_x.c under /tmp build it, then preload it with environment variable.
shc_x.c, inject the bash sh content to ******** argument by replacing it and change the location of child commands arguments and thus hide them from ps as well.
shc_x.c: (this file is generated with the second code)
/*
* Copyright 2019 - Intika <intika@librefox.org>
* Replace ******** with secret read from fd 21
* Also change arguments location of sub commands (sh script commands)
* gcc -Wall -fpic -shared -o shc_secret.so shc_secret.c -ldl
*/
#define _GNU_SOURCE /* needed to get RTLD_NEXT defined in dlfcn.h */
#define PLACEHOLDER "********"
#include <dlfcn.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>
#include <signal.h>
static char secret[128000]; //max size
typedef int (*pfi)(int, char **, char **);
static pfi real_main;
// copy argv to new location
char **copyargs(int argc, char** argv){
char **newargv = malloc((argc+1)*sizeof(*argv));
char *from,*to;
int i,len;
for(i = 0; i<argc; i++){
from = argv[i];
len = strlen(from)+1;
to = malloc(len);
memcpy(to,from,len);
// zap old argv space
memset(from,'\0',len);
newargv[i] = to;
argv[i] = 0;
}
newargv[argc] = 0;
return newargv;
}
static int mymain(int argc, char** argv, char** env) {
//fprintf(stderr, "Inject main argc = %d\n", argc);
return real_main(argc, copyargs(argc,argv), env);
}
int __libc_start_main(int (*main) (int, char**, char**),
int argc,
char **argv,
void (*init) (void),
void (*fini)(void),
void (*rtld_fini)(void),
void (*stack_end)){
static int (*real___libc_start_main)() = NULL;
int n;
if (!real___libc_start_main) {
real___libc_start_main = dlsym(RTLD_NEXT, "__libc_start_main");
if (!real___libc_start_main) abort();
}
n = read(21, secret, sizeof(secret));
if (n > 0) {
int i;
if (secret[n - 1] == '\n') secret[--n] = '\0';
for (i = 1; i < argc; i++)
if (strcmp(argv[i], PLACEHOLDER) == 0)
argv[i] = secret;
}
real_main = main;
return real___libc_start_main(mymain, argc, argv, init, fini, rtld_fini, stack_end);
}
On the main c application:
static const char * shc_x[] = {
"/*",
" * Copyright 2019 - Intika <intika@librefox.org>",
" * Replace ******** with secret read from fd 21",
" * Also change arguments location of sub commands (sh script commands)",
" * gcc -Wall -fpic -shared -o shc_secret.so shc_secret.c -ldl",
" */",
"",
"#define _GNU_SOURCE /* needed to get RTLD_NEXT defined in dlfcn.h */",
"#define PLACEHOLDER \"********\"",
"#include <dlfcn.h>",
"#include <stdlib.h>",
"#include <string.h>",
"#include <unistd.h>",
"#include <stdio.h>",
"#include <signal.h>",
"",
"static char secret[128000]; //max size",
"typedef int (*pfi)(int, char **, char **);",
"static pfi real_main;",
"",
"// copy argv to new location",
"char **copyargs(int argc, char** argv){",
" char **newargv = malloc((argc+1)*sizeof(*argv));",
" char *from,*to;",
" int i,len;",
"",
" for(i = 0; i<argc; i++){",
" from = argv[i];",
" len = strlen(from)+1;",
" to = malloc(len);",
" memcpy(to,from,len);",
" // zap old argv space",
" memset(from,'\\0',len);",
" newargv[i] = to;",
" argv[i] = 0;",
" }",
" newargv[argc] = 0;",
" return newargv;",
"}",
"",
"static int mymain(int argc, char** argv, char** env) {",
" //fprintf(stderr, \"Inject main argc = %d\\n\", argc);",
" return real_main(argc, copyargs(argc,argv), env);",
"}",
"",
"int __libc_start_main(int (*main) (int, char**, char**),",
" int argc,",
" char **argv,",
" void (*init) (void),",
" void (*fini)(void),",
" void (*rtld_fini)(void),",
" void (*stack_end)){",
" static int (*real___libc_start_main)() = NULL;",
" int n;",
"",
" if (!real___libc_start_main) {",
" real___libc_start_main = dlsym(RTLD_NEXT, \"__libc_start_main\");",
" if (!real___libc_start_main) abort();",
" }",
"",
" n = read(21, secret, sizeof(secret));",
" if (n > 0) {",
" int i;",
"",
" if (secret[n - 1] == '\\n') secret[--n] = '\\0';",
" for (i = 1; i < argc; i++)",
" if (strcmp(argv[i], PLACEHOLDER) == 0)",
" argv[i] = secret;",
" }",
"",
" real_main = main;",
"",
" return real___libc_start_main(mymain, argc, argv, init, fini, rtld_fini, stack_end);",
"}",
"",
0};
#include <sys/stat.h>
#include <sys/types.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <signal.h>
#include <sys/prctl.h>
#define PR_SET_PTRACER 0x59616d61
#include <stddef.h>
#include <sys/syscall.h>
#include <sys/socket.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/audit.h>
void shc_x_file() {
FILE *fp;
int line = 0;
if ((fp = fopen("/tmp/shc_x.c", "w")) == NULL ) {exit(1); exit(1);}
for (line = 0; shc_x[line]; line++) fprintf(fp, "%s\n", shc_x[line]);
fflush(fp);fclose(fp);
}
int make() {
char * cc, * cflags, * ldflags;
char cmd[4096];
cc = getenv("CC");
if (!cc) cc = "cc";
sprintf(cmd, "%s %s -o %s %s", cc, "-Wall -fpic -shared", "/tmp/shc_x.so", "/tmp/shc_x.c -ldl");
if (system(cmd)) {remove("/tmp/shc_x.c"); return -1;}
remove("/tmp/shc_x.c"); return 0;
}
int main(int argc, char ** argv)
{
shc_x_file();
if (make()) {exit(1);}
setenv("LD_PRELOAD","/tmp/shc_x.so",1);
// rest of the code execl etc...
}
Note: arguments can always be recovered by many ways, this code just makes it a little bit more complicated to reverse.
How to wait for a child process to finish in Node.js
You should use exec-sync
That allow your script to wait that you exec is done
really easy to use:
var execSync = require('exec-sync');
var user = execSync('python celulas.py');
Take a look at:
https://www.npmjs.org/package/exec-sync
Related Topics
Logrotate to Clean Up Date Stamped Files
Simple Way to Convert Hh:Mm:Ss (Hours:Minutes:Seconds.Split Seconds) to Seconds
How to Parse Netstat Command in Order to Get Process Name and Pid from It
Segfault with Rip-Relative Addressing on Linux
Bash Echo with an $ Character Outside the String
Explicitly Invoke Sig_Dfl/Sig_Ign Handlers on Linux
Split Fasta Files Based on Header
How to Divide in the Linux Console
Rsync - Mkstemp Failed: Permission Denied (13)
Genymotion Throws Libssl_Conf.So: Cannot Open Shared Object File: No Such File or Directory