Creating and discovering hidden processes on CentOS 7 Linux

1. Hiding a process

1. The tool used in this article, libprocesshider, can be downloaded from https://github.com/gianlucaborello/libprocesshider

2. The idea is to hijack library functions by using LD_PRELOAD

LD_PRELOAD is an environment variable used to load dynamic libraries, and libraries loaded through it take the highest priority. In general, the loading order is LD_PRELOAD > LD_LIBRARY_PATH > /etc/ld.so.cache > /lib > /usr/lib. Programs frequently call functions from external libraries; take malloc as an example. If we write our own malloc, compile it into a dynamic library and load it through LD_PRELOAD, then when the program calls malloc, our version is called instead of the library's.

Install

[root@kangcw ~]# git clone https://github.com/gianlucaborello/libprocesshider.git
Cloning into 'libprocesshider'...
remote: Enumerating objects: 30, done.
remote: Total 30 (delta 0), reused 0 (delta 0), pack-reused 30
Unpacking objects: 100% (30/30), done.

[root@kangcw ~]# cd libprocesshider/
[root@kangcw libprocesshider]# ls
evil_script.py  Makefile  processhider.c  README.md

#Modify the process name to hide
[root@kangcw libprocesshider]# vim processhider.c  #open
...
static const char* process_to_filter = "xianyu_cb";    ## the process name to hide
...



//Compile
[root@kangcw libprocesshider]# make
gcc -Wall -fPIC -shared -o libprocesshider.so processhider.c -ldl

//Move the file to / usr/local/lib /
[root@kangcw libprocesshider]# mv libprocesshider.so /usr/local/lib/

//Register it in the global dynamic linker preload list

echo /usr/local/lib/libprocesshider.so >> /etc/ld.so.preload



//Or add it to /etc/profile
[root@kangcw libprocesshider]# cat /etc/profile |tail -n 1
export LD_PRELOAD=/usr/local/lib/libprocesshider.so




Test

Before loading the library
//Start a process
[root@kangcw libprocesshider]# ./xianyu_cb cb &
[1] 17131
[root@kangcw libprocesshider]# Waiting for the server to connect...
[root@kangcw libprocesshider]# ps -ef |grep xianyu
root     17131 17041  0 20:36 pts/2    00:00:00 ./xianyu_cb cb  #You can see the process
root     17149 17041  0 20:36 pts/2    00:00:00 grep --color=auto xianyu


//After enabling the library
[root@kangcw libprocesshider]# vim /etc/profile
[root@kangcw libprocesshider]# source /etc/profile
[root@kangcw libprocesshider]# ./xianyu_cb cb&
[1] 17731
[root@kangcw libprocesshider]# Waiting for the server to connect...
[root@kangcw libprocesshider]# ps -ef|grep xianyu     #The process is now hidden
root     17749 17411  0 20:38 pts/2    00:00:00 grep --color=auto xianyu
[root@kangcw libprocesshider]# 

processhider.c

  1. The program defines a variable process_to_filter that controls which process name is not displayed.
  2. It overrides readdir: when strcmp(process_name, process_to_filter) == 0, i.e. the current entry's process name equals process_to_filter, the entry is skipped and the loop continues.

Known issues

  1. The program fails to compile on some Linux distributions.

    Solution: delete one of the last two lines

    DECLARE_READDIR(dirent64, readdir64);

    DECLARE_READDIR(dirent, readdir);

  2. On some Linux distributions

    echo /usr/local/lib/libprocesshider.so >> /etc/ld.so.preload

    does not work. In that case, configure the environment variable instead:

    bmfxgkpt-yhd:~# vi /etc/profile

    Add a line

    export LD_PRELOAD=/usr/local/lib/libprocesshider.so

2. How to discover hidden processes

unhide is a small forensic tool that can find processes and TCP/UDP ports hidden by rootkits, LKMs and similar techniques. It works on Linux, Unix-like systems, MS-Windows and other operating systems.

Install

[root@kangcw ~]# yum install unhide
Loaded plugins: fastestmirror, langpacks, priorities
Repository epel is listed more than once in the configuration
Loading mirror speeds from cached hostfile
 * centos-sclo-rh: mirrors.aliyun.com
 * centos-sclo-sclo: mirrors.aliyun.com
 * remi-safe: mirror.innosol.asia
centos-sclo-rh                                                                                                                                                        | 3.0 kB  00:00:00     
centos-sclo-sclo                                                                                                                                                      | 2.9 kB  00:00:00     
epel                                                                                                                                                                  | 5.3 kB  00:00:00     
extras                                                                                                                                                                | 2.9 kB  00:00:00     
google-chrome                                                                                                                                                         | 1.3 kB  00:00:00     
mysql-connectors-community                                                                                                                                            | 2.5 kB  00:00:00     
mysql-tools-community                                                                                                                                                 | 2.5 kB  00:00:00     
mysql57-community                                                                                                                                                     | 2.5 kB  00:00:00     
os                                                                                                                                                                    | 3.6 kB  00:00:00     
remi-safe                                                                                                                                                             | 3.0 kB  00:00:00     
teamviewer                                                                                                                                                            | 2.5 kB  00:00:00     
updates                                                                                                                                                               | 2.9 kB  00:00:00     
remi-safe/primary_db                                                                                                                                                  | 1.7 MB  00:02:53     
Resolving Dependencies
--> Running transaction check
---> Package unhide.x86_64 0:20130526-1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================================================
 Package                                     Arch                                        Version                                             Repository                                 Size
=============================================================================================================================================================================================
Installing:
 unhide                                      x86_64                                      20130526-1.el7                                      epel                                       63 k

Transaction Summary
=============================================================================================================================================================================================
Install  1 Package

Total download size: 63 k
Installed size: 146 k
Is this ok [y/d/N]: y
Downloading packages:
unhide-20130526-1.el7.x86_64.rpm                                                                                                                                      |  63 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : unhide-20130526-1.el7.x86_64                                                                                                                                              1/1 
  Verifying  : unhide-20130526-1.el7.x86_64                                                                                                                                              1/1 

Installed:
  unhide.x86_64 0:20130526-1.el7                                                                                                                                                             

Complete!

Usage

Run unhide proc to discover the hidden process, as shown in the following figure:
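The same cross-check that unhide performs can be scripted to understand why a readdir hook is detectable. The added example below (not part of the original post or of unhide or libprocesshider) compares the PIDs that libc readdir() reports for /proc against the PIDs that answer to stat(), which the article's library does not intercept, and also reports the two persistence points the article uses, /etc/ld.so.preload and LD_PRELOAD. It assumes a Linux /proc and that readdir is the only hooked call, as with libprocesshider; thread IDs and processes exiting mid-scan are filtered out, since both would otherwise look "hidden".

```python
import os

PRELOAD_FILE = "/etc/ld.so.preload"  # global preload list used in the article

def pids_via_readdir(proc="/proc"):
    """PIDs as libc readdir() reports them (os.listdir calls readdir, so a hook affects it)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def pids_via_stat(proc="/proc", pid_max=None):
    """Brute-force PIDs by stat()ing /proc/<pid>; a readdir hook does not intercept stat."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    return {pid for pid in range(1, pid_max + 1) if os.path.isdir(f"{proc}/{pid}")}

def is_thread_group_leader(pid, proc="/proc"):
    """True for a real process; thread IDs answer to stat() but are never listed by readdir()."""
    try:
        with open(f"{proc}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return False
    return False

def hidden_pids(visible, probed):
    """Pure comparison: PIDs reachable by stat() but missing from the directory listing."""
    return set(probed) - set(visible)

def find_hidden(proc="/proc", pid_max=None):
    """Cross-check the two views, then re-check each candidate to rule out exit races."""
    candidates = hidden_pids(pids_via_readdir(proc), pids_via_stat(proc, pid_max))
    return {pid for pid in candidates
            if os.path.isdir(f"{proc}/{pid}")          # still alive after the scan
            and pid not in pids_via_readdir(proc)      # still unlisted
            and is_thread_group_leader(pid, proc)}     # a process, not a thread

def preload_indicators(environ=None, preload_file=PRELOAD_FILE):
    """Report the two persistence points from the article: LD_PRELOAD and /etc/ld.so.preload."""
    env = os.environ if environ is None else environ
    hits = [f"LD_PRELOAD={env['LD_PRELOAD']}"] if env.get("LD_PRELOAD") else []
    try:
        with open(preload_file) as f:
            hits += [f"{preload_file}: {ln.strip()}" for ln in f if ln.strip() and not ln.startswith("#")]
    except OSError:
        pass  # file absent: nothing registered globally
    return hits
```

Call find_hidden() and preload_indicators() as root on the host; the full brute-force walks every PID up to pid_max, which takes several seconds in Python.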


Posted on Mon, 23 Mar 2020 10:13:26 -0400 by dickey