Hiding Processes
Adore is a popular LKM-based (loadable kernel module) rootkit. Among its many features, it allows a user to hide processes by altering the /proc filesystem's readdir handler, so that the directory entries for hidden PIDs are simply omitted from the listing.
Tip
Download the Adore rootkit at http://packetstormsecurity.nl/groups/teso/.
The /proc filesystem exposes a lot of system information, including per-process information. For example, let's assume sshd is running on our system. You can use the ps tool to obtain sshd's Process ID (PID):
[notroot]$ ps x | grep sshd
1431 ? S 0:00 /usr/sbin/sshd
4721 tty1 S 0:00 grep sshd
In our example, the sshd process's PID is 1431. Let's look in /proc/1431 to obtain more information about the sshd process:
[notroot]$ ls -l /proc/1431/
total 0
-r--------  1 root root 0 Sep  4 09:14 auxv
-r--r--r--  1 root root 0 Sep  4 09:12 cmdline
lrwxrwxrwx  1 root root 0 Sep  4 09:14 cwd -> /
-r--------  1 root root 0 Sep  4 09:12 environ
lrwxrwxrwx  1 root root 0 Sep  4 09:14 exe -> /usr/sbin/sshd
dr-x------  2 root root 0 Sep  4 09:14 fd
-r--r--r--  1 root root 0 Sep  4 09:14 maps
-rw-------  1 root root 0 Sep  4 09:14 mem
-r--r--r--  1 root root 0 Sep  4 09:14 mounts
lrwxrwxrwx  1 root root 0 Sep  4 09:14 root -> /
-r--r--r--  1 root root 0 Sep  4 09:12 stat
-r--r--r--  1 root root 0 Sep  4 09:14 statm
-r--r--r--  1 root root 0 Sep  4 09:12 status
dr-xr-xr-x  3 root root 0 Sep  4 09:14 task
-r--r--r--  1 root root 0 Sep  4 09:14 wchan
As you can see, the /proc filesystem also exposes per-process information. The ps tool enumerates the processes running on a system by reading the /proc directory, one numeric subdirectory per PID. That is exactly why a rootkit that filters /proc's readdir output can make a process vanish from ps without touching the ps binary itself.