Hiding a Running Process

Now, equipped with the macros and functions from the previous sections, I'll detail how to hide a running process using DKOM. First, though, we need some background information on process management.

The proc Structure

In FreeBSD the context of each process is maintained in a proc structure, which is defined in the <sys/proc.h> header. The following list describes the fields in struct proc that you'll need to understand in order to hide a running process.

Note

I've tried to keep this list brief so that it can be used as a reference. You can skip over this list on your first reading and refer back to it when you face some real C code.

LIST_ENTRY(proc) p_list;

This field contains the linkage pointers that are associated with the ...
