Hiding a Running Process Redux

Of course, process management involves more than just the allproc and zombproc lists, and as such, hiding a running process involves more than just manipulating the allproc list. For instance:

$ sudo kldload ./process_hiding.ko
System call loaded at offset 210.
$ ps
  PID  TT  STAT      TIME COMMAND
  521  v1  S      0:00.19 -bash (bash)
  524  v1  R+     0:00.03 ps
  519  v2  I      0:00.17 -bash (bash)
  520  v2  S+     0:00.25 top
$ perl -e '$p_comm = "top";' -e 'syscall(210, $p_comm);'
$ ps -p 520
  PID  TT  STAT      TIME COMMAND
  520  v2  S+     0:00.56 top

Notice that the hidden process (top) is still found when looked up by its PID. I'm going to remedy this, but first some background information on FreeBSD hash tables[1] is required.
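The same gap can be turned into a detection check. The following script is an added example, not code from the book: it compares the kernel's process enumeration (ps -A, which on FreeBSD walks allproc) with an individual lookup of every PID (ps -p, which goes through the PID hash table via pfind) and reports PIDs that answer to lookup but are missing from enumeration. It assumes FreeBSD's default PID_MAX of 99999 as the upper bound and that ps accepts -A, -p and -o.

```shell
#!/bin/sh
# Compare two kernel views of the process table: enumeration (ps -A, which on
# FreeBSD walks allproc) and per-PID lookup (ps -p PID, which goes through the
# PID hash table via pfind). A process unlinked from allproc alone is absent
# from the first view but still answers in the second.

# Enumerated view: every PID the kernel lists, one per line.
enumerate_pids() {
    ps -A -o pid= | tr -d ' '
}

# Probed view: look up every PID from 1 to $1 individually. FreeBSD's default
# PID_MAX of 99999 is the assumed upper bound. Simple, but slow.
probe_pids() {
    maxpid=${1:-99999}
    pid=1
    while [ "$pid" -le "$maxpid" ]; do
        ps -p "$pid" -o pid= >/dev/null 2>&1 && echo "$pid"
        pid=$((pid + 1))
    done
}

# hidden_pids ENUMERATED PROBED: print PIDs present in the probed list but
# missing from the enumerated list (both newline-separated). PIDs that only
# appear in the enumerated list (processes that exited meanwhile) are ignored.
hidden_pids() {
    e=$(mktemp) || return 1
    p=$(mktemp) || return 1
    printf '%s\n' "$1" | sort > "$e"
    printf '%s\n' "$2" | sort > "$p"
    comm -13 "$e" "$p"
    rm -f "$e" "$p"
}

# Live scan, run as: sh hidden_check.sh scan [MAXPID]. Enumeration is taken
# before and after probing so a process spawned mid-scan is not misreported.
case "${1:-}" in
    scan)
        before=$(enumerate_pids)
        probed=$(probe_pids "${2:-99999}")
        after=$(enumerate_pids)
        found=$(hidden_pids "$(printf '%s\n%s' "$before" "$after")" "$probed")
        if [ -n "$found" ]; then
            echo "PIDs found by lookup but missing from enumeration:"
            echo "$found"
        else
            echo "No discrepancy between enumeration and lookup."
        fi
        ;;
esac
```

On the session above, the scan would report 520 (top) after the module has unlinked it from allproc, since ps -p still resolves it through the PID hash table.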

The hashinit Function

In FreeBSD, ...
