List running hidden processes after libprocesshider

Question

I make a project in Python3 for Raspberry Pi 4 I use few cli applications that. In ps/htop/top I wanted to hide the command line used on it due to some security concerns. I tried libprocesshider and its hiding entire process from the process table. And no /proc/ generated. This seems much better for our client.

But I couldn't check IsProcessRuning() to kill the previous instance and start a new one. Is there any other clue to list the running process without /proc/ ?

Similar question is found here, but no proper answer yet. List running processes without procfs

libprocesshider https://github.com/gianlucaborello/libprocesshider/blob/master/processhider.c https://sysdig.com/blog/hiding-linux-processes-for-fun-and-profit/

score 0 · Accepted Answer · answered Mar 13 '22 at 20:34

0

libprocesshider just loads special version of readdir(), which doesn't list specified entries in /proc. To list all enties you can:

Bind mount procfs somewhere else and read process info from there.
Load original versions of readdir() using dlopen()/dlsym().
Use readdir syscall directly. For reference see readdir() implementation from your libc.

answered Mar 13 '22 at 20:34

Anton Leontiev

785

Thanks Anton Leontive, I will try your suggestions soon. – gaamaa Mar 14 '22 at 06:30
You are a Super Man !

Load original versions of readdir()

This tip helped me with ctypes in python. Thanks again...
– gaamaa Mar 14 '22 at 12:11
Glad to hear it helps. You can accept an answer by click on big gray check button on its left side. – Anton Leontiev Mar 16 '22 at 17:52
I think SE must improve its web gui. Till now I couldn't search Accept button and Closed/Solved button on the page. – gaamaa Mar 17 '22 at 01:33
Ok finally I found the Accept button is the Tick mark icon. Done ! – gaamaa Mar 17 '22 at 01:34

List running hidden processes after libprocesshider

1 Answers1