mzek-scanproc

1.0.0 • Public • Published

This is a POC for scanning /proc for hidden processes on Linux systems without brute forcing the PID address space. I was checking out this article and I created a process hiding kernel module that hides a Node.js process called hidden.js.

I realised that fs.readdirSync found the hidden PID that was invisible to ps aux or lsof -ni during my experimentation. This is way faster than iterating through the PID range, but I'm not sure if it's going to catch every type of hidden process or how it works yet.

I took inspiration from this tool from Sandfly Security that iterates the PID range looking for processes that are hidden.

install

npm i mzek-scanproc -g

Create the kernel module in /notes, load it and start the process to be hidden:

$ cd ./notes
$ make
$ sudo mv libprocesshider.so /usr/local/lib/
$ echo /usr/local/lib/libprocesshider.so >> /etc/ld.so.preload
$ node hidden.js

extracted output showing the hidden PID

{
 '/usr/bin/node',
    '/home/monz/Desktop/experiments/scanproc/hidden.js'
  ],
  execArgv: [],
  pid: 19435,
  ppid: 5363,
  execPath: '/usr/bin/node',
  debugPort: 9229,
  argv0: 'node',
  _preload_modules: [],
}

check for hidden PIDs

$ scanproc
<mzek-scanproc>
<mzek-scanproc>
found hidden PIDs  [ 19435 ]

investigation

  • does this work with any type of hidden process or just Node?
  • how does Node's fs module detect the PID that is hidden from ps?

Leave an issue if you know how this works.

resources

License

MIT

Collaborators

  • mzek