This is a POC for scanning /proc for hidden processes on Linux systems without brute-forcing the PID address space.

I was checking out this article and I created a process hiding kernel module that hides a Node.js process called hidden.js.

I realised that fs.readdirSync found the hidden PID that was invisible to ps aux or lsof -ni during my experimentation. This is way faster than iterating through the PID range, but I'm not sure if it's going to catch every type of hidden process or how it works yet.

I took inspiration from this tool from Sandfly Security that iterates the PID range looking for processes that are hidden.
npm i mzek-scanproc -g
Create a kernel module and load it (see /notes):
$ cd ./notes
$ make
$ sudo mv libprocesshider.so /usr/local/lib/
$ echo /usr/local/lib/libprocesshider.so >> /etc/ld.so.preload
$ node hidden.js
Extracted output showing the hidden PID:
{
'/usr/bin/node',
'/home/monz/Desktop/experiments/scanproc/hidden.js'
],
execArgv: [],
pid: 19435,
ppid: 5363,
execPath: '/usr/bin/node',
debugPort: 9229,
argv0: 'node',
_preload_modules: [],
}
Check for hidden PIDs:
$ scanproc
<mzek-scanproc>
<mzek-scanproc>
found hidden PIDs [ 19435 ]
- does this work with any type of hidden process or just node?
- how does node's fs module detect the PID that is hidden from ps?
Leave an issue if you know how this works.