gianlucaborello / libprocesshider Goto Github PK

kali didn't work entirely
ps and lsof still can see the evil_script it really confuse me 。
which system do you use ? ..

Thanks!

Can we add multiple hidden processes?

Hello, first - this is an awesome technique, great idea and implementation.

Would you be open to adding a license for libprocesshider's use? Per GitHub's terms, without one, no one can legally reproduce or modify it.

Thanks!

Hi

Newbie here.

After following the steps within the guide on a Centos 64-bit system I am getting the error in the heading. May I kindly ask to be pointed in the right direction to resolve the error message?

Your solution seems working partially, but with fails in many conditions.

I tried -marm for Raspberry Pi 4 and still same issue
gcc -Wall -marm -fPIC -shared -o libprocesshider.so processhider.c -ldl

My ld.so.preload file lines: (First line is the default for all Rasp Pi)
/usr/lib/arm-linux-gnueabihf/libarmmem-${PLATFORM}.so
/usr/$LIB/libprocesshider.so

I placed the libprocesshider.so at /usr/lib/ and /usr/local/lib/ also, still same issue

First of all after these steps, my Pycharm does run at all and showing below error
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/$LIB/libprocesshider.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
Process finished with exit code 129

Please help me !

Yesterday my server was infected by what seems to be a crypto-miner or some other type of bandwidth hog. I found the following in /var/tmp/.11/:
-rwxr-xr-x 1 root root 20240 Oct 26 22:54 bash.sh
-rw-r--r-- 1 root root 4413086 Jan 5 23:34 enbash.tar
-rw-r--r-- 1 root root 6304805 Jan 5 23:34 enbio.tar
-rwxr-xr-x 1 root root 2359889 Nov 28 02:11 fkoths
drwxr-xr-x 2 root root 4096 Jan 7 22:27 ..lph

and ..lph contains Makefile, and processhider.c . Since your code enables this virus to function, I'm hoping you're aware of a safe workaround or method of un-hiding because obviously, I can't fix what I can't see.

Hi Gian, on ubuntu 18.04 x64 the process keep visible

$git clone https://github.com/gianlucaborello/libprocesshider.git
$make
gcc -Wall -fPIC -shared -o libprocesshider.so processhider.c -ldl
$echo /usr/local/lib/libprocesshider.so >> /etc/ld.so.preload
$sudo ps aux | grep evil
root 9149 6480 34 09:27 pts/1 00:00:16 python evil_script.py

Any sugestion to modify and test?

I found mistake in your code:

-        original_##readdir = dlsym(RTLD_NEXT, "readdir");               \
+        original_##readdir = dlsym(RTLD_NEXT, #readdir);                \

For dirent64 you should to get readdir64, not readdir

Can someone provide some guidance on what needs to be modified to hide from netstat?
Thank you.

请问在该程序中 如何修改cpu的使用率？

Hey, I tried this on Opensuse 13.2 (Kernel 4.8.6-7).
But the result is that the commands ps, top show nothing anymore. The lists are completely empty.
And the ls-Command doesn't work anymore (ls: cannot access : No such file or directory) until the ld.so.preload is removed.

Can you help me ?

Thanks
starflighter

@gianlucaborello Ciao gianluca , volevo solo domandarti se questa rep può avere problemi di compatibilità con altre distro , perchè attualmente ho testato su Ubuntu 17.10 ma il processo continua ad essere visibile .
Grazie