Process Hiding
Let’s talk about process hiding.
So I was thinking about how to hide a process, a process that could maybe be used for a malicious purpose 🤫 (maybe a keylogger or something). Let’s get to it.
The program
OK, so first create a simple program that prints its PID and then loops forever, so we can see how it looks in the process list. Simple, right?

```c
#include <string.h>
#include <stdio.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
    /* print our own PID so we can find this process in the process list */
    printf("PID: %d\n", getpid());
    /* spin forever so the process stays alive while we look at it */
    for (;;);
    return 0;
}
```
What do we get?
Great, we can see that we have a process whose name is “hide”. But how do we change it?
Well, you probably know that argv[0] of the program is its name.
```c
/* inside main(), after the printf above */
char *argv0 = argv[0];
printf("Argv: %p\n", argv0);   /* address of the argv[0] string */
printf("Argv: %s\n", argv0);   /* the string itself */
```
Here we simply print the pointer to the first argv (%p), i.e. where the argument strings start in memory, and the string itself (%s).
Now let’s add a for loop that overwrites every argv string with ‘*’ (42 in ASCII).
```c
/* inside main(): overwrite every argument string in place */
int i, len;
for (i = 0; i < argc; i++) {
    printf("Argument %s\n", argv[i]);
    len = strlen(argv[i]);
    memset(argv[i], 42, len);   /* 42 is '*'; keep the terminating NUL */
}
```
Great!!! Now our process shows up as **** or whatever. What if we could change it to something even better, like the name of a known process? Then when an analyst looks at the running processes, they wouldn’t think there is anything wrong with “cron”, right?
```c
/* inside main(): zero the argument strings, then write a new name into argv[0] */
for (i = 0; i < argc; i++) {
    printf("Argument %s\n", argv[i]);
    len = strlen(argv[i]);
    memset(argv[i], 0, len);    /* 0 is the NUL byte */
}
strcpy(argv0, "cron");          /* "cron" is no longer than "hide", so it fits in place */
```
This time we fill the strings with 0 (NUL) and then copy “cron” into argv[0]. Note that “cron” fits only because it is no longer than the original name; a longer string would run past the end of argv[0]’s buffer.
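As an added example (not part of the original post), here is a small Python triage script that looks for exactly this trick from the defender’s side. The name ps shows comes from /proc/<pid>/cmdline, which the process can overwrite as above, while /proc/<pid>/comm (the executable’s file name, truncated to 15 bytes) and the /proc/<pid>/exe link are filled in by the kernel at exec time and are not touched by the memset/strcpy shown here. The sample /proc values below are constructed, not captured from a real system.

```python
import os

TASK_COMM_LEN = 15  # the kernel keeps 15 bytes of comm plus a NUL

# Constructed (cmdline, comm, exe) triples mimicking /proc for this example.
SAMPLES = {
    "argv[0] rewritten to cron": (b"cron\x00", "hide", "/home/user/hide"),
    "argv wiped with asterisks": (b"****\x00", "hide", "/home/user/hide"),
    "real cron":                 (b"/usr/sbin/cron\x00-f\x00", "cron", "/usr/sbin/cron"),
    "login shell":               (b"-bash\x00", "bash", "/usr/bin/bash"),
}

def argv0_name(cmdline):
    """Program name as ps shows it: basename of argv[0], minus a login-shell dash."""
    argv0 = cmdline.split(b"\x00", 1)[0].decode("utf-8", "replace")
    return os.path.basename(argv0).lstrip("-")

def is_masqueraded(cmdline, comm, exe):
    """True when the argv[0] visible to ps matches neither comm nor the exe link.
    Some daemons (sshd, postgres) legitimately rewrite argv[0], so treat hits as
    triage candidates and confirm against the exe path and binary hash."""
    name = argv0_name(cmdline)
    if not name:                      # kernel threads and zombies have an empty cmdline
        return False
    candidates = {comm}
    if exe:
        candidates.add(os.path.basename(exe)[:TASK_COMM_LEN])
    return name[:TASK_COMM_LEN] not in candidates

def proc_snapshot(pid):
    """Read the three fields for a live process; exe needs ptrace access, so it may be None."""
    base = "/proc/%d" % pid
    with open(base + "/cmdline", "rb") as f:
        cmdline = f.read()
    with open(base + "/comm") as f:
        comm = f.read().rstrip("\n")
    try:
        exe = os.readlink(base + "/exe")
    except OSError:
        exe = None
    return cmdline, comm, exe

def scan_proc():
    """Walk /proc and return (pid, name shown by ps, comm) for every suspicious process."""
    hits = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            cmdline, comm, exe = proc_snapshot(int(entry))
        except OSError:
            continue                  # process exited mid-scan
        if is_masqueraded(cmdline, comm, exe):
            hits.append((int(entry), argv0_name(cmdline), comm))
    return hits

if __name__ == "__main__":
    for label, (cmdline, comm, exe) in SAMPLES.items():
        print("%s: %s" % (label, "SUSPICIOUS" if is_masqueraded(cmdline, comm, exe) else "ok"))
    if os.path.isdir("/proc"):
        for pid, shown, comm in scan_proc():
            print("pid %d: ps shows %r but comm is %r" % (pid, shown, comm))
```

Run as root to get the exe link for every process; as an unprivileged user the comm comparison alone still flags the “hide” program renamed to “cron”.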
Great! Hope you enjoyed this POC.
This is a practical case for educational purposes only.