Is it possible to 'hide' a process from the listing of `ps` or `top` on Linux
Solution 1:
Well, you have a couple of options here. Taking the easy way out would be to swap the ps and top programs out with modified versions that hide what it is you want to hide.
The alternative would be to run your code embedded in an existing process, or write a wrapper-script around your code with an innocuous name.
In some versions of ps, you can modify it by changing argv[], but I'm not sure if that works for top, and not sure if it works in Linux (it's mainly a BSD convention).
It all depends on exactly what you are looking to achieve by doing this.
Solution 2:
According to kernel patch http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=0499680a42141d86417a8fbaa8c8db806bea1201, you can use the hidepid option for the proc filesystem:
hidepid=0 (default) means the old behavior - anybody may read all world-readable /proc/PID/* files.
hidepid=1 means users may not access any /proc/<pid>/ directories, but their own. Sensitive files like cmdline, sched*, status are now protected against other users. As permission checking done in proc_pid_permission() and files' permissions are left untouched, programs expecting specific files' modes are not confused.
hidepid=2 means hidepid=1 plus all /proc/PID/ will be invisible to other users. It doesn't mean that it hides whether a process exists (it can be learned by other means, e.g. by kill -0 $PID), but it hides process' euid and egid. It complicates intruder's task of gathering info about running processes, whether some daemon runs with elevated privileges, whether another user runs some sensitive program, whether other users run any program at all, etc.
gid=XXX defines a group that will be able to gather all processes' info (as in hidepid=0 mode). This group should be used instead of putting nonroot user in sudoers file or something. However, untrusted users (like daemons, etc.) which are not supposed to monitor the tasks in the whole system should not be added to the group.
You are not able to control the visibility at the process level; however, you can ensure that your users can see only their own processes.
If you have a kernel version greater than 3.3, you can try the following command:
mount /proc -o remount,hidepid=2
Solution 3:
The option described in this link worked for me. In that link, the author is hiding a process called evil_script.py.
I'm pasting the content here just in case the link goes down:
- First, create a file named processhider.c with the content found in this link: processhider.c
- Compile the code with:
  gcc -Wall -fPIC -shared -o libprocesshider.so processhider.c -ldl
- Move the library with:
  sudo mv libprocesshider.so /usr/local/lib/
- Tell the dynamic linker to use it:
  echo /usr/local/lib/libprocesshider.so >> /etc/ld.so.preload
That is it. If you now run ps faux, you won't see any process called evil_script.py.
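For the defender's side of Solutions 2 and 3, this added example (not part of any answer above, and not the linked project's code) lists what /etc/ld.so.preload loads and reports PIDs that resolve by direct /proc/PID lookup but are missing from ps output. It assumes the preloaded library only filters the directory listing that ps reads; the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the page): cross-check what ps lists against direct
# /proc lookups. Function names are constructed for this example.

# Print the libraries named in an ld.so.preload-style file. glibc accepts
# whitespace- or colon-separated entries and '#' comments.
preload_entries() {
    [ -r "$1" ] || return 0
    sed 's/#.*//' "$1" | tr ' \t:' '\n\n\n' | sed '/^$/d'
}

# Print every PID in 1..$2 that resolves under proc root $1 by direct path
# lookup. /proc/TID also resolves for threads, so keep only thread-group
# leaders (Tgid equals the probed number).
probe_pids() {
    pid=1
    while [ "$pid" -le "$2" ]; do
        [ -r "$1/$pid/status" ] &&
            grep -q "^Tgid:[[:space:]]*$pid\$" "$1/$pid/status" 2>/dev/null &&
            printf '%s\n' "$pid"
        pid=$((pid + 1))
    done
}

# Print PIDs from list $1 that are absent from list $2 (the ps output).
unlisted_pids() {
    seen=" $(printf '%s' "$2" | tr '\n' ' ') "
    for p in $1; do
        case "$seen" in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Live scan, run as root: sh thisfile --scan
# A process that exits between the probe and ps shows up once; re-run to confirm.
if [ "${1:-}" = "--scan" ]; then
    preload_entries /etc/ld.so.preload | sed 's/^/preloaded: /'
    probed=$(probe_pids /proc "$(cat /proc/sys/kernel/pid_max)")
    unlisted_pids "$probed" "$(ps -e -o pid=)" | sed 's/^/not listed by ps: /'
fi
```

Run it as root: with hidepid=2 an unprivileged user cannot resolve other users' /proc/PID entries either, so both views would agree.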