Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/acceis/ebpf-hide-pid

This tool have the power to hide any PID/directory in the Linux kernel
https://github.com/acceis/ebpf-hide-pid

cybersecurity ebpf getdents64

Last synced: 24 days ago
JSON representation

This tool have the power to hide any PID/directory in the Linux kernel

Host: GitHub
URL: https://github.com/acceis/ebpf-hide-pid
Owner: Acceis
License: mit
Created: 2024-02-08T10:22:09.000Z (9 months ago)
Default Branch: main
Last Pushed: 2024-09-13T22:41:26.000Z (about 2 months ago)
Last Synced: 2024-10-12T19:20:16.235Z (24 days ago)
Topics: cybersecurity, ebpf, getdents64
Language: C
Homepage:
Size: 27.3 KB
Stars: 16
Watchers: 2
Forks: 3
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# eBPF hide PID

This project aims to demonstrate a way to hide a _process identifier_ (PID) to a user abusing of a system call.

It is inspired by the work of Pathtofile about [bad BPF programs behaviour](https://github.com/pathtofile/bad-bpf).

If you're looking for a deep dive into this project, you can find the two related articles on the [ACCEIS blog](https://www.acceis.fr/categorie/articles-techniques/). \
You can find the [first article](https://www.acceis.fr/ebpf-program-creation-in-practice-pid-concealment-part-1/) and [the second](https://www.acceis.fr/ebpf-in-practice-pid-concealment-part-2/).

## Dependencies

- Kernel v5.7 or higher
- [golang](https://go.dev/doc/install) v1.21 (not tested on lower versions)
- [clang](https://clang.llvm.org/) v16 or higher(depending on your OS, LLVM may be needed)
- [libbpf](https://github.com/libbpf/libbpf) v1.3.0 or higher

> If you manually install the package in a debian/ubuntu based repository, notice that _libbpf_ is not up to date in the "apt" repositories. So you may have problems compiling the program.

### For ArchLinux

If you are on archlinux you can simply run

```bash
sudo pacman -S llvm clang libbpf go
```

## Run in Docker

If you want a simple way to try this tool, you can use the provided Dockerfile

Build the image first

```bash
docker buildx build -t hide-pid .
```

You need to run the docker in privileged mod in order to inject the program in the kernel

```bash
docker run --rm --privileged -v /sys/kernel/debug:/sys/kernel/debug:rw hide-pid
```

## Manual installation

You can build the project using the following command

```bash
make
```

And then you can run the program in sudo

```bash
sudo ./bin/hide-pid 1337
# 2024/02/09 18:59:48 Waiting for events..
# 2024/02/09 18:59:53 Hiding "1337" for process "ps" (pid: 29939)
```

## Licence

The eBPF code is under GPL licence.
The Go code is under MIT licence.