Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/acceis/ebpf-hide-pid
This tool have the power to hide any PID/directory in the Linux kernel
https://github.com/acceis/ebpf-hide-pid
cybersecurity ebpf getdents64
Last synced: 2 months ago
JSON representation
This tool have the power to hide any PID/directory in the Linux kernel
- Host: GitHub
- URL: https://github.com/acceis/ebpf-hide-pid
- Owner: Acceis
- License: mit
- Created: 2024-02-08T10:22:09.000Z (11 months ago)
- Default Branch: main
- Last Pushed: 2024-09-13T22:41:26.000Z (3 months ago)
- Last Synced: 2024-10-12T19:20:16.235Z (2 months ago)
- Topics: cybersecurity, ebpf, getdents64
- Language: C
- Homepage:
- Size: 27.3 KB
- Stars: 16
- Watchers: 2
- Forks: 3
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# eBPF hide PID
This project aims to demonstrate a way to hide a _process identifier_ (PID) to a user abusing of a system call.
It is inspired by the work of Pathtofile about [bad BPF programs behaviour](https://github.com/pathtofile/bad-bpf).
If you're looking for a deep dive into this project, you can find the two related articles on the [ACCEIS blog](https://www.acceis.fr/categorie/articles-techniques/). \
You can find the [first article](https://www.acceis.fr/ebpf-program-creation-in-practice-pid-concealment-part-1/) and [the second](https://www.acceis.fr/ebpf-in-practice-pid-concealment-part-2/).## Dependencies
- Kernel v5.7 or higher
- [golang](https://go.dev/doc/install) v1.21 (not tested on lower versions)
- [clang](https://clang.llvm.org/) v16 or higher(depending on your OS, LLVM may be needed)
- [libbpf](https://github.com/libbpf/libbpf) v1.3.0 or higher> If you manually install the package in a debian/ubuntu based repository, notice that _libbpf_ is not up to date in the "apt" repositories. So you may have problems compiling the program.
### For ArchLinux
If you are on archlinux you can simply run
```bash
sudo pacman -S llvm clang libbpf go
```## Run in Docker
If you want a simple way to try this tool, you can use the provided Dockerfile
Build the image first
```bash
docker buildx build -t hide-pid .
```You need to run the docker in privileged mod in order to inject the program in the kernel
```bash
docker run --rm --privileged -v /sys/kernel/debug:/sys/kernel/debug:rw hide-pid
```## Manual installation
You can build the project using the following command
```bash
make
```And then you can run the program in sudo
```bash
sudo ./bin/hide-pid 1337
# 2024/02/09 18:59:48 Waiting for events..
# 2024/02/09 18:59:53 Hiding "1337" for process "ps" (pid: 29939)
```## Licence
The eBPF code is under GPL licence.
The Go code is under MIT licence.