Acceis / eBPF-hide-PID

This tool has the power to hide any PID/directory in the Linux kernel


eBPF hide PID

This project aims to demonstrate a way to hide a process identifier (PID) from a user by abusing a system call.

It is inspired by the work of Pathtofile on the behaviour of bad BPF programs.

If you're looking for a deep dive into this project, you can find the related articles on the ACCEIS blog.

Dependencies

  • Kernel v5.7 or higher
  • golang v1.21 (not tested on lower versions)
  • clang v16 or higher (depending on your OS, LLVM may be needed)
  • libbpf v1.3.0 or higher

If you install the dependencies manually on a Debian/Ubuntu-based distribution, note that the libbpf package in the apt repositories is not up to date, so you may run into problems compiling the program.

For Arch Linux

If you are on Arch Linux you can simply run

sudo pacman -S llvm clang libbpf go

Run in Docker

If you want a simple way to try this tool, you can use the provided Dockerfile

Build the image first

docker buildx build -t hide-pid .

You need to run the container in privileged mode in order to inject the program into the kernel

docker run --rm --privileged -v /sys/kernel/debug:/sys/kernel/debug:rw hide-pid <PID|DIR>

Manual installation

You can build the project using the following command

make

And then you can run the program with sudo

sudo ./bin/hide-pid 1337
# 2024/02/09 18:59:48 Waiting for events..
# 2024/02/09 18:59:53 Hiding "1337" for process "ps" (pid: 29939)
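From the defender's side, a PID that has vanished from ps and from the /proc listing can still be cross-checked by probing /proc/<pid> directly, since a hider that filters the directory listing (as the log output above, with ps no longer seeing the PID, suggests) does not stop a direct stat of the path. The following Python is an added example, not code from this project; `hidden_pids`, `scan_proc` and the constructed inputs in the test are mine.

```python
"""Cross-check /proc to spot PIDs hidden from directory listings.

Added example (not part of the eBPF-hide-PID project).  Assumption: the
hider removes the PID entry from the directory listing that `ps` and
`ls /proc` rely on, while /proc/<pid> itself still exists and can be
stat()ed directly.  Comparing the two views exposes the discrepancy.
"""
import os
from typing import Callable, Iterable, List


def hidden_pids(listed: Iterable[str],
                exists: Callable[[int], bool],
                pid_max: int) -> List[int]:
    """Return PIDs that answer a direct probe but are absent from the listing.

    listed  - entry names obtained by enumerating the /proc directory
    exists  - predicate that checks one PID without enumerating (e.g. stat)
    pid_max - upper bound of the PID space to brute-force
    """
    seen = {int(name) for name in listed if name.isdigit()}
    return [pid for pid in range(1, pid_max + 1)
            if pid not in seen and exists(pid)]


def scan_proc(proc: str = "/proc") -> List[int]:
    """Run the check against the live system.

    A PID is reported only if it is still missing after a second listing,
    which filters out processes that merely started between the two views.
    """
    try:
        with open(os.path.join(proc, "sys/kernel/pid_max")) as fh:
            pid_max = int(fh.read())
    except OSError:
        pid_max = 4_194_304  # PID_MAX_LIMIT on 64-bit kernels, as a fallback

    def probe(pid: int) -> bool:
        return os.path.isdir(os.path.join(proc, str(pid)))

    candidates = hidden_pids(os.listdir(proc), probe, pid_max)
    if not candidates:
        return []
    relisted = {int(n) for n in os.listdir(proc) if n.isdigit()}
    return [pid for pid in candidates if pid not in relisted and probe(pid)]


if __name__ == "__main__":
    for pid in scan_proc():
        print(f"present in /proc but missing from its listing: pid {pid}")
```

Walking the whole PID space with one stat per PID takes a few seconds on a default 64-bit pid_max; run it as root so that every /proc/<pid> is visible to the probe.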

Licence

The eBPF code is under GPL licence. The Go code is under MIT licence.
