Gui774ume/ebpfkit

Is it possible to hide the process?

yaoh3i opened this issue · 1 comment

Surprising ideas! I have a question. General rootkits can hide specific processes and prevent them from being detected by commands such as ps. Is this possible for ebpfkit?

Hey there,

Yes, if you have a look here, you'll see that we hide the pid of the rootkit from the proc file system. If you wanted to hide a file, or the process binary itself, you could simply do what we do to hide the binary of the rootkit here.

We haven't made this feature configurable because we didn't need to do it for our research (we just wanted to show that it was possible).

I hope this helps!
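The reply above says the rootkit hides its own pid from the proc file system, which is what `ps` and similar tools rely on. A defender-side check for that class of hiding, added here as an illustration and not code from the ebpfkit project, is to enumerate pids two ways and compare: once through a directory listing of `/proc` (the path tools like `ps` take) and once by probing `/proc/<n>/status` for every candidate `n` directly. The example assumes the hiding is applied to the directory listing only, so a pid that is reachable by direct path but absent from the listing is a candidate hidden process; the sample sets `SAMPLE_LISTED` and `SAMPLE_PROBED` are constructed for the offline test, and the function names are my own.

```python
import os

# Constructed sample input: a /proc listing that is missing pid 4242,
# while direct probing of /proc/4242/status still succeeds.
SAMPLE_LISTED = {1, 2, 4243}
SAMPLE_PROBED = {1, 2, 4242, 4243}


def hidden_pids(listed, probed):
    """Pids reachable by direct path access but absent from the listing."""
    return set(probed) - set(listed)


def list_proc_pids(proc="/proc"):
    """Enumerate pids the way ps does: via readdir on /proc.

    This is the view a listing-filtering rootkit tampers with.
    """
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def read_pid_max(proc="/proc", default=32768):
    """Upper bound for the probe; fall back to a constructed default if unreadable."""
    try:
        with open(os.path.join(proc, "sys/kernel/pid_max")) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


def probe_proc_pids(proc="/proc", max_pid=None):
    """Enumerate pids by opening /proc/<n>/status for every candidate n.

    Direct path access does not go through readdir, so entries filtered
    out of the directory listing can still show up here.
    """
    if max_pid is None:
        max_pid = read_pid_max(proc)
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(os.path.join(proc, str(pid), "status"))
            found.add(pid)
        except OSError:
            continue
    return found


def find_hidden(proc="/proc", max_pid=None, rounds=2):
    """Cross-check listing vs. probe, repeated to drop short-lived processes.

    A process that exits between the two enumerations looks hidden for one
    round only; requiring a pid to be flagged in every round removes that
    transient false positive. A pid flagged in all rounds is a candidate
    hidden process worth investigating, not proof by itself.
    """
    suspects = None
    for _ in range(rounds):
        listed = list_proc_pids(proc)
        probed = probe_proc_pids(proc, max_pid)
        current = hidden_pids(listed, probed)
        suspects = current if suspects is None else suspects & current
    return suspects


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print("constructed sample, hidden:", sorted(hidden_pids(SAMPLE_LISTED, SAMPLE_PROBED)))
    # Live check against the running kernel's /proc when available.
    if os.path.isdir("/proc"):
        print("live scan, candidate hidden pids:", sorted(find_hidden()))
```

Run it as root (or at least with access to `/proc`) on the host being examined. An empty live result means the two views agree; it does not rule out a rootkit that also intercepts direct opens of `/proc/<pid>`, so treat the check as one signal alongside others.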