Obfuscating Linux Processes through Filesystem Mounting and Library Hijacking

Process Concealment via Procfs Mounting

In Linux environments, process metadata is exposed via the /proc pseudo-filesystem. Standard monitoring utilities like ps, top, and htop retrieve system information by reading the subdirectories within /proc that correspond to specific Process IDs (PIDs). By utilizing the mount command with the --bind flag, an administrator can overlay a target PID directory with a different, often empty, directory. This effectively hides the process from userspace tools without terminating the process itself.

To implement this, first identify the PID of the process to be concealed. Then, create a dummy directory to serve as the mount point:

mkdir /tmp/.hidden_mask
mount --bind /tmp/.hidden_mask /proc/1234

After executing these commands, any utility attempting to read /proc/1234 will instead see the contents of /tmp/.hidden_mask. Since the expected process metadata (such as cmdline, status, or stat) is missing from the dummy directory, tools like ps will skip the PID in their output. To restore visibility, the directory can be unmounted:

umount /proc/1234

System Function Redirection using LD_PRELOAD

The LD_PRELOAD environment variable provides a mechanism to instruct the dynamic linker to load specific shared libraries before others. This capability allows for the interception of library calls. By crafting a custom shared object that overrides the readdir function from libc, it is possible to filter out specific directory entries, such as those representing a hidden process name or PID, when a program attempts to list the contents of /proc.

To deploy a library-based hider, follow these steps to compile and integrate the shared object:

  1. Compile the C source code into a position-independent shared library:
     gcc -shared -fPIC -o /usr/local/lib/proc_mask.so proc_mask.c -ldl
  2. To ensure the library is loaded globally across all processes, append the path of the .so file to the /etc/ld.so.preload configuration file:
     echo "/usr/local/lib/proc_mask.so" >> /etc/ld.so.preload

Once integrated, every time a process calls readdir to inspect /proc, the custom library will intercept the call. If the entry matches a predefined criterion (e.g., a specific process name), the library will skip that entry, ensuring it never reaches the calling application. This method is highly effective because it operates at the application-library interface, making the concealment transparent to standard system administration tools.
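A defender-side check covering both techniques above, as an added example that is not part of the original post: it scans /proc/self/mountinfo for anything mounted over a /proc/<pid> path (the bind-mount trick) and walks PIDs with stat() instead of readdir(), so an entry filtered out by a preloaded readdir hook still surfaces in the comparison. The mountinfo sample embedded in the block is constructed; the function names are the example's own.

```python
# Defensive detection for /proc bind-mount masking and readdir() hooks (added example).
import os
import re

PROC = "/proc"
# Constructed /proc/self/mountinfo sample: a bind mount of /tmp/.hidden_mask over /proc/1234.
SAMPLE_MOUNTINFO = """\
21 1 0:19 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
88 21 8:1 /tmp/.hidden_mask /proc/1234 rw,relatime - ext4 /dev/sda1 rw
"""


def mounts_over_proc_pids(mountinfo_text):
    """Return (mount_point, source_root) for every mount sitting on /proc/<pid>.
    In mountinfo, field 5 is the mount point and field 4 the root inside the source fs."""
    hits = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) > 4 and re.fullmatch(r"/proc/\d+", fields[4]):
            hits.append((fields[4], fields[3]))
    return hits


def hidden_pids(listed_names, probed_pids):
    """PIDs that stat() reaches but a readdir() listing of /proc omits:
    the signature of a preloaded readdir hook that drops entries."""
    listed = {int(n) for n in listed_names if n.isdigit()}
    return sorted(set(probed_pids) - listed)


def probe_pids(pid_max, proc=PROC):
    """Walk 1..pid_max using stat() only. A /proc/<pid> directory that exists
    but has no 'status' file is what an empty bind-mounted directory looks like."""
    alive, masked = [], []
    for pid in range(1, pid_max + 1):
        d = f"{proc}/{pid}"
        if os.path.isdir(d):
            (alive if os.path.exists(f"{d}/status") else masked).append(pid)
    return alive, masked


if __name__ == "__main__":
    with open(f"{PROC}/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    with open(f"{PROC}/self/mountinfo") as f:
        print("mounts over /proc/<pid>:", mounts_over_proc_pids(f.read()))
    alive, masked = probe_pids(pid_max)
    print("pid directories with no status file:", masked)
    print("pids present via stat() but absent from readdir():", hidden_pids(os.listdir(PROC), alive))
```

The stat() comparison only works while the preloaded library leaves stat() and open() untouched, so a negative result is not proof of a clean host; confirm with a statically linked tool or from a rescue environment where /etc/ld.so.preload is not in effect.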

Tags: Linux System Administration Security Process Management kernel

Posted on Wed, 03 Jun 2026 16:49:12 +0000 by cameronjdavis