Lately I’ve been thinking about Stephan Berger’s recent blog post on hiding Linux processes with bind mounts. Bottom line here is that if you have an evil process you want to hide, use a bind mount to mount a different directory on top of the /proc/PID directory for the evil process.
In the original article, Stephan uses a nearly empty directory to overlay the original /proc/PID directory for the process he is hiding. I started thinking about how I could write a tool that would populate a more realistic looking spoofed directory. But after doing some prototypes and running into annoying complexities I realized there is a much easier approach.
Why try and make my own spoofed directory when I can simply use an existing /proc/PID directory from some other process? If you look at typical Linux ps output, there are lots of process entries that would hide our evil process quite well:
root@LAB:~# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Jul23 ? 00:00:12 /sbin/init
root 2 0 0 Jul23 ? 00:00:00 [kthreadd]
root 3 2 0 Jul23 ? 00:00:00 [rcu_gp]
root 4 2 0 Jul23 ? 00:00:00 [rcu_par_gp]
[...]
root 73 2 0 Jul23 ? 00:00:00 [irq/24-pciehp]
root 74 2 0 Jul23 ? 00:00:00 [irq/25-pciehp]
root 75 2 0 Jul23 ? 00:00:00 [irq/26-pciehp]
root 76 2 0 Jul23 ? 00:00:00 [irq/27-pciehp]
root 77 2 0 Jul23 ? 00:00:00 [irq/28-pciehp]
root 78 2 0 Jul23 ? 00:00:00 [irq/29-pciehp]
root 79 2 0 Jul23 ? 00:00:00 [irq/30-pciehp]These process entries with low PIDs and process names in square brackets (“[somename]“) are spontaneous processes. They aren’t running executables in the traditional sense– you won’t find a binary in your operating system called kthreadd for example. Instead, these are essentially kernel code dressed up to look like a process so administrators can monitor various subsystems using familiar tools like ps.
From our perspective, however, they’re a bunch of processes that administrators generally ignore and which have names that vary only slightly from one another. They’re perfect for hiding our evil processes:
root@LAB:~# ps -ef | grep myevilprocess
root 4867 1 0 Jul23 pts/0 00:00:16 myevilprocess
root@LAB:~# mount -B /proc/78 /proc/4867
root@LAB:~# ps -ef | grep 4867Our evil process is now completely hidden. If somebody were to look closely at the ps output, they would discover there are now two entries for PID 78:
root@LAB:~# ps -ef | awk '$2 == 78'
root 78 2 0 Jul23 ? 00:00:00 [irq/29-pciehp]
root 78 2 0 Jul23 ? 00:00:00 [irq/29-pciehp]My guess is that nobody is going to notice this unless they are specifically looking for this technique. And if they are aware of this technique, there’s a much simpler way of detecting it which Stephan notes in his original article:
root@LAB:~# cat /proc/mounts | grep /proc
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=29,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=424 0 0
proc /proc/4867 proc rw,nosuid,nodev,noexec,relatime 0 0The last line above is a dead giveaway that something hinky is going on.
We can refine Stephan’s approach:
root@LAB:~# cat /proc/*/mounts | awk '$2 ~ /^\/proc\/[0-9]*($|\/)/ { print $2 }' | sort -ur
/proc/4867Just to be thorough, I’m dumping the content of all /proc/*/mount entries (/proc/mounts is a link to /proc/self/mounts) and looking for ones where the mount point is a /proc/PID directory or one of its subdirectories. The “sort -ur” at the end gives us one instance of each unique mount point.
But why the “-r” option? I want to use my output to programmatically unmount the bind mounted directories. I was worried about somebody doing a bind mount on top of a bind mount:
root@LAB:~# mount -B /proc/79/fd /proc/4867/fd
root@LAB:~# cat /proc/*/mounts | awk '$2 ~ /^\/proc\/[0-9]*($|\/)/ { print $2 }' | sort -ur
/proc/78/fd
/proc/4867/fd
/proc/4867
root@LAB:~# cat /proc/*/mounts | awk '$2 ~ /^\/proc\/[0-9]*($|\/)/ { print $2 }' | sort -ur |
while read dir; do umount $dir; done
umount: /proc/4867/fd: not mounted.
root@LAB:~# ps -ef | grep myevilprocess
root 4867 1 0 Jul23 pts/0 00:00:16 myevilprocessWhile I think this scenario is extremely unlikely, using “sort -ur” means that the mount points are returned in the proper order to be unmounted. And once the bind mounts are umounted, we can see the evil process again.
Note that we do get an error here. /proc/78 is mounted on top of /proc/4867. So when we unmount /proc/78/fd we are also taking care of the spoofed path /proc/4867/fd. When our while loop gets to the entry for /proc/4867/fd, the umount command errors out.
Possible weird corner cases aside, let’s try and provide our analyst with some additional information:
root@LAB:~# function procbindmounts {
cat /proc/*/mounts | awk '$2 ~ /^\/proc\/[0-9]*($|\/)/ { print $2 }' | sort -ur |
while read dir; do
echo ===== POSSIBLE PROCESS HIDING $dir
echo -ne Overlay:\\t
cut -d' ' -f1-7 $dir/stat
umount $dir
echo -ne Hidden:\\t\\t
cut -d' ' -f1-7 $dir/stat
done
}
root@LAB:~# mount -B /proc/78 /proc/4867
root@LAB:~# procbindmounts
===== POSSIBLE PROCESS HIDING /proc/4867
Overlay: 78 (irq/29-pciehp) S 2 0 0 0
Hidden: 4867 (myevilprocess) S 1 4867 4759 34816Thanks Stephan for getting my creative juices flowing. This is a fun technique for all you red teamers out there, and a good trick for all you blue team analysts.
Righteous IT 
[…] Article URL: https://righteousit.com/2024/07/24/hiding-linux-processes-with-bind-mounts/ […]
Hello
is not this trick giving some false positive ? I tried it on Ubuntu 22.04 and Debian Bookwork and it returned a regular DBus service – loginuid:
cat /proc//mounts | awk ‘$2 ~ /^/proc/[0-9]($|/)/ { print $2 }’ | sort -ur
/proc/484/loginuid
Ugh. This is an artifact of the pam_loginuid module. I am just shaking my head at this silliness. Anyway, you can safely ignore these, they’re “expected”.
[…] Hal Pomeranz at ‘Righteous IT’Hiding Linux Processes with Bind Mounts […]