This project demonstrates a way to hide a process identifier (PID) from a user by abusing a system call.
It is inspired by the work of Pathtofile on the behaviour of bad BPF programs.
If you're looking for a deep dive into this project, see the two related articles on the ACCEIS blog: the first article and the second.
- Kernel v5.7 or higher
- golang v1.21 (not tested on lower versions)
- clang v16 or higher (depending on your OS, LLVM may be needed)
- libbpf v1.3.0 or higher
If you install the packages manually on a Debian/Ubuntu based distribution, note that the libbpf shipped in the apt repositories is not up to date, so you may run into problems compiling the program.
If you are on Arch Linux you can simply run

```sh
sudo pacman -S llvm clang libbpf go
```
If you want a simple way to try this tool, you can use the provided Dockerfile.
Build the image first:

```sh
docker buildx build -t hide-pid .
```

The container has to run in privileged mode in order to load the program into the kernel:

```sh
docker run --rm --privileged -v /sys/kernel/debug:/sys/kernel/debug:rw hide-pid <PID|DIR>
```
You can build the project with the following command:

```sh
make
```

Then run the program with sudo:

```sh
sudo ./bin/hide-pid 1337
# 2024/02/09 18:59:48 Waiting for events..
# 2024/02/09 18:59:53 Hiding "1337" for process "ps" (pid: 29939)
```
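Since `ps` builds its process table from a directory listing of `/proc`, a defender's check for this kind of hiding is to compare that listing against a probe that does not depend on it: stat() every candidate `/proc/<pid>` up to `pid_max` and report the PIDs that answer but are missing from the listing. The Go program below is an added example written for this README, not code from the project; it assumes the hiding tampers only with the directory listing (the view `ps` uses) and leaves direct path lookups alone, and the function names are its own.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strconv"
	"strings"
)

const fallbackMaxPID = 32768 // assumed upper bound when pid_max cannot be read

// listedPIDs returns the numeric entries that a directory listing of procDir
// reports. ps-style tools build their process table from exactly this listing,
// so it is the view a PID-hiding program is assumed to tamper with.
func listedPIDs(procDir string) (map[int]bool, error) {
	entries, err := os.ReadDir(procDir)
	if err != nil {
		return nil, err
	}
	pids := make(map[int]bool)
	for _, e := range entries {
		if pid, err := strconv.Atoi(e.Name()); err == nil && pid > 0 {
			pids[pid] = true
		}
	}
	return pids, nil
}

// probedPIDs tries every candidate PID from 1 to maxPID with a stat() on
// procDir/<pid>. A stat() resolves the path directly and never goes through
// the directory listing, so an entry filtered out of the listing still answers.
func probedPIDs(procDir string, maxPID int) map[int]bool {
	pids := make(map[int]bool)
	for pid := 1; pid <= maxPID; pid++ {
		if _, err := os.Stat(filepath.Join(procDir, strconv.Itoa(pid))); err == nil {
			pids[pid] = true
		}
	}
	return pids
}

// hiddenPIDs returns, in ascending order, the PIDs that answered a stat()
// but were missing from the listing.
func hiddenPIDs(listed, probed map[int]bool) []int {
	var hidden []int
	for pid := range probed {
		if !listed[pid] {
			hidden = append(hidden, pid)
		}
	}
	sort.Ints(hidden)
	return hidden
}

// readMaxPID reads the kernel's pid_max so the probe covers the whole PID
// space; it falls back to fallbackMaxPID if the file is unreadable.
func readMaxPID(procDir string) int {
	data, err := os.ReadFile(filepath.Join(procDir, "sys", "kernel", "pid_max"))
	if err != nil {
		return fallbackMaxPID
	}
	n, err := strconv.Atoi(strings.TrimSpace(string(data)))
	if err != nil || n <= 0 {
		return fallbackMaxPID
	}
	return n
}

func main() {
	procDir := "/proc"
	listed, err := listedPIDs(procDir)
	if err != nil {
		fmt.Fprintf(os.Stderr, "cannot list %s: %v\n", procDir, err)
		os.Exit(1)
	}
	probed := probedPIDs(procDir, readMaxPID(procDir))
	candidates := hiddenPIDs(listed, probed)

	// A process that started between the listing and the probe would look
	// hidden, so take a second listing and only report PIDs still absent from it.
	relisted, err := listedPIDs(procDir)
	if err != nil {
		fmt.Fprintf(os.Stderr, "cannot list %s: %v\n", procDir, err)
		os.Exit(1)
	}
	var confirmed []int
	for _, pid := range candidates {
		if !relisted[pid] {
			confirmed = append(confirmed, pid)
		}
	}
	if len(confirmed) == 0 {
		fmt.Println("no hidden PIDs found")
		return
	}
	for _, pid := range confirmed {
		fmt.Printf("PID %d answers stat() but is missing from the %s listing\n", pid, procDir)
	}
	os.Exit(2)
}
```

Run it as root on the host while `hide-pid` is active and the hidden PID shows up in the report; a PID that exited between the probe and the second listing can still slip through as a false positive, so re-run before acting on a single hit. Pair this with an inventory of loaded BPF programs (`bpftool prog show`), since a program that should not be there is the more direct indicator.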
The eBPF code is under the GPL licence. The Go code is under the MIT licence.