Using taskverse to see hidden processes
In the Linux kernel, there are several ways to modify the kernel so that process hiding can work. Since this chapter is not meant to be an exegesis on all kernel rootkits, I will cover only the most commonly used method and then propose a way of detecting it, which is implemented in the taskverse program I made available in 2014.
In Linux, process IDs appear as directories within the /proc filesystem; each directory contains a plethora of information about the process. The /bin/ps program does a directory listing of /proc to see which pids are currently running on the system. A directory listing in Linux (such as with ps or ls) uses the sys_getdents64 system call and the filldir64 kernel function, which copies each directory entry into the caller's buffer. Many kernel rootkits hijack one of these functions (depending on the kernel version) and insert code that skips over the directory entry whose d_name is the pid of the hidden process, so the entry is never copied out to user space. As a result, the /bin/ps program is unable to find the...
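The following program is added here as an illustration of the paragraph above; it is not code from the chapter and not taskverse, whose own detection method the author describes separately. It turns the listing-filter idea into a user-space cross-check: it reads /proc through the raw getdents64 system call, the same path ps and ls take, then probes every pid up to pid_max with stat() on /proc/<pid>, which resolves by path lookup rather than through filldir64 and is therefore untouched by a listing filter. Any pid that answers the probe but never appeared in the listing is reported. It assumes Linux with /proc mounted and /proc/sys/kernel/pid_max readable; the struct name linux_dirent64 and all function names are this example's own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record layout returned by getdents64(2); d_name is NUL-terminated. */
struct linux_dirent64 {
    uint64_t       d_ino;
    int64_t        d_off;
    unsigned short d_reclen;
    unsigned char  d_type;
    char           d_name[];
};

/* Set seen[pid] = 1 for every numeric d_name that raw getdents64 returns for
 * /proc. ps and ls reach the kernel through this same call, so a rootkit that
 * hooks getdents64 or filldir64 filters this listing exactly as it filters
 * theirs. Returns the number of pid entries seen, or -1 on error. */
int list_proc_pids(unsigned char *seen, size_t max_pid) {
    int fd = open("/proc", O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[64 * 1024];
    int count = 0;
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n <= 0) break;                  /* 0: end of directory, <0: error */
        for (long off = 0; off < n; ) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + off);
            char *end;
            unsigned long pid = strtoul(d->d_name, &end, 10);
            /* only all-digit names are pids; "self", "." etc. are skipped */
            if (d->d_name[0] && *end == '\0' && pid > 0 && pid < max_pid) {
                seen[pid] = 1; count++;
            }
            off += d->d_reclen;
        }
    }
    close(fd);
    return count;
}

/* Probe one pid by path lookup, which never goes through filldir64. */
int pid_visible_by_stat(pid_t pid) {
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d", (int)pid);
    return stat(path, &st) == 0;
}

/* Pure comparison: pids that answered the probe but were absent from the
 * listing go to out (at most out_cap of them); the return value is the full
 * count so a caller can tell when out_cap was too small. */
size_t find_hidden(const unsigned char *listed, const unsigned char *alive,
                   size_t max_pid, pid_t *out, size_t out_cap) {
    size_t n = 0;
    for (size_t pid = 1; pid < max_pid; pid++) {
        if (!alive[pid] || listed[pid]) continue;
        if (n < out_cap) out[n] = (pid_t)pid;
        n++;
    }
    return n;
}

/* Cover the whole pid space: read pid_max, fall back to the classic 32768. */
static size_t read_pid_max(void) {
    size_t pid_max = 32768;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f && fscanf(f, "%zu", &pid_max) != 1) pid_max = 32768;
    if (f) fclose(f);
    return pid_max + 1;                     /* arrays are indexed by pid */
}

int main(void) {
    size_t max_pid = read_pid_max();
    unsigned char *listed = calloc(max_pid, 1), *alive = calloc(max_pid, 1);
    pid_t hidden[256];
    if (!listed || !alive || list_proc_pids(listed, max_pid) < 0) {
        perror("/proc scan");
        return 1;
    }
    for (size_t pid = 1; pid < max_pid; pid++)
        alive[pid] = (unsigned char)pid_visible_by_stat((pid_t)pid);
    size_t n = find_hidden(listed, alive, max_pid, hidden, 256);
    /* A process that started between the listing and the probe also looks
     * hidden, so re-list and report only pids that are still missing. */
    memset(listed, 0, max_pid);
    list_proc_pids(listed, max_pid);
    size_t confirmed = 0;
    for (size_t i = 0; i < n && i < 256; i++) {
        if (listed[hidden[i]] || !pid_visible_by_stat(hidden[i])) continue;
        printf("hidden pid %d\n", (int)hidden[i]);
        confirmed++;
    }
    printf("%zu pid(s) answer stat() but are missing from the listing\n", confirmed);
    return confirmed ? 2 : 0;
}
```

Build with `gcc -O2 -o procxcheck procxcheck.c` and run it as any user: stat() on /proc/<pid> succeeds for every process unless /proc is mounted with hidepid, and in that case the pid is absent from the listing as well, so no false positive results. The second listing pass is there because the probe loop takes a few seconds on a 4194304-pid system and processes that start in the meantime would otherwise be reported. The check is only as strong as the rootkit is lazy: a rootkit that also hooks the /proc path lookup defeats it, which is why a detector should not trust the /proc interface alone.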