This tool can hide any PID or directory from userspace by loading a program into the Linux kernel.
MIT License
This project demonstrates a way to hide a process identifier (PID) from a user by abusing a system call.
It is inspired by Pathtofile's work on the behaviour of malicious BPF programs.
If you are looking for a deep dive into this project, two related articles are available on the ACCEIS blog: the first article and the second one.
If you install the dependencies manually on a Debian/Ubuntu based distribution, note that the libbpf package in the apt repositories is not up to date, so you may have trouble compiling the program.
If you are on Arch Linux, you can simply run
sudo pacman -S llvm clang libbpf go
If you want a simple way to try this tool, you can use the provided Dockerfile.
Build the image first
docker buildx build -t hide-pid .
You need to run the container in privileged mode so that it can load the program into the kernel
docker run --rm --privileged -v /sys/kernel/debug:/sys/kernel/debug:rw hide-pid <PID|DIR>
You can build the project with the following command
make
And then run the program with sudo
sudo ./bin/hide-pid 1337
# 2024/02/09 18:59:48 Waiting for events..
# 2024/02/09 18:59:53 Hiding "1337" for process "ps" (pid: 29939)
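The hiding shown above only filters the directory listing that tools like ps rely on; the process itself is still reachable by direct path lookup. The following script (an added defensive example, not part of the hide-pid project) compares the PIDs returned by listing /proc with those found by probing /proc/<pid> directly, and reports any PID that answers a probe but is missing from the listing.

```python
#!/usr/bin/env python3
"""Detect PIDs hidden from the directory listing of /proc.

Filtering directory entries hides a process from readdir-based tools, but
/proc/<pid> can still be opened by name. Comparing the listed view with a
brute-force probe exposes the gap. Added example, not project code.
"""
import os


def listed_pids(proc="/proc"):
    """PIDs as seen by listing the directory (the view a hooked ps gets)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(proc="/proc", max_pid=None):
    """PIDs found by stat'ing /proc/<pid> directly, bypassing the listing."""
    if max_pid is None:
        with open(os.path.join(proc, "sys/kernel/pid_max")) as f:
            max_pid = int(f.read())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(os.path.join(proc, str(pid)))  # works even if readdir omits it
            found.add(pid)
        except FileNotFoundError:
            continue
    return found


def hidden_pids(listed, probed):
    """PIDs reachable by direct lookup but absent from the listing."""
    return sorted(probed - listed)


def scan(proc="/proc"):
    """Full scan with a second pass to drop processes that started or exited mid-scan."""
    candidates = hidden_pids(listed_pids(proc), probed_pids(proc))
    listed_again = listed_pids(proc)
    return [pid for pid in candidates
            if pid not in listed_again and os.path.exists(os.path.join(proc, str(pid)))]


if __name__ == "__main__":
    for pid in scan():
        print(f"hidden pid: {pid}")
```

Probing the whole pid_max range takes a while on systems with a large pid_max; a hidden PID that is confirmed on the second pass is a strong indicator worth correlating with loaded BPF programs.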
The eBPF code is under the GPL license. The Go code is under the MIT license.