Re: Non registering shell

> I have a question I hope somebody will be able to answer. I am looking

You mean you want to be able to run commands from a 'magic' shell and have those commands invisible from ps, top, lsof, etc?

No, this is not possible. The kernel keeps track of all running processes. (If it didn't, it wouldn't be able to give them access to system calls, CPU, etc.) The kernel is where process reporting programs such as ps, top, lsof, and friends get their information from. You cannot have a shell that 'outfoxes' the kernel.

You can modify the kernel to not report processes if you

• have a loadable kernel module that intercepts process listing accesses and hides certain processes from the list
• modfify the process reporting structure, such as the /proc filesystem, to hide these processes

Now someone could determine that a process did exist by using 'kill' and noting when a non-existant process id returned a 'permission denied' instead of 'no such process' depending on how the kernel was modified.

One other method could be that you write a shell that modifies the argv[0] of each child. So instead of calling         

        "/bin/cat" "cat" "arg1" "arg2" "arg3" ...

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

you call

        "/bin/cat" "sh" "arg1" "arg2" "arg3" ...

to make cat think it's name is 'sh', and the process list will show 'sh' as well.[1] You'll still have an entry in ps (and the arguments may indicate something is wierd if you saw "sh / -name foo -exec something {} ;" in ps output, since that's clearly 'find' syntax) but it won't be immediately obvious if a user just does a ps for process name, not args.

However this will cause problems for any program that actually checks argv[0] - for example gzip, gunzip, and zcat are usually the same file (hardlinks) and it uses argv[0] to determine how it should behave.

The other solution would be to backdoor all your process reporting tools and hope no one brings along a pristine copy.

So your options are:

• modify kernel very effective
• modify ps/top/etc somewhat effective
• new shell that fudges pretty lame and will break argv[0] of children some functionality

Now if you were talking about more mundane things like not leaving a .history file around, that's trivial. Reset the appropriate env variables (HISTFILE and/or HISTSAVE for example) and they won't log. To be 'immune' from syslog, use programs that don't send syslogs, or you could LD_PRELOAD a library that defined openlog, syslog, and closelog to null functions.

[1] Depending on your OS, you may still be able to learn the real

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

    process name. In Linux, for example, /proc/PID/exe will be     a symlink to the real /bin/cat executable. /proc/PID/stat*     will point out other helpful info too.

--
Brian Hatch                  Why do "fat chance"
   Systems and                and "slim chance"
   Security Engineer          mean the same thing?
www.hackinglinuxexposed.com

Every message PGP signed