by awaythrow999 701 days ago
Interesting but

>> My guess is that nobody is going to notice this unless they are specifically looking for this technique.

But having two identical PIDs is a pretty weak cloak. Even more so when reducing terminal clutter e.g. run "ps | grep procname" ... anyone not completely asleep is bound to notice it.

Did we read the same article? What two identical PIDs? The process doesn't show up in ps so doesn't show up in "ps | grep ..." either.

> Did we read the same article?

Probably you read the article that was linked from this article, which does indeed make the process completely vanish, but leaves a suspicious empty /proc directory.

This article 'solves' the problem of an empty directory by simply bind-mounting another process instead - but that causes ps to output a duplicate line (including process ID) for the other process, in lieu of the process being hidden.

Yeah I did, oops :). I agree the new approach isn't really any better.

Probably yes, because in the OP's article it's using a bind mount from another kernel thread and it does show up in ps twice.
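As an added defender-side example (not from the linked article or any commenter), here is a Python check for the two tells discussed in this thread: a PID that ps lists twice, and a proc bind mount whose mount point is /proc/<pid>. The ps and mountinfo text is constructed, and PIDs 4242 and 5150 are assumptions.

```python
import re
from collections import Counter

# Constructed `ps -e -o pid,comm` output: PID 4242 appears twice because
# /proc/4242 (a kworker) was bind-mounted over /proc/5150 (assumed hidden PID).
SAMPLE_PS = """\
  PID COMMAND
    1 systemd
 4242 kworker/0:1
 4242 kworker/0:1
 5677 bash
"""

# Constructed /proc/self/mountinfo lines; the third one is the bind mount.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
23 22 0:21 /sys/fs/binfmt_misc /proc/sys/fs/binfmt_misc rw - autofs systemd-1 rw
90 22 0:21 /4242 /proc/5150 rw,nosuid,nodev,noexec,relatime - proc proc rw
"""

PROC_PID_MOUNT = re.compile(r"^/proc/(\d+)$")

def duplicate_pids(ps_output):
    """Return PIDs listed more than once in ps output (header line skipped)."""
    first = [line.split()[0] for line in ps_output.splitlines()[1:] if line.split()]
    pids = [int(p) for p in first if p.isdigit()]
    return sorted(pid for pid, n in Counter(pids).items() if n > 1)

def proc_pid_bind_mounts(mountinfo):
    """Return (mount_point_pid, root_pid) pairs for proc bind mounts over /proc/<pid>.

    mountinfo field 4 is the mount's root inside its filesystem and field 5 is the
    mount point; a proc mount rooted at /<pid> but mounted at /proc/<other pid>
    is exactly the bind-mount trick discussed above.
    """
    found = []
    for line in mountinfo.splitlines():
        fields = line.split()
        if "-" not in fields or len(fields) < 10:
            continue
        sep = fields.index("-")
        root, mount_point, fstype = fields[3], fields[4], fields[sep + 1]
        m = PROC_PID_MOUNT.match(mount_point)
        if m and fstype == "proc" and root != "/":
            root_pid = root.strip("/").split("/")[0]
            if root_pid.isdigit():
                found.append((int(m.group(1)), int(root_pid)))
    return found
```

On a live host, feed `duplicate_pids` the output of `ps -e -o pid,comm` and `proc_pid_bind_mounts` the contents of /proc/self/mountinfo; the mount check also catches the case where the duplicate line is hidden by an empty or different directory.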