CN117891682A - Method and device for hiding process of Linux system, electronic equipment and storage medium - Google Patents
Method and device for hiding process of Linux system, electronic equipment and storage medium
- Publication number: CN117891682A (application number CN202311821873.4A)
- Authority: CN (China)
- Prior art keywords: monitoring, hiding, fanotify, linux system, information
- Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Classifications
- G06F11/3003—Monitoring arrangements specially adapted to the computing system or computing system component being monitored
- G06F11/302—Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
- G06F11/3072—Monitoring arrangements determined by the means or processing involved in reporting the monitored data where the reporting involves data filtering, e.g. pattern matching, time or event triggered, adaptive or policy-based reporting
Abstract
Embodiments of the disclosure provide a method, a device, electronic equipment and a storage medium for hiding a process in a Linux system, and relate to the technical field of computer system information security. The method for hiding a process in a Linux system comprises the following steps: establishing an information channel between the kernel layer and the application layer by means of a Connector monitoring program, and acquiring process information, including the process code (PID), of a target process; monitoring operation events on the directory corresponding to that process code in the Procfs file system by means of a Fanotify monitoring program; and releasing or blocking each operation event according to its access authority. This addresses the security, performance and ease-of-detection problems of the prior art and meets stricter privacy protection requirements.
Description
Technical Field
The disclosure relates to the technical field of computer system information security, in particular to a method, a device, electronic equipment and a storage medium for hiding a process in a Linux system.
Background
In the field of information security for domestic operating systems, process hiding is a key security and privacy protection technology. To prevent certain key processes from being forcibly terminated or even noticed, key processes, or all processes, in a software system must be hidden and protected, meaning that they cannot be found by tools such as a task manager.
Many process hiding methods exist, but each has problems of one kind or another:
① Modifying the process name: one of the most common methods is to modify the name of a process so that it is not easily identified in the process list. However, this approach is easily detected because other monitoring tools can check for changes in process names.
② Hiding process file system information: another common approach is to hide the file system information of a process from view in the file system by modifying the operating system kernel. However, this approach requires modifications to the file system, requires privileged rights, and still presents a certain risk.
③ Using a kernel module: some techniques rely on loading custom kernel modules to modify or hide process information at the kernel level. However, this requires modifications to the operating system kernel, which may lead to instability and security problems for the system.
In summary, prior art approaches to hiding processes involve modifying kernel mechanisms that may cause instability of the system or require privileged rights, which may foster misuse and malicious use; and some methods may affect system performance, cause excessive resource occupation or cause low process hiding efficiency, and are easy to detect when facing advanced detection tools and methods, so that privacy and security performance cannot be guaranteed.
Disclosure of Invention
In view of this, the embodiments of the present disclosure provide a method for hiding a process in a Linux system, which can solve the security, performance and easy detection problems in the prior art, and meet the higher privacy protection requirements.
In a first aspect, an embodiment of the present disclosure provides a method for hiding a process in a Linux system, which adopts the following technical scheme: establishing an information channel between the kernel layer and the application layer by means of a Connector monitoring program, and acquiring process information, including the process code, of a target process; monitoring operation events on the directory corresponding to the process code in the Procfs file system by means of a Fanotify monitoring program; and releasing or blocking the operation event according to its access authority.
In a second aspect, an embodiment of the present disclosure further provides a device for hiding a process in a Linux system, which adopts the following technical scheme: a monitoring module for establishing an information channel between the kernel layer and the application layer by means of a Connector monitoring program and acquiring process information, including the process code, of a target process; a monitoring module for monitoring operation events on the directory corresponding to the process code in the Procfs file system by means of a Fanotify monitoring program; and an execution module for releasing or blocking the operation event according to its access authority.
In a third aspect, an embodiment of the present disclosure further provides an electronic device, which adopts the following technical scheme:
the electronic device includes:
At least one processor; and
A memory communicatively coupled to the at least one processor; wherein,
The memory stores instructions executable by the at least one processor to enable the at least one processor to perform any of the methods of hiding processes in a Linux system described above.
In a fourth aspect, the disclosed embodiments also provide a computer-readable storage medium storing computer instructions for causing a computer to perform a method of hiding a process of any one of the Linux systems described above.
The method for hiding a process in a Linux system provided by the embodiments of the disclosure is a process hiding method based on combining the connector, fanotify and the procfs virtual file system of the Linux system: the process information of the target process to be hidden is obtained in real time through the connector mechanism, the directory of the target process in the procfs virtual file system is monitored directly through the fanotify mechanism, and the process is hidden by blocking operation events that lack access rights. Real-time monitoring and hiding can be provided for all processes of the system without modifying the kernel and without requiring privileged rights to be set, which improves the security and efficiency of process hiding and reduces the risk of detection.
The foregoing description is only an overview of the disclosed technology, and may be implemented in accordance with the disclosure of the present disclosure, so that the above-mentioned and other objects, features and advantages of the present disclosure can be more clearly understood, and the following detailed description of the preferred embodiments is given with reference to the accompanying drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and other drawings may be obtained according to these drawings without inventive effort to a person of ordinary skill in the art.
FIG. 1 is a flowchart illustrating an example of a method for hiding a process in a Linux system according to an embodiment of the disclosure;
FIG. 2 is a flowchart illustrating a second example of a method for hiding a process in a Linux system in an embodiment of the disclosure;
FIG. 3 is a schematic block diagram of an apparatus for hiding a process in a Linux system according to an embodiment of the present disclosure;
FIG. 4 is a schematic structural diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
Embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
It should be appreciated that the following specific embodiments of the disclosure are described in order to provide a better understanding of the present disclosure, and that other advantages and effects will be apparent to those skilled in the art from the present disclosure. It will be apparent that the described embodiments are merely some, but not all embodiments of the present disclosure. The disclosure may be embodied or practiced in other different specific embodiments, and details within the subject specification may be modified or changed from various points of view and applications without departing from the spirit of the disclosure. It should be noted that the following embodiments and features in the embodiments may be combined with each other without conflict. All other embodiments, which can be made by one of ordinary skill in the art without inventive effort, based on the embodiments in this disclosure are intended to be within the scope of this disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the following claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the present disclosure, one skilled in the art will appreciate that one aspect described herein may be implemented independently of any other aspect, and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. In addition, such apparatus may be implemented and/or such methods practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
It should also be noted that the illustrations provided in the following embodiments merely illustrate the basic concepts of the disclosure by way of illustration, and only the components related to the disclosure are shown in the drawings and are not drawn according to the number, shape and size of the components in actual implementation, and the form, number and proportion of the components in actual implementation may be arbitrarily changed, and the layout of the components may be more complicated.
In addition, in the following description, specific details are provided in order to provide a thorough understanding of the examples. However, it will be understood by those skilled in the art that the aspects may be practiced without these specific details.
Linux is usually spoken of as a single operating system, but the name actually covers a family of operating systems built on the Linux kernel. The kernel is open source and is maintained and improved by a global developer community, so it supports a wide range of hardware, from personal computers to servers and embedded devices, and offers users a variety of kernel mechanisms that can be configured and modified as needed, for example:
The Connector mechanism:
The Connector, used here as a process event connector (the Connector monitoring program referred to below), is a communication mechanism provided by the Linux kernel that supports information exchange between the kernel layer and the application layer and can monitor process events in real time.
Fanotify mechanism:
Fanotify, used here as a file event monitor (the Fanotify monitoring program referred to below), is a monitoring mechanism provided by the Linux operating system whose consumer runs in the application layer; it can monitor file operation events on a file system and, for specific events such as open and read, can also control whether the event is allowed.
Procfs file system:
The Procfs file system is a memory-based virtual file system in which the Linux operating system records information about all of its processes; the user layer obtains its view of process information through procfs.
In the prior art the Fanotify mechanism is mostly used to monitor on-disk file systems, to prevent program files that the user cares about from being tampered with. The Procfs file system, by contrast, is a memory-based virtual file system that dynamically records process-related files, which differs from the on-disk file systems users focus on, so it is not obvious that it can be monitored through the Fanotify mechanism; however, under the "everything is a file" design of the Linux operating system, the Procfs file system can in principle be monitored with the Fanotify mechanism. On this basis, the embodiments of the disclosure combine three mechanisms of the Linux system, Connector, Fanotify and Procfs, to hide processes in real time.
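As an added example (not code from the patent), here is a defender-side check for the building block this passage relies on. Marks that a fanotify group holds are exposed in /proc/<pid>/fdinfo of the process that owns the fanotify descriptor, in the line format printed by fs/notify/fdinfo.c in the Linux kernel. Permission events (FAN_OPEN_PERM and relatives), the only kind of fanotify event that can be denied, require a group of class FAN_CLASS_CONTENT or FAN_CLASS_PRE_CONTENT, which fanotify_init() only grants to a caller holding CAP_SYS_ADMIN. The script parses fdinfo text, decodes the mask bits and reports groups holding permission marks on the procfs superblock; the fdinfo sample embedded in it is constructed for this example, and the function and class names are this example's own.

```python
"""Audit fanotify marks exposed through /proc/<pid>/fdinfo (added example).

Line formats follow fs/notify/fdinfo.c in the Linux kernel; constant values
come from <linux/fanotify.h>. The sample fdinfo text at the bottom is constructed.
"""
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Event and mark bits from <linux/fanotify.h>.
FAN_ACCESS, FAN_MODIFY, FAN_CLOSE_WRITE = 0x1, 0x2, 0x8
FAN_CLOSE_NOWRITE, FAN_OPEN, FAN_OPEN_EXEC = 0x10, 0x20, 0x1000
FAN_OPEN_PERM, FAN_ACCESS_PERM, FAN_OPEN_EXEC_PERM = 0x10000, 0x20000, 0x40000
FAN_EVENT_ON_CHILD, FAN_ONDIR = 0x08000000, 0x40000000
PERM_BITS = FAN_OPEN_PERM | FAN_ACCESS_PERM | FAN_OPEN_EXEC_PERM
# fanotify_init() class flags that make permission events possible.
FAN_CLASS_CONTENT, FAN_CLASS_PRE_CONTENT = 0x4, 0x8

EVENT_NAMES = {
    FAN_ACCESS: "ACCESS", FAN_MODIFY: "MODIFY", FAN_CLOSE_WRITE: "CLOSE_WRITE",
    FAN_CLOSE_NOWRITE: "CLOSE_NOWRITE", FAN_OPEN: "OPEN", FAN_OPEN_EXEC: "OPEN_EXEC",
    FAN_OPEN_PERM: "OPEN_PERM", FAN_ACCESS_PERM: "ACCESS_PERM",
    FAN_OPEN_EXEC_PERM: "OPEN_EXEC_PERM", FAN_EVENT_ON_CHILD: "EVENT_ON_CHILD",
    FAN_ONDIR: "ONDIR",
}

_GROUP_RE = re.compile(r"^fanotify flags:([0-9a-f]+) event-flags:([0-9a-f]+)$")
_MARK_RE = re.compile(
    r"^fanotify (?:ino:(?P<ino>[0-9a-f]+) sdev:(?P<sdev>[0-9a-f]+)"
    r"|mnt_id:(?P<mnt>[0-9a-f]+)|sdev:(?P<sbdev>[0-9a-f]+))"
    r" mflags:[0-9a-f]+ mask:(?P<mask>[0-9a-f]+) ignored_mask:[0-9a-f]+"
)


@dataclass
class Mark:
    kind: str                        # "inode", "mount" or "sb"
    dev: Optional[Tuple[int, int]]   # (major, minor) of the marked superblock, if printed
    mask: int


@dataclass
class FanotifyGroup:
    flags: int
    marks: List[Mark] = field(default_factory=list)

    def permission_capable(self) -> bool:
        return bool(self.flags & (FAN_CLASS_CONTENT | FAN_CLASS_PRE_CONTENT))

    def permission_marks(self) -> List[Mark]:
        return [m for m in self.marks if m.mask & PERM_BITS]


def kernel_dev(sdev: int) -> Tuple[int, int]:
    """fdinfo prints s_dev in the kernel's internal MKDEV layout: major << 20 | minor."""
    return sdev >> 20, sdev & 0xFFFFF


def decode_mask(mask: int) -> List[str]:
    return [name for bit, name in EVENT_NAMES.items() if mask & bit]


def parse_fdinfo(text: str) -> Optional[FanotifyGroup]:
    """Return the group described by one fdinfo file, or None if it is not a fanotify fd."""
    group = None
    for line in text.splitlines():
        g = _GROUP_RE.match(line)
        if g:
            group = FanotifyGroup(flags=int(g.group(1), 16))
            continue
        m = _MARK_RE.match(line)
        if m and group is not None:
            mask = int(m.group("mask"), 16)
            if m.group("ino") is not None:
                group.marks.append(Mark("inode", kernel_dev(int(m.group("sdev"), 16)), mask))
            elif m.group("mnt") is not None:
                group.marks.append(Mark("mount", None, mask))
            else:
                group.marks.append(Mark("sb", kernel_dev(int(m.group("sbdev"), 16)), mask))
    return group


def procfs_permission_marks(group: FanotifyGroup, proc_dev: Tuple[int, int]) -> List[Mark]:
    """Permission marks placed on objects of the procfs superblock identified by proc_dev."""
    return [m for m in group.permission_marks() if m.dev == proc_dev]


def scan_live(proc: str = "/proc"):
    """Walk /proc/<pid>/fdinfo/* (root is needed to read other users' fds) and report hits."""
    st = os.stat(proc)
    proc_dev = (os.major(st.st_dev), os.minor(st.st_dev))
    hits = []
    for pid in (p for p in os.listdir(proc) if p.isdigit()):
        fddir = os.path.join(proc, pid, "fdinfo")
        try:
            fds = os.listdir(fddir)
        except OSError:
            continue
        for fd in fds:
            try:
                with open(os.path.join(fddir, fd)) as fh:
                    group = parse_fdinfo(fh.read())
            except OSError:
                continue
            if group and procfs_permission_marks(group, proc_dev):
                hits.append((int(pid), int(fd), group))
    return hits


# Constructed sample: a FAN_CLASS_CONTENT group holding an OPEN_PERM|EVENT_ON_CHILD mark on a
# directory inode of device 0:21 (a typical anonymous procfs device) plus a plain OPEN mount mark.
SAMPLE_FDINFO = (
    "pos:\t0\nflags:\t02\nmnt_id:\t9\n"
    "fanotify flags:4 event-flags:0\n"
    "fanotify ino:2c47 sdev:15 mflags:0 mask:8010000 ignored_mask:0 "
    "fhandle-bytes:8 fhandle-type:1 f_handle:472c0000\n"
    "fanotify mnt_id:1f mflags:40 mask:20 ignored_mask:0\n"
)

if __name__ == "__main__":
    for pid, fd, grp in scan_live():
        for mk in grp.permission_marks():
            print(f"pid {pid} fd {fd}: {mk.kind} mark dev={mk.dev} mask={decode_mask(mk.mask)}")
```

Run as root to see descriptors of every process; a hit means some process can veto opens or reads on procfs objects, which a normal endpoint agent that only watches on-disk files would never do. The check is evidence, not proof: a group owner can also close the descriptor between scans, so pair it with the cross-view check on process visibility.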
The embodiments of the disclosure disclose a method for hiding a process in a Linux system. As shown in FIG. 1, which is a first flowchart of the method for hiding a process in a Linux system in an embodiment of the disclosure, the method comprises the following steps:
step S11, establishing an information channel between the kernel layer and the application layer by means of a Connector monitoring program, and acquiring process information, including the process code, of a target process;
step S12, monitoring operation events on the directory corresponding to the process code in the Procfs file system by means of a Fanotify monitoring program;
and step S13, releasing or blocking the operation event according to its access authority.
The method for hiding a process in a Linux system provided by the embodiments of the disclosure is thus a process hiding method based on combining the connector, fanotify and the procfs virtual file system of the Linux system: the process information of the target process to be hidden is obtained in real time through the connector mechanism, the directory of the target process in the procfs virtual file system is monitored directly through the fanotify mechanism, and the process is hidden by blocking operation events that lack access rights. Real-time monitoring and hiding can be provided for all processes of the system without modifying the kernel and without requiring privileged rights to be set, which improves the security and efficiency of process hiding and reduces the risk of detection.
In step S11 in the embodiment of the present disclosure, an information channel between a kernel layer and an application layer is established according to a Connector monitor program, and process information including a process code of a target process is obtained;
For example: the Connector is used as the monitoring program, and the information of the target process to be hidden (such as its process name) is configured in advance, so that the start-stop events and the process code (PID) of the target process can be obtained in real time while the monitoring task runs.
Specifically, since the Connector monitoring program observes the start-stop events and information of all processes of the Linux system, a large number of non-target processes are involved, so step S11 may further include: judging whether the process currently reported to the Connector monitoring program is a target process that needs to be hidden; if so, acquiring its process information; if not, ignoring it.
Whether the current process is a target process that needs to be hidden can be judged by process name matching: the process name in the current process event is matched against the preconfigured process names of the target processes to be hidden. If the match succeeds, a target process to be hidden has been found, and its start-stop event and PID are passed to the fanotify monitoring program in the application layer; if the match fails, the current process is a non-target process and is ignored.
The number of preconfigured target processes to be hidden may be one or more; the embodiments of the disclosure do not limit this. In addition, the configuration information may be written directly into the Connector monitoring program, or a dynamic variable may be provided in the Connector monitoring program so that the set of target processes to be hidden can be changed according to user requirements.
In the embodiment of the disclosure, the process identification and information acquisition are performed by utilizing a Connector mechanism of the Linux system, no kernel modification is involved, and meanwhile, due to the fact that all processes in the Linux system are dynamically monitored in real time, omission of a target process needing to be hidden is avoided, and the state of the target process and the reliability and stability of information acquisition are ensured.
In step S12 in the embodiment of the present disclosure, an operation event of a file directory corresponding to the process code in the Procfs file system is monitored by using a Fanotify monitor;
For example: for a target process whose process code is PID1, a Fanotify monitoring program can be used to monitor file operation events under the /proc/[PID1] directory; once monitoring is triggered, the file operation event can be audited according to a preconfigured control strategy.
The Fanotify monitoring program receives the start-stop event and PID of the target process from the Connector monitoring program, and updates its monitoring list according to the specific start-stop event.
Specifically, the start-stop event of the target process delivered by the Connector monitoring program is generally "start" or "close", where start indicates that the target process has begun running and close indicates that it has finished running.
Therefore, when the start-stop event indicates that the target process has started, the directory corresponding to the process code of the target process in the Procfs file system is added to the monitoring list of the Fanotify monitoring program, so that it is monitored by the Fanotify mechanism;
When the start-stop event indicates that the target process has closed, the directory corresponding to the process code in the Procfs file system is removed from the monitoring list of the Fanotify monitoring program and monitoring of that directory ends, which improves the efficiency of the Fanotify mechanism and reduces the impact on system performance and resources.
In addition, since process codes are assigned dynamically, a restart of the target process is treated as a close followed by a start: the directory for the old process code is removed from the monitoring list of the Fanotify monitoring program when the target process closes, and the directory for the new process code is added to the monitoring list when the target process starts again.
In step S13 in the embodiment of the present disclosure, the operation event is released or blocked according to the access right of the operation event.
Specifically, whether the visitor and/or the event type in the operation event has access rights or not can be judged according to the pre-configuration information; if yes, releasing the operation event; if not, blocking the operation event.
The preconfiguration information is a list or database similar to a blacklist and/or a whitelist: the whitelist records the visitors and/or operation events to which the user has granted access rights, and the blacklist records the visitors and/or operation events to which the user has denied access rights. Matching the visitor and/or event type of an operation event against this information determines whether that visitor and/or operation event has access rights.
In some embodiments, the preconfiguration information may be updated dynamically according to the PIDs or directories in the monitoring list of the Fanotify monitoring program: when a new monitoring target joins the monitoring list, the preconfiguration information for that target is loaded at the same time; and when the target is removed from the monitoring list, its preconfiguration information is deleted, which further improves monitoring efficiency and system performance.
In some embodiments, the fanotify monitoring program may be terminated to restore the normal state of the procfs file system once the target process no longer needs to be hidden.
As shown in fig. 2, fig. 2 is a second flowchart of a method for hiding a process in a Linux system in an embodiment of the disclosure. The method for hiding the process in the Linux system comprises the following steps:
Initialization of the Connector monitoring program and the Fanotify monitoring program, namely:
Step S20a, initializing the Connector monitoring program: configure the process name of the target process to be hidden, monitor that process name in real time, and, when a start-stop event occurs for the target process, pass its relevant information, such as its PID, to the Fanotify monitoring program.
Step S20b, initializing the Fanotify monitoring program: configure the blacklist and whitelist; this program receives the relevant information of the target process from the Connector monitoring program, updates its monitoring strategy accordingly, and monitors operation events of the target process on the procfs file system.
The initialization order of the Connector monitoring program and the Fanotify monitoring program is not limited in the embodiments of the disclosure, but in principle the Fanotify monitoring program should be enabled before the Connector monitoring program.
Step S21, when the Connector monitoring program detects a start-stop event of the target process, the process information of the target process is passed to the Fanotify monitoring program;
Step S22, the Fanotify monitoring program judges the process event: if it indicates that the target process has started, proceed to step S23; if it indicates that the target process has closed, proceed to step S24;
Step S23, adding the /proc/[pid] directory to the monitoring list of the Fanotify monitoring program;
Step S24, removing the /proc/[pid] directory from the monitoring list of the Fanotify monitoring program;
Steps S21 to S24 use the Connector monitoring program to update the monitoring list of the Fanotify monitoring program, which is the basis for the subsequent monitoring by the Fanotify monitoring program. Since the monitoring list is updated dynamically in real time, these updates can be largely independent of the Fanotify monitoring program's subsequent monitoring task.
Step S25, monitoring the directories in the monitoring list with the Fanotify monitoring program;
Step S26, when a file operation event on a directory in the monitoring list is detected, judging whether the visitor is on the whitelist or the blacklist; if on the whitelist, proceed to step S27; if on the blacklist, proceed to step S28;
Step S27, releasing the operation event, i.e. the target process is not hidden from visitors on the whitelist;
and Step S28, blocking the operation event, i.e. the target process is hidden from visitors on the blacklist.
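Added example, not from the patent: a cross-view check a defender can run to spot a process whose /proc directory is being gated as in steps S25 to S28. fanotify permission events gate open() and access on the marked /proc/[pid] directory and its files, and no fanotify event exists for directory enumeration, so the pid normally still appears in a listing of /proc while opening /proc/[pid]/stat is refused with EPERM. The script compares a stat()-based view of each pid with an open()-based view and reports pids that root cannot open, as well as pids that stat() reaches but the listing omits (the kernel-module style of hiding described in the background section). The observations at the bottom are constructed; collect_views() gathers real ones on a Linux host, and all names are this example's own.

```python
"""Cross-view check for /proc entries that cannot be opened (added example).

compare_views() is pure and is exercised with constructed observations;
collect_views() gathers real observations on a live Linux host.
"""
import errno
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Observation:
    pid: int
    listed: bool     # name appeared in os.listdir("/proc")
    stat_ok: bool    # os.stat("/proc/<pid>") succeeded
    open_errno: int  # 0 if /proc/<pid>/stat could be opened and read, else the errno


def observe_pid(pid: int, listed: bool, proc: str = "/proc") -> Observation:
    """Probe one pid two ways: stat() of its directory and open()+read() of its stat file."""
    d = os.path.join(proc, str(pid))
    try:
        os.stat(d)
        stat_ok = True
    except OSError:
        stat_ok = False
    try:
        with open(os.path.join(d, "stat"), "rb") as fh:
            fh.read(1)
        err = 0
    except OSError as e:
        err = e.errno or -1
    return Observation(pid, listed, stat_ok, err)


def collect_views(proc: str = "/proc", pid_max: Optional[int] = None) -> List[Observation]:
    """Live collection: the readdir view of /proc plus a stat() sweep over 1..pid_max."""
    if pid_max is None:
        with open(os.path.join(proc, "sys/kernel/pid_max")) as fh:
            pid_max = int(fh.read())
    listed = {int(n) for n in os.listdir(proc) if n.isdigit()}
    observations = []
    for pid in range(1, pid_max + 1):
        if pid in listed or os.path.isdir(os.path.join(proc, str(pid))):
            observations.append(observe_pid(pid, pid in listed, proc))
    return observations


def compare_views(observations: List[Observation], as_root: bool) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every observation that is inconsistent across the two views."""
    findings = []
    for o in observations:
        if o.stat_ok and not o.listed:
            findings.append((o.pid, "reachable via stat() but missing from the /proc listing"))
        elif o.stat_ok and as_root and o.open_errno in (errno.EPERM, errno.EACCES):
            findings.append((o.pid, "root was denied open() on /proc/<pid>/stat: "
                                    "an access-time block such as a fanotify permission mark"))
        # ENOENT after a successful stat() means the process exited between probes: no finding.
        # Non-root denials are expected under the hidepid= mount option and are not reported.
    return findings


# Constructed observations: pid 4242 is listed but root cannot open its stat file (the pattern
# an access-time block produces); pid 5150 is reachable by stat() yet absent from the listing
# (readdir filtering); pid 777 exited between the two probes and is not a finding.
SAMPLE_OBSERVATIONS = [
    Observation(1, True, True, 0),
    Observation(4242, True, True, errno.EPERM),
    Observation(5150, False, True, 0),
    Observation(777, True, True, errno.ENOENT),
]

if __name__ == "__main__":
    for pid, why in compare_views(collect_views(), as_root=(os.geteuid() == 0)):
        print(pid, why)
```

The sweep to pid_max is what makes the second finding possible; it costs one stat() per candidate pid, which is acceptable for a periodic check but not for a tight loop. Because a denial is indistinguishable from a misconfigured hidepid= mount for unprivileged users, the EPERM rule is only applied when running as root.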
The embodiments of the disclosure also disclose a device 100 for hiding a process in a Linux system, which can be used to implement the method for hiding a process in a Linux system of the embodiments of the disclosure and comprises: a monitoring module 101 configured to establish an information channel between the kernel layer and the application layer by means of a Connector monitoring program, and to obtain process information, including the process code, of a target process; a monitoring module 102 configured to monitor, by means of a Fanotify monitoring program, operation events on the directory corresponding to the process code in the Procfs file system; and an execution module 103 configured to release or block the operation event according to its access right.
In some embodiments of the present disclosure, the process information further includes: and the start-stop event of the target process.
In some embodiments of the present disclosure, the device for hiding a process in a Linux system may further include: and the adding module 104 is configured to add a file directory corresponding to the process code in the Procfs file system to the monitoring list of the Fanotify monitoring program when the start-stop event indicates that the target process is started.
In some embodiments of the present disclosure, the device for hiding a process in a Linux system may further include: and the removing module 105 is configured to remove, when the start-stop event indicates that the target process is closed, a file directory corresponding to the process code in the Procfs file system from the monitoring list of the Fanotify monitoring program.
In some embodiments of the present disclosure, the device for hiding a process in a Linux system may further include: the identifying module 106 is configured to determine whether a current process of the Connector monitor program is a target process that needs to be hidden; if yes, acquiring the process information; if not, neglecting.
In some embodiments of the present disclosure, the execution module is configured to determine, according to preconfiguration information, whether a visitor and/or an event type in the operation event has access rights; if yes, releasing the operation event; if not, blocking the operation event.
An electronic device according to an embodiment of the present disclosure includes a memory and a processor. The memory is for storing non-transitory computer readable instructions. In particular, the memory may include one or more computer program products, which may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, Random Access Memory (RAM) and/or cache memory (cache), and the like. The non-volatile memory may include, for example, Read Only Memory (ROM), hard disk, flash memory, and the like.
The processor may be a Central Processing Unit (CPU) or other form of processing unit having data processing and/or instruction execution capabilities, and may control other components in the electronic device to perform the desired functions. In one embodiment of the present disclosure, the processor is configured to execute the computer readable instructions stored in the memory, so that the electronic device performs all or part of the steps of a method for hiding a process in a Linux system according to each embodiment of the present disclosure.
It should be understood by those skilled in the art that, in order to solve the technical problem of how to obtain a good user experience effect, the present embodiment may also include well-known structures such as a communication bus, an interface, and the like, and these well-known structures are also included in the protection scope of the present disclosure.
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the disclosure. A schematic diagram of an electronic device suitable for use in implementing embodiments of the present disclosure is shown. The electronic device shown in fig. 4 is merely an example and should not be construed to limit the functionality and scope of use of the disclosed embodiments.
As shown in fig. 4, the electronic device may include a processor (e.g., a central processing unit, a graphic processor, etc.) that may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) or a program loaded from a storage device into a Random Access Memory (RAM). In the RAM, various programs and data required for the operation of the electronic device are also stored. The processor, ROM and RAM are connected to each other by a bus. An input/output (I/O) interface is also connected to the bus.
In general, the following devices may be connected to the I/O interface: input means including, for example, sensors or visual information gathering devices; output devices including, for example, display screens and the like; storage devices including, for example, magnetic tape, hard disk, etc.; a communication device. The communication means may allow the electronic device to communicate wirelessly or by wire with other devices, such as edge computing devices, to exchange data. While fig. 4 shows an electronic device having various means, it is to be understood that not all of the illustrated means are required to be implemented or provided. More or fewer devices may be implemented or provided instead.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a non-transitory computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via a communication device, or installed from a storage device, or installed from ROM. All or part of the steps of a method for hiding a process in a Linux system of an embodiment of the present disclosure are performed when the computer program is executed by a processor.
The detailed description of the present embodiment may refer to the corresponding description in the foregoing embodiments, and will not be repeated herein.
A computer-readable storage medium according to an embodiment of the present disclosure has stored thereon non-transitory computer-readable instructions. When executed by a processor, perform all or part of the steps of a method of hiding a process in a Linux system of embodiments of the present disclosure described above.
The computer-readable storage medium described above includes, but is not limited to: optical storage media (e.g., CD-ROM and DVD), magneto-optical storage media (e.g., MO), magnetic storage media (e.g., magnetic tape or removable hard disk), media with built-in rewritable non-volatile memory (e.g., memory card), and media with built-in ROM (e.g., ROM cartridge).
The detailed description of the present embodiment may refer to the corresponding description in the foregoing embodiments, and will not be repeated herein.
The basic principles of the present disclosure have been described above in connection with specific embodiments, but it should be noted that the advantages, benefits, effects, etc. mentioned in the present disclosure are merely examples and not limiting, and these advantages, benefits, effects, etc. are not to be considered as necessarily possessed by the various embodiments of the present disclosure. Furthermore, the specific details disclosed herein are for purposes of illustration and understanding only, and are not intended to be limiting, since the disclosure is not necessarily limited to practice with the specific details described.
In this disclosure, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions, and the block diagrams of devices, apparatuses, and systems involved in this disclosure are merely illustrative examples and are not intended to require or imply that connections, arrangements, and configurations must be made in the manner shown in the block diagrams. As will be appreciated by one of skill in the art, the devices, apparatuses, and systems may be connected, arranged, and configured in any manner. Words such as "including," "comprising," "having," and the like are words of openness and mean "including but not limited to," and are used interchangeably therewith. The terms "or" and "and" as used herein refer to, and are used interchangeably with, the term "and/or" unless the context clearly indicates otherwise. The term "such as" as used herein refers to, and is used interchangeably with, the phrase "such as, but not limited to."
In addition, as used herein, the use of "or" in the recitation of items beginning with "at least one" indicates a separate recitation, such that recitation of "at least one of A, B or C" means A or B or C, or AB or AC or BC, or ABC (i.e., A and B and C), for example. Furthermore, the term "exemplary" does not mean that the described example is preferred or better than other examples.
It is also noted that in the systems and methods of the present disclosure, components or steps may be disassembled and/or assembled. Such decomposition and/or recombination should be considered equivalent to the present disclosure.
Various changes, substitutions, and alterations are possible to the techniques described herein without departing from the teachings of the techniques defined by the appended claims. Furthermore, the scope of the claims of the present disclosure is not limited to the particular aspects of the process, machine, manufacture, composition of matter, means, methods and acts described above. The processes, machines, manufacture, compositions of matter, means, methods, or acts, presently existing or later to be developed that perform substantially the same function or achieve substantially the same result as the corresponding aspects described herein may be utilized. Accordingly, the appended claims are intended to include within their scope such processes, machines, manufacture, compositions of matter, means, methods, or acts.
The previous description of the disclosed aspects is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the disclosure. Thus, the present disclosure is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing description has been presented for purposes of illustration and description. Furthermore, this description is not intended to limit the embodiments of the disclosure to the form disclosed herein. Although a number of example aspects and embodiments have been discussed above, a person of ordinary skill in the art will recognize certain variations, modifications, alterations, additions, and subcombinations thereof.
Claims (10)
1. A method for hiding a process in a Linux system, comprising:
establishing an information channel between a kernel layer and an application layer according to a Connector monitoring program, and acquiring process information containing a process code of a target process;
monitoring operation events of a file directory corresponding to the process code in the Procfs file system by utilizing a Fanotify monitoring program;
and releasing or blocking the operation event according to the access authority of the operation event.
2. The method for hiding a process in a Linux system according to claim 1, wherein the process information further includes: a start-stop event of the target process;
and when the start-stop event indicates that the target process is started, adding a file directory corresponding to the process code in the Procfs file system to a monitoring list of the Fanotify monitoring program.
3. The method of claim 2, wherein when the start-stop event indicates that the target process is closed, the file directory corresponding to the process code in the Procfs file system is removed from the monitoring list of the Fanotify monitoring program.
4. The method for hiding a process in a Linux system according to claim 1, further comprising, before acquiring the process information:
judging whether the current process of the Connector monitoring program is a target process that needs to be hidden;
if so, acquiring the process information; if not, ignoring it.
5. The method for hiding a process in a Linux system according to claim 1, wherein said releasing or blocking said operation event according to an access right of said operation event comprises:
judging, according to the pre-configuration information, whether the visitor and/or the event type in the operation event has access rights;
if so, releasing the operation event; if not, blocking the operation event.
6. A device for hiding a process in a Linux system, comprising:
the monitoring module is used for establishing an information channel between the kernel layer and the application layer according to a Connector monitoring program and acquiring process information containing a process code of a target process;
the monitoring module is used for monitoring operation events of a file directory corresponding to the process code in the Procfs file system by utilizing a Fanotify monitoring program;
and the execution module is used for releasing or blocking the operation event according to the access authority of the operation event.
7. The device for hiding a process in a Linux system according to claim 6, wherein said process information further comprises: a start-stop event of the target process;
the device for hiding the process in the Linux system further comprises:
and the adding module is used for adding the file directory corresponding to the process code in the Procfs file system into the monitoring list of the Fanotify monitoring program when the start-stop event indicates that the target process is started.
8. The device for hiding a process in a Linux system of claim 7, further comprising:
the removing module, which is used for removing the file directory corresponding to the process code in the Procfs file system from the monitoring list of the Fanotify monitoring program when the start-stop event indicates that the target process is closed.
9. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method for hiding a process in a Linux system according to any one of claims 1-5.
10. A computer readable storage medium storing computer instructions for causing a computer to perform the method for hiding a process in a Linux system according to any one of claims 1-5.
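The three-step flow of claims 1 to 5 (start-stop events from the Connector monitoring program, a Fanotify monitoring list keyed by the /proc/<pid> directory, and the release/block decision against the preconfiguration information), as an added Python model that is not the patent's own code: the netlink and fanotify system calls are replaced by plain function calls so the policy logic can be run and checked offline, and the `Policy` fields and the `exe` argument are assumptions about how a target process is identified.

```python
"""Added model of the patent's process-hiding flow (not the patent's own code).

The netlink process connector and the fanotify permission-event loop are
replaced by plain function calls so the logic of claims 2, 3 and 5 can be
exercised offline. Policy fields and the `exe` argument are assumptions.
"""
from dataclasses import dataclass, field

# Constants mirror the values in linux/cn_proc.h and linux/fanotify.h.
PROC_EVENT_EXEC = 0x00000002   # start-stop event: target process started
PROC_EVENT_EXIT = 0x80000000   # start-stop event: target process closed
FAN_ACCESS, FAN_MODIFY, FAN_OPEN = 0x01, 0x02, 0x20   # operation event types
FAN_ALLOW, FAN_DENY = 0x01, 0x02                      # permission-event responses


@dataclass
class Policy:
    """Preconfiguration information (assumed layout)."""
    hidden_exes: set      # executables whose processes are targets to hide
    trusted_uids: set     # visitors released regardless of event type
    allowed_mask: int     # event types released for every other visitor


@dataclass
class Hider:
    policy: Policy
    # /proc/<pid> directories currently in the Fanotify monitoring list
    monitoring_list: set = field(default_factory=set)

    def on_connector_event(self, what: int, pid: int, exe: str) -> bool:
        """Identifying/adding/removing modules. `exe` is the path the caller
        resolved for the pid (hypothetical); returns True if the list changed."""
        if exe not in self.policy.hidden_exes:
            return False                        # not a target process: ignore
        path = f"/proc/{pid}"
        if what == PROC_EVENT_EXEC:
            self.monitoring_list.add(path)      # claim 2: add on start
        elif what == PROC_EVENT_EXIT:
            self.monitoring_list.discard(path)  # claim 3: remove on close
        else:
            return False
        return True

    def on_operation_event(self, path: str, visitor_uid: int, mask: int) -> int:
        """Execution module (claim 5): release or block an access to /proc/<pid>."""
        if path not in self.monitoring_list:
            return FAN_ALLOW                    # not a hidden entry, nothing to decide
        if visitor_uid in self.policy.trusted_uids:
            return FAN_ALLOW                    # visitor has access rights
        if mask & ~self.policy.allowed_mask:
            return FAN_DENY                     # a requested event type is not permitted
        return FAN_ALLOW
```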
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311821873.4A CN117891682A (en) | 2023-12-27 | 2023-12-27 | Method and device for hiding process of Linux system, electronic equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117891682A true CN117891682A (en) | 2024-04-16 |
Family
ID=90643768
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311821873.4A Pending CN117891682A (en) | 2023-12-27 | 2023-12-27 | Method and device for hiding process of Linux system, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117891682A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118364495A (en) * | 2024-06-19 | 2024-07-19 | 北京辰信领创信息技术有限公司 | Real-time access control method and computer device based on Linux application layer |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107463369B (en) | Access device control method and device for virtual desktop | |
US20200250302A1 (en) | Security control method and computer system | |
KR101928127B1 (en) | Selective file access for applications | |
CN102667794B (en) | The method and system of unauthorized update is avoided for the protection of operating system | |
CN117891682A (en) | Method and device for hiding process of Linux system, electronic equipment and storage medium | |
US11762987B2 (en) | Systems and methods for hardening security systems using data randomization | |
DE112011105687T5 (en) | Using Option ROM Memory | |
US20200026859A1 (en) | Methods and systems for system call reduction | |
KR20220083838A (en) | Method and apparatus for creating a mirror image file, and a computer-readable storage medium | |
CN108763951A (en) | A kind of guard method of data and device | |
CN103077345A (en) | Software authorization method and system based on virtual machine | |
CN115374481B (en) | Data desensitization processing method and device, storage medium and electronic equipment | |
CN102043662A (en) | Data modification method for multiple operation systems | |
CN107908957B (en) | Safe operation management method and system of intelligent terminal | |
CN114595462A (en) | Data processing method and device | |
CN115186269A (en) | Vulnerability mining method and device, storage medium and electronic equipment | |
CN110750805B (en) | Application program access control method and device, electronic equipment and readable storage medium | |
CN114253579A (en) | Software updating method, device and medium based on white list mechanism | |
CN113779562A (en) | Zero trust based computer virus protection method, device, equipment and medium | |
CN111353150B (en) | Trusted boot method, trusted boot device, electronic equipment and readable storage medium | |
CN115964725A (en) | Data protection method and device | |
CN115688092A (en) | Terminal weak control method and device, electronic equipment and storage medium | |
CN114861160A (en) | Method, device, equipment and storage medium for improving non-administrator account authority | |
CN114547632B (en) | Information protection method, device, equipment and storage medium | |
CN115391783A (en) | Method and equipment for remotely starting computer by client and cloud desktop client |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||