  • Stars: 166
  • Rank: 227,748 (Top 5 %)
  • Language: C
  • Created: about 1 year ago
  • Updated: 7 months ago


Repository Details

Zaps arguments and environment from the process list

Privacy for your command line options

A Linux tool to hide from "ps"

Download:

curl -fL -o zapper https://github.com/hackerschoice/zapper/releases/latest/download/zapper-linux-$(uname -m) && \
chmod 755 zapper && \
./zapper -h

Example: Show only 'nmap', but without the command options:

./zapper nmap -sCV -F -Pn scanme.nmap.org
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^
                     will not show

Example: Replace the current shell with a hidden tmux/shell. Hide all subprocesses (-f), take on the name of some kernel process (-a) and hide all command line options:

exec ./zapper -f -a'[kworker/1:2-cgroup_destroy]' tmux

[Screenshot, 2023-10-04: showing 6 hidden processes: tmux, bash, nmap, sleep, ps, grep]

  1. Does not require root
  2. Also works on static binaries (e.g. GoLang binaries)
  3. Zaps the environment (/proc/<PID>/environ) as well
  4. Does not rely on LD_PRELOAD= or libc.
  5. Uses ptrace() to manipulate the ELF auxiliary table
  6. Only 00.1% overhead.
  7. Stops the admin from seeing or spying on your processes.
  8. Starts a process under any process id (-n <pid>)

Compile:

git clone https://github.com/hackerschoice/zapper.git
cd zapper
make


How it works:

  • It uses ptrace() to manipulate the stack's ELF auxiliary table.
  • Zapper intercepts the moment the kernel passes the command options to the program (during SYS_execve()): it moves the original command options to a new memory location and then destroys the old memory location. From the perspective of the kernel (and procps), the command options cease to exist. Finally, zapper fixes the pointers in the program's aux table and hands execution back to the program (PTRACE_CONT). Thereafter, the program is tracked for any further calls to fork() or execve() [to do the same all over again].
  • Almost zero performance impact thanks to some neat ptrace features: only execve() and fork() events are traced (no other syscall).
  • The -n <pid> trick (to start a program under any pid) is a gimmick: Linux assigns a new pid to every new thread in sequential order, up to the largest possible pid of 4,194,304 (2^22). Thereafter, it starts again at pid 300 (or 1, depending on the environment). Zapper iterates over all 2^22 possible pids (within a few seconds) until pid (target - 1) is encountered, so that the next pid handed out is the target: zapper forks 8+ processes, each calling clone((int (*)(void *))exit, ..). Directly jumping into exit() and setting CLONE_VM is the fastest way to iterate through all available PIDs.
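The mechanism above also tells a defender what a zapped process looks like from the kernel's side: /proc/<pid>/cmdline and /proc/<pid>/environ are empty or reduced to a bare name, the name may imitate a kernel thread ("[kworker/...]") although the task is not one, and the ptrace tracer stays attached, which shows up as a non-zero TracerPid in /proc/<pid>/status. The POSIX shell script below is an added example for host inspection; it is not part of zapper or this repository, and the names classify_proc, scan_proc and the heuristics they encode are this example's own. It relies on one kernel fact: PF_KTHREAD is task-flag bit 0x00200000 (2097152 decimal), reported in field 9 of /proc/<pid>/stat, which distinguishes real kernel threads from user processes that merely look like them.

```shell
#!/bin/sh
# Added example (not zapper's code): sweep /proc for the traces a zapped
# process leaves. classify_proc() works on already-read values so it can be
# exercised with constructed input; scan_proc() feeds it from the live /proc.
# Heuristics:
#   - user process (PF_KTHREAD clear) with an empty cmdline or environ
#   - user process whose argv[0] imitates a kernel thread, e.g. "[kworker/...]"
#   - a tracer still attached (TracerPid != 0 in /proc/<pid>/status)
# PF_KTHREAD = 0x00200000, field 9 of /proc/<pid>/stat (decimal there).
PF_KTHREAD=2097152

# classify_proc NAME FLAGS TRACERPID CMDLINE_BYTES ENVIRON_BYTES
# ENVIRON_BYTES is -1 when /proc/<pid>/environ could not be read.
# Prints "kthread", "ok", or a comma-separated list of findings.
classify_proc() {
    name=$1; flags=$2; tracer=$3; cmdlen=$4; envlen=$5
    findings=""
    if [ $(( flags & PF_KTHREAD )) -ne 0 ]; then
        echo kthread          # genuine kernel thread: empty cmdline is normal
        return 0
    fi
    [ "$cmdlen" -eq 0 ] && findings="${findings}empty-cmdline,"
    case $name in
        \[*\]) findings="${findings}fake-kthread-name," ;;
    esac
    [ "$envlen" -eq 0 ] && findings="${findings}empty-environ,"
    [ "$tracer" -ne 0 ] && findings="${findings}traced-by-$tracer,"
    if [ -z "$findings" ]; then echo ok; else echo "${findings%,}"; fi
}

# Walk /proc and print "pid<TAB>name<TAB>findings" for anything suspicious.
# Run as root so environ is readable for every process.
scan_proc() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        stat=$(cat "$d/stat" 2>/dev/null) || continue
        rest=${stat##*) }        # drop "pid (comm) " so spaces in comm cannot shift fields
        set -- $rest             # $1=state $2=ppid $3=pgrp $4=session $5=tty $6=tpgid $7=flags
        [ "$1" = Z ] && continue # zombies legitimately have no cmdline
        flags=$7
        tracer=$(awk '/^TracerPid:/ {print $2}' "$d/status" 2>/dev/null)
        cmdlen=$(wc -c 2>/dev/null < "$d/cmdline") || cmdlen=0
        envlen=$(wc -c 2>/dev/null < "$d/environ") || envlen=-1
        name=$(tr '\0' '\n' 2>/dev/null < "$d/cmdline" | head -n 1)
        [ -z "$name" ] && name=$(cat "$d/comm" 2>/dev/null)
        verdict=$(classify_proc "$name" "$flags" "${tracer:-0}" \
                  $(( ${cmdlen:-0} + 0 )) $(( ${envlen:--1} + 0 )))
        case $verdict in
            ok|kthread) ;;
            *) printf '%s\t%s\t%s\n' "$pid" "$name" "$verdict" ;;
        esac
    done
}
```

Usage: save as zapcheck.sh and run `sudo sh -c '. ./zapcheck.sh; scan_proc'`. Expect some benign hits: programs that rewrite their own argv (setproctitle-style daemons), processes under a legitimate debugger, or services started with a deliberately empty environment. The combination that the README describes (a bracketed kernel-thread name on a task without PF_KTHREAD, plus an attached tracer) is the one worth escalating; a single finding on its own is only a prompt to look closer at the parent chain and /proc/<pid>/exe.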

More Repositories

  1. thc-tips-tricks-hacks-cheat-sheet (Shell, 3,129 stars): Various tips & tricks
  2. gsocket (C, 1,504 stars): Connect like there is no firewall. Securely.
  3. THC-Archive (HTML, 685 stars): All releases of the security research group (a.k.a. hackers) The Hacker's Choice
  4. thc-tesla-powerwall2-hack (457 stars): TESLA PowerWall 2 Security Shenanigans
  5. segfault (Shell, 356 stars)
  6. ssh-key-backdoor (Shell, 328 stars)
  7. hackshell (Shell, 187 stars): Make BASH stealthy and hacker friendly with lots of bash functions
  8. bpfhacks (171 stars): eBPF hacks
  9. CVE-2021-26855 (Python, 61 stars): PoC of proxylogon chain SSRF (CVE-2021-26855) to write file by testanull, censored by github
  10. ttyinject (C, 61 stars): Get root via TTY / TIOCSTI stuffing
  11. thc-btc-rng-bruteforce (C, 49 stars)
  12. memexec (Assembly, 47 stars): Circumventing "noexec" mount flag to execute arbitrary linux binaries by ptrace-less process injection
  13. ssh-it (C, 41 stars): Self replicating and automatically spreading SSH worm that recovers login credentials
  14. erfs (Shell, 37 stars)
  15. thc-arpmitm (C, 27 stars): ARP Man-in-the-Middle tool
  16. thc-rut (Objective-C, 26 stars): THC "R U There" network discovery tool
  17. gsocket-relay (C, 24 stars): Global Socket Server
  18. gs-transfer (C, 24 stars): Secure File Transfer via Global Socket Bounce Network
  19. dsniff (C, 24 stars)
  20. docker-thc-hacker (Shell, 14 stars): Docker environment for hackers
  21. iran-ssh-proxy (Shell, 13 stars): Docker Server Side for the Iran Proxy
  22. binary (13 stars): Binary and Static Releases
  23. hackerschoice.github.io (13 stars): The Hacker's Choice
  24. kb (11 stars): The Hacker's Choice Knowledge Base & Articles
  25. cryptostorm (Shell, 7 stars): CryptoStorm.is WireGuard docker container
  26. docker-erfs-server (Shell, 7 stars)
  27. thc-art (6 stars): Artistic work by THC
  28. gsocket.io (5 stars): Web pages for gsocket.io
  29. mail (Perl, 3 stars): A Free Mail Forwarding Service
  30. dnsgw (Go, 3 stars)
  31. thc-freezer-monitor (Python, 1 star): Raspberry Pi + MQTT + ThingSpeak + IFTTT