Download:
curl -fL -o zapper https://github.com/hackerschoice/zapper/releases/latest/download/zapper-linux-$(uname -m) && \
chmod 755 zapper && \
./zapper -h
Example: Show only 'nmap', but without the command options:
./zapper nmap -sCV -F -Pn scanme.nmap.org
^^^^^^^^^^^^^^^^^^^^^^^^^^^
will not show
Example: Replace the current shell with a hidden tmux/shell. Hide all sub processes (-f
), take on the name of some kernel process (-a
) and hide all command line options:
exec ./zapper -f -a'[kworker/1:2-cgroup_destroy]' tmux
showing 6 hidden processes: tmux, bash, nmap, sleep, ps, grep
- Does not require root
- Works also on static binaries (e.g. GoLang binaries)
- Zaps the environment (/proc/<PID>/environ) as well
- Does not rely on LD_PRELOAD= or libc.
- Uses ptrace() to manipulate the Elf Auxiliary Table
- Only 00.1% overhead.
- Stops the admin from seeing or spying on your processes.
- Starts a process under any process id (
-n <pid>
)
Compile:
git clone https://github.com/hackerschoice/zapper.git
cd zapper
make
How it works:
- It uses ptrace() to manipulates the stack's Elf-Aux-Table.
- Zapper intercepts when the Kernel passes the command-options to the program (during SYS_execve()): It moves the orignal command-options to a new memory location and then destroyes the old memory location. From the perspective of the Kernel (and procps), the command-options cease to exist. Finally, zapper fixes the pointers in the progam's Aux-Table and hands execution back to the program (PTRACE_CONTINUE). Thereafter, the program is tracked for any further calls to fork() or execve() [to do the same all over again].
- Almost zero performance impact by using some neat ptrace-features: Tracing only execve() and fork() events (but not any other syscall).
- The
-n <pid>
trick (to start a program under any pid) is a gimmick: Linux assigns a new pid to every new thread in sequential order, up until the largest possible pid of 4,194,304 (2^22). Thereafter, it starts again at pid 300 (or 1, depending on the environment). Zapper iterates over all 2^22 possible pids (within a few seconds) until the target pid-1 is encountered: Zapper forks 8+ processes, each callingclone((int (*)(void *))exit, ..)
. Directly jumping intoexit()
and settingCLONE_VM
is the fastest way to iterate through all available PIDs.