LD_PRELOAD rootkit-style demo that intercepts readdir() to hide the current process from /proc directory listings. When preloaded, the library hides its own process ID from being visible in /proc when enumerating that directory.
- Hooks
readdir()viadlsym(RTLD_NEXT, "readdir"). - For each directory read, resolves the symlink
/proc/self/fd/{fd}to determine if we're reading/proc. - Gets the current process ID via
getpid(). - Skips entries that match the current process ID when scanning
/proc, making the process invisible in/proclistings. - Passes through all other entries unmodified.
cmake -S . -B build
cmake --build buildProduces build/libghost.so.
Preload the library into any program that enumerates /proc:
LD_PRELOAD=./libghost.so ls /procThe calling process will be hidden from the listing. Run from the build/ directory for relative path resolution.
- Only hides the process that has the library preloaded; other processes remain visible.
- Only affects
/procdirectory listings; other directories pass through normally. - Uses
_GNU_SOURCEforRTLD_NEXTand related functions; requires glibc. - Intended for educational/demonstration purposes only.