A deep dive into a Linux process hiding technique using bind mounts to overlay /proc directories, making processes invisible to standard tools like ps. The article demonstrates the technique using a Sliver C2 beacon, explains how it exploits the /proc filesystem that tools rely on, and identifies forensic artifacts for detection including suspicious mount points in /proc/mounts, unusual directory permissions, and orphaned network connections in netstat. Includes strace analysis showing how ps reads from /proc/[pid]/stat, /proc/[pid]/status, and /proc/[pid]/cmdline to generate output.
Table of contents
Introduction
Setting the stage
Forensics
netstat
Digging deeper
Back again
strace (ps deep-dive)
Conclusion
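One of the detection artifacts the summary names is a mount whose target sits on a /proc/[pid] directory. The following added example (not code from the article) parses /proc/mounts-style lines and flags such overlays; the mount lines are constructed sample data, and the PIDs in them are placeholders.

```python
import re
from typing import List, Dict

# Constructed sample of /proc/mounts content. The last two lines mimic a bind
# or tmpfs mount placed over a single /proc/[pid] directory, which is what
# makes that process vanish from ps and friends. PIDs are made up.
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /proc/1337 ext4 rw,relatime 0 0
tmpfs /proc/4242 tmpfs rw,nosuid,nodev 0 0
"""

# A legitimate proc mount lives at /proc itself; a numeric component right
# below it means something was mounted over a process directory.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(/|$)")


def parse_mounts(text: str) -> List[Dict[str, str]]:
    """Parse /proc/mounts lines into dicts of source, target, fstype, options."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; real /proc/mounts has six fields
        # The kernel escapes spaces in mount points as \040; decode them so
        # path matching sees the real path.
        target = fields[1].replace("\\040", " ")
        entries.append({"source": fields[0], "target": target,
                        "fstype": fields[2], "options": fields[3]})
    return entries


def find_proc_overlays(text: str) -> List[Dict[str, str]]:
    """Return every mount whose target is /proc/[pid] or a path beneath it."""
    hits = []
    for entry in parse_mounts(text):
        match = PROC_PID_RE.match(entry["target"])
        if match:
            hits.append({**entry, "hidden_pid": match.group(1)})
    return hits


if __name__ == "__main__":
    # On a live host, read the real table: open("/proc/mounts").read()
    for hit in find_proc_overlays(SAMPLE_MOUNTS):
        print(f"pid {hit['hidden_pid']} is overlaid by a {hit['fstype']} "
              f"mount at {hit['target']} (source {hit['source']})")
```

Each flagged PID is a candidate to cross-check against the orphaned connections the article finds in netstat, since the socket owner will not appear in ps while the overlay is in place.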