Linux: Hiding the process name from the process list

📄 Wiki page | 🕑 Last updated: Apr 6, 2024


exec -a sleep /tmp/evil_cmd 60

How does it work?

Let's say we have some kind of /tmp/evil_cmd script which we want to hide from the process list. For the sake of convenience, let's just copy the sleep binary:

cp /usr/bin/sleep /tmp/evil_cmd

If we run /tmp/evil_cmd directly and look for it in the process list:

/tmp/evil_cmd 60 &
ps aux | grep evil_cmd

We should get something like this:

n        1369108  0.0  0.0   5464  1664 pts/2    S    23:26   0:00 /tmp/evil_cmd 60

The important thing to understand is that /tmp/evil_cmd here is the zeroth argument (argv[0]) that the shell passes to the program, and by default the shell sets it to the command name as typed; ps simply reads it back from /proc/<pid>/cmdline.

Normally this default is exactly what you want, but it is only a convention: exec -a NAME (an option of the bash builtin exec; zsh has the same flag) lets us pick argv[0] ourselves, i.e.:

exec -a sleep /tmp/evil_cmd 60 &
ps aux | grep evil_cmd

Now we won't find evil_cmd in the process list anymore, just an innocent-looking sleep 60:

n        1369769  0.0  0.0   5464  1664 pts/2    S    23:27   0:00 sleep 60

Note: exec -a only changes the zeroth argument; the remaining arguments (60 above) are still visible in the process list. If some of them are sensitive, they have to be baked into the executable itself rather than passed on the command line. Also keep in mind that the trick only fools tools that read argv from /proc/<pid>/cmdline, such as ps aux: /proc/<pid>/exe still points at the real binary, and /proc/<pid>/comm (what ps -o comm and ps -e print) is set by the kernel from the file name passed to execve, so both still say evil_cmd.
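The page only shows the ps view. As an added example (not code from the original page), the script below reproduces the trick on a copy of sleep and then reads the same PID back through /proc, which is where a defender would look: /proc/<pid>/comm and /proc/<pid>/exe are filled in by execve from the real file and are untouched by exec -a. It assumes Linux with /proc, bash (exec -a is a bash builtin) and a standalone coreutils sleep binary; the helper names (proc_argv0, proc_comm, proc_exe, wait_for_exec, verdict_for_pid, demo_spoof) are my own and not part of any tool.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page. Reproduces the page's
# exec -a trick on a copy of sleep, then reads the same PID back through
# /proc to show what the CMD column of ps aux hides. Assumes Linux with
# /proc, bash (exec -a is a bash builtin) and a standalone coreutils sleep
# (a busybox applet would refuse to run under the name evil_cmd).
[ -n "$BASH_VERSION" ] || exec bash "$0" "$@"

# argv[0] exactly as ps shows it: first NUL-terminated field of cmdline.
proc_argv0() { tr '\0' '\n' < "/proc/$1/cmdline" | head -n 1; }
# Kernel-side name: basename of the path given to execve, cut to 15 chars.
# It is what `ps -o comm` and `ps -e` print, and exec -a cannot change it.
proc_comm() { cat "/proc/$1/comm"; }
# Resolved path of the executable actually mapped into the process.
proc_exe() { readlink "/proc/$1/exe"; }

# Wait until a backgrounded child has exec'd into the real binary. Until
# that moment /proc/<pid> still describes the forked shell, so inspecting
# it right after `&` would race with execve.
wait_for_exec() {
    local pid="$1" expect_comm="$2" i
    for i in $(seq 1 50); do
        if [ "$(cat "/proc/$pid/comm" 2>/dev/null)" = "$expect_comm" ] &&
           [ -n "$(proc_argv0 "$pid" 2>/dev/null)" ]; then
            return 0
        fi
        sleep 0.1
    done
    return 1
}

# "spoofed" when the basename of argv[0] disagrees with the basename of
# the mapped executable. Caveat: login shells ("-bash") and some daemons
# rewrite argv[0] on purpose, so a hit is a lead to inspect, not a verdict.
verdict_for_pid() {
    local pid="$1" argv0 exe
    argv0=$(proc_argv0 "$pid")
    exe=$(proc_exe "$pid")
    if [ "${argv0##*/}" = "${exe##*/}" ]; then echo ok; else echo spoofed; fi
}

# One line per process with the fields ps aux does not show.
report() {
    printf '%-8s argv0=%-24s comm=%-10s exe=%s -> %s\n' "$1" \
        "$(proc_argv0 "$2")" "$(proc_comm "$2")" "$(proc_exe "$2")" \
        "$(verdict_for_pid "$2")"
}

# Run the page's demonstration end to end. Results land in the globals
# HONEST_VERDICT / SPOOFED_VERDICT / SPOOFED_ARGV0 / SPOOFED_COMM.
demo_spoof() {
    local tmp real_bin honest spoofed rc
    tmp=$(mktemp -d) || return 1
    real_bin="$tmp/evil_cmd"
    cp "$(command -v sleep)" "$real_bin" || return 1

    "$real_bin" 60 &                    # honest launch: argv[0] is the path
    honest=$!
    exec -a sleep "$real_bin" 60 &      # the page's trick: argv[0] = "sleep"
    spoofed=$!

    if wait_for_exec "$honest" evil_cmd && wait_for_exec "$spoofed" evil_cmd; then
        report honest  "$honest"
        report spoofed "$spoofed"
        HONEST_VERDICT=$(verdict_for_pid "$honest")
        SPOOFED_VERDICT=$(verdict_for_pid "$spoofed")
        SPOOFED_ARGV0=$(proc_argv0 "$spoofed")
        SPOOFED_COMM=$(proc_comm "$spoofed")
        rc=0
    else
        rc=1
    fi
    kill "$honest" "$spoofed" 2>/dev/null || true
    wait "$honest" "$spoofed" 2>/dev/null || true
    rm -rf "$tmp"
    return "$rc"
}

demo_spoof
```

Run it with bash and compare with ps -o pid,comm,args -p <pid> while the processes are alive: the args column carries the spoofed sleep 60, while comm still reads evil_cmd. A hunt query that joins cmdline against comm or exe across all of /proc therefore catches this trick, which a plain ps aux | grep never will.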
