Hiding in plain sight: Modifying process names in Unix-like systems (doubleagent.net)
34 points by jay-barronville on July 28, 2024 | hide | past | favorite | 7 comments


> it is actually possible for a running process to change the symbolic link to exe

> requires munmap'ing pages of memory marked as executable and then invoking specific system calls in order to bypass some protections

> will describe how with sample code in a subsequent post on this site

I'm really curious now. Does anyone here know anything about this?


I assume he's talking about:

    prctl(PR_SET_MM, PR_SET_MM_EXE_FILE, fd, 0, 0)
Regarding the munmapping stuff, if you read the code for "replace_mm_exe_file" in the kernel source code, it should make sense.


Thanks for the pointers!!

https://www.man7.org/linux/man-pages/man2/PR_SET_MM_EXE_FILE...

https://github.com/torvalds/linux/blob/master/kernel/fork.c#...

  /* Forbid mm->exe_file change if old file still mapped. */
I suppose before doing this the process must copy its own process image to another location and jump there. Otherwise it will end up crashing due to segmentation violation when the next instructions are fetched by the processor since the code is no longer in memory.

Linux passes the process a pointer to the program header table via the auxiliary vector. Given that pointer it's possible to reach every page in the process's memory image, and likely also the ELF header itself. I suppose it's just a matter of mapping in new pages, copying all the data over and unmapping the original ones.

Maybe Linux should keep a copy of the process's initial state and expose that in procfs as well.
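As an added illustration of the two points raised in this comment (not code from the article or from anyone in the thread), the program below does the check a practitioner would run before attempting the swap: it counts how many VMAs in /proc/self/maps are backed by the file /proc/self/exe points to (the mappings the kernel's "old file still mapped" check rejects), then attempts prctl(PR_SET_MM, PR_SET_MM_EXE_FILE, fd, 0, 0) against a target file and reports the errno. It does not relocate the code and unmap the original image, so on a normally running process it is expected to fail; the value is in seeing which refusal you get. The target path "/bin/true" is an arbitrary choice; the PR_SET_MM constant values are those from <linux/prctl.h>.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Older headers may lack these; the values are from <linux/prctl.h>. */
#ifndef PR_SET_MM
#define PR_SET_MM 35
#endif
#ifndef PR_SET_MM_EXE_FILE
#define PR_SET_MM_EXE_FILE 13
#endif

/* Count the VMAs in /proc/self/maps backed by the file that /proc/self/exe
   currently resolves to. While this is non-zero, replace_mm_exe_file() in
   the kernel refuses the swap with EBUSY ("Forbid mm->exe_file change if
   old file still mapped"). Returns -1 if /proc is unavailable. */
int count_exe_mappings(void)
{
    char exe[PATH_MAX];
    ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
    if (n < 0) return -1;
    exe[n] = '\0';   /* may end in " (deleted)"; maps shows the same suffix */

    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps) return -1;

    int count = 0;
    char line[PATH_MAX + 128];
    while (fgets(line, sizeof line, maps)) {
        /* maps line: start-end perms offset dev inode [pathname] */
        char *path = strchr(line, '/');  /* first '/' begins the pathname */
        if (!path) continue;
        path[strcspn(path, "\n")] = '\0';
        if (strcmp(path, exe) == 0) count++;
    }
    fclose(maps);
    return count;
}

/* Try to point /proc/self/exe at `path`. Returns 0 on success, otherwise
   the errno that explains the refusal:
     EPERM  - caller lacks CAP_SYS_RESOURCE (checked before anything else)
     EBUSY  - the old executable is still mapped (see count_exe_mappings)
     EACCES - target is not a regular file or is not executable
     EINVAL - old kernel built without CONFIG_CHECKPOINT_RESTORE */
int try_set_exe_file(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return errno;
    int rc = prctl(PR_SET_MM, PR_SET_MM_EXE_FILE, (unsigned long)fd, 0, 0);
    int err = rc == 0 ? 0 : errno;
    close(fd);
    return err;
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "/bin/true";  /* arbitrary target */
    printf("VMAs still backed by our executable: %d\n", count_exe_mappings());
    int err = try_set_exe_file(target);
    if (err == 0)
        printf("exe_file replaced; check: readlink /proc/%d/exe\n", getpid());
    else
        printf("PR_SET_MM_EXE_FILE refused: %s\n", strerror(err));
    return 0;
}
```

Run it unprivileged and you get EPERM; run it with CAP_SYS_RESOURCE and you get EBUSY, because the text segment and the rest of the ELF image are still file-backed mappings of the original binary. Only after every such VMA has been unmapped (which means the code doing the unmapping must already be running from an anonymous mapping) does the call proceed to replace the link.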


Perhaps one simple way would be moving its own executable and putting a different executable in its path. The idea is that under Linux you can change things in the filesystem but the running process is keeping the old state. This way you can delete files but the process still has access to the file as long as it runs. This is exploited by log rotating: move the current log file and put a new log file in its place. Then when the service restarts it switches to the new log file, but not before.

Didn't try it out.


It's obviously not that, as the article mentions, if you delete yourself, the /proc/$pid/exe link becomes:

    /proc/5868/exe -> '/home/user/main (deleted)'
Since the author in the article acknowledged that, it seems clear to me that they weren't talking about deleting the exe, but instead something to do with PR_SET_MM_EXE_FILE.


This is a real Linux hacker article. I use lxc and now I know how they changed the process names. Thanks.


### pseudo ### A couple of days ago, hiding an IRC DDoS Perl bot process only required modifying the string length in a simple way, like "/usr/local/apache/bin/httpd -DSSL" . " " x 100, which allowed the critical info to be displayed(?) outside the visible tty/stdout.
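The space-padding trick in that comment, as an added example written for this page (not the article's code and not the commenter's bot): instead of touching argv through main(), the program finds the argv strings via the arg_start/arg_end fields of /proc/self/stat (fields 48 and 49, Linux 3.5 and later), overwrites them with a fake command line padded with spaces, and sets the task's comm with PR_SET_NAME so that ps, top and pgrep -f all agree. The region cannot grow in place, so a title longer than the original argv is truncated; real setproctitle() implementations get around that by relocating environ, which is out of scope here. The fake command line is the one quoted in the comment.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Locate this process's argv strings from /proc/self/stat fields 48 and 49
   (arg_start, arg_end). Returns 0 and fills *start/*end, or -1. */
static int find_arg_region(unsigned long *start, unsigned long *end)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/stat", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';

    /* Field 2 (comm) sits in parentheses and may itself contain spaces,
       so parse from the last ')' onward; the next token is field 3. */
    char *p = strrchr(buf, ')');
    if (!p) return -1;
    unsigned long s = 0, e = 0;
    int field = 3;
    for (char *tok = strtok(p + 1, " "); tok; tok = strtok(NULL, " "), field++) {
        if (field == 48) s = strtoul(tok, NULL, 10);
        if (field == 49) { e = strtoul(tok, NULL, 10); break; }
    }
    if (s == 0 || e <= s) return -1;
    *start = s;
    *end = e;
    return 0;
}

/* Overwrite the argv area so /proc/self/cmdline (hence ps, top, pgrep -f)
   shows `title`. The title is truncated to what fits, the remainder is
   filled with spaces, and the final byte stays NUL so the kernel reads the
   region as an ordinary argv. comm is set to the basename of the fake
   argv[0] (15 bytes max). Returns the number of title bytes written, or -1. */
int spoof_process_title(const char *title)
{
    unsigned long start, end;
    if (find_arg_region(&start, &end) != 0) return -1;

    char *area = (char *)start;
    size_t room = end - start;           /* includes the trailing NUL */
    if (room < 2) return -1;
    size_t len = strlen(title);
    if (len > room - 1) len = room - 1;  /* cannot grow the region in place */

    memcpy(area, title, len);
    memset(area + len, ' ', room - 1 - len);
    area[room - 1] = '\0';

    char comm[16];
    const char *base = strrchr(title, '/');
    base = base ? base + 1 : title;
    size_t clen = strcspn(base, " ");    /* stop at the first argument */
    if (clen > 15) clen = 15;
    memcpy(comm, base, clen);
    comm[clen] = '\0';
    if (prctl(PR_SET_NAME, comm, 0, 0, 0) != 0) return -1;

    return (int)len;
}

/* Read back what the kernel now reports. Returns bytes read (NUL
   separators between arguments are preserved), or -1. */
int read_cmdline(char *out, size_t outlen)
{
    FILE *f = fopen("/proc/self/cmdline", "r");
    if (!f) return -1;
    size_t n = fread(out, 1, outlen - 1, f);
    fclose(f);
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char seen[4096];
    int n = spoof_process_title("/usr/local/apache/bin/httpd -DSSL");
    read_cmdline(seen, sizeof seen);
    printf("pid %d: wrote %d bytes, cmdline now \"%s\"\n", getpid(), n, seen);
    sleep(60);  /* time to inspect: ps -p <pid> -o pid,comm,args */
    return 0;
}
```

Because this rewrites only what the kernel exports from arg_start..arg_end and the comm field, it fools tools that read /proc/PID/cmdline and /proc/PID/comm, and nothing else: /proc/PID/exe, /proc/PID/maps and the inode of the running binary are untouched, which is exactly why the thread is interested in PR_SET_MM_EXE_FILE.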



