anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(ssh-capture): LD_PRELOAD shim to zero inotifywait argv

Browse Source 
The kmsg-watch (inotifywait) process was the last honest giveaway in
`ps aux` — its watch paths and event flags betrayed the honeypot. The
argv_zap.so shim hooks __libc_start_main, heap-copies argv for the real
main, then memsets the contiguous argv[1..] region to NUL so the kernel's
cmdline reader returns just argv[0].

gcc is installed and purged in the same Docker layer to keep the image
slim. The shim also calls prctl(PR_SET_NAME) so /proc/self/comm mirrors
the argv[0] disguise.
This commit is contained in:
anti
2026-04-18 01:52:30 -04:00
parent e356829234
commit f462835373
4 changed files with 100 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
templates/ssh/capture.sh
View File

@@ -253,8 +253,11 @@ _capture_one() {
}
# Main loop.
# LD_PRELOAD argv_zap.so blanks argv[1..] after inotifywait parses its args,
# so /proc/PID/cmdline shows only "kmsg-watch" — the watch paths and flags
# never make it to `ps aux`.
# shellcheck disable=SC2086
"$INOTIFY_BIN" -m -r -q \
LD_PRELOAD=/usr/lib/argv_zap.so "$INOTIFY_BIN" -m -r -q \
--event close_write --event moved_to \
--format '%w%f' \
$CAPTURE_WATCH_PATHS 2>/dev/null \