The kmsg-watch (inotifywait) process was the last honest giveaway in `ps aux`: its watch paths and event flags betrayed the honeypot. The `argv_zap.so` shim hooks `__libc_start_main`, heap-copies `argv` for the real `main`, then memsets the contiguous `argv[1..]` region to NUL so the kernel's cmdline reader returns just `argv[0]`. gcc is installed and purged in the same Docker layer to keep the image slim. The shim also calls `prctl(PR_SET_NAME)` so `/proc/self/comm` mirrors the `argv[0]` disguise.
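To verify how the disguise looks from the `/proc` side, and to show what a responder would compare to spot it, here is an added Python check that is not part of `argv_zap.so` or the honeypot image; the process values it inspects are read from `/proc`, and the constructed samples in the comments are assumptions.

```python
#!/usr/bin/env python3
"""Heuristic /proc check for the three traces an argv/comm disguise leaves:
argv[1..] blanked in place, comm renamed via prctl(PR_SET_NAME), and an
LD_PRELOAD shim. Added example, not the argv_zap.so code."""
import os

def argv_findings(cmdline: bytes, comm: str, exe: str, environ: bytes) -> list:
    """Return findings for one process from its /proc fields:
    cmdline = raw /proc/PID/cmdline, comm = /proc/PID/comm without newline,
    exe = readlink(/proc/PID/exe) or '' if unreadable, environ = raw environ."""
    findings = []
    argv0 = cmdline.split(b"\0", 1)[0]
    tail = cmdline[len(argv0):]
    # Blanking argv[1..] in place keeps the original region mapped, so the
    # kernel hands back argv[0] followed by a run of NULs instead of one.
    if len(tail) > 1 and not tail.strip(b"\0"):
        findings.append("argv blanked: %d NUL bytes follow argv[0]" % len(tail))
    # PR_SET_NAME rewrites comm but not the exe symlink; comm holds at most
    # 15 bytes, so compare against the truncated basename of the real binary.
    if exe and comm and comm != os.path.basename(exe)[:15]:
        findings.append("comm %r does not match exe %r" % (comm, exe))
    # The loader variable that injected the shim stays visible in environ
    # unless the process scrubbed it.
    if b"LD_PRELOAD=" in environ:
        findings.append("LD_PRELOAD set in environ")
    return findings

def scan_proc(proc="/proc"):
    """Walk /proc and return {pid: findings} for processes that trip a check.
    Reading other users' exe/environ needs root; unreadable entries are skipped."""
    hits = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, pid)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read()
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().rstrip("\n")
            with open(os.path.join(base, "environ"), "rb") as f:
                environ = f.read()
            try:
                exe = os.readlink(os.path.join(base, "exe"))
            except OSError:
                exe = ""
        except OSError:
            continue  # process exited or is not ours to read
        found = argv_findings(cmdline, comm, exe, environ)
        if found:
            hits[pid] = found
    return hits

if __name__ == "__main__":
    for pid, found in sorted(scan_proc().items(), key=lambda kv: int(kv[0])):
        print(pid, "; ".join(found))
```

Symlinked interpreters (comm `python3`, exe `python3.11`) and setproctitle users such as sshd also trip the first two checks, so treat hits as triage leads rather than verdicts.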