100 Days of YARA – Day 50: libprocesshider

I have encountered libprocesshider being used in the wild. This is a userland rootkit that abuses LD_PRELOAD to hide processes.

https://github.com/gianlucaborello/libprocesshider

The library is simple: under 100 lines of C. The rule below matched a malicious libprocesshider build found on a honeypot system.

rule libprocesshider
{
	meta:
		description = "libprocesshider userland rootkit"

	strings:
		$ = "%d (%[^)]s"
		$ = "/proc/self/fd/%d"
		$ = "/proc/%s/stat"
		$ = "dlsym"

	condition:
		all of them
}
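As an added illustration (not part of the original post), a small Python triage helper that applies the rule's four strings with the same "all of them" logic to the shared objects listed in /etc/ld.so.preload, the file a libprocesshider deployment is normally loaded through. The sample paths and file contents are constructed, not real binaries.

```python
"""Triage helper: flag LD_PRELOAD-style process hiders such as libprocesshider."""
import os
from typing import Callable, Dict, List

# The four strings from the YARA rule above; the condition is "all of them".
LIBPROCESSHIDER_STRINGS = [
    b"%d (%[^)]s",
    b"/proc/self/fd/%d",
    b"/proc/%s/stat",
    b"dlsym",
]


def matches_rule(data: bytes) -> bool:
    """Python equivalent of the rule: every string must appear in the file."""
    return all(s in data for s in LIBPROCESSHIDER_STRINGS)


def parse_ld_so_preload(text: str) -> List[str]:
    """ld.so.preload is a whitespace-separated list of shared objects (ld.so(8))."""
    return text.split()


def triage_preload(preload_text: str,
                   read_file: Callable[[str], bytes]) -> Dict[str, bool]:
    """Return {library_path: rule_matched} for each entry in the preload list.
    read_file is injected so the logic can run on constructed data or a live box."""
    results: Dict[str, bool] = {}
    for lib in parse_ld_so_preload(preload_text):
        try:
            results[lib] = matches_rule(read_file(lib))
        except OSError:
            results[lib] = False  # missing or unreadable: record as no match
    return results


def triage_system(preload_path: str = "/etc/ld.so.preload") -> Dict[str, bool]:
    """Live check: empty result when the preload file does not exist."""
    if not os.path.exists(preload_path):
        return {}
    with open(preload_path, "r") as fh:
        return triage_preload(fh.read(), lambda p: open(p, "rb").read())


# Constructed sample data: a fake hider carrying all four strings beside a
# benign library that only references dlsym (so it must not match).
SAMPLE_FILES = {
    "/usr/local/lib/libprocesshider.so": b"\x7fELF" + b"\0".join(LIBPROCESSHIDER_STRINGS),
    "/usr/lib/libbenign.so": b"\x7fELF" + b"dlsym\0",
}
SAMPLE_PRELOAD = "/usr/local/lib/libprocesshider.so\n/usr/lib/libbenign.so\n"


def demo() -> Dict[str, bool]:
    return triage_preload(SAMPLE_PRELOAD, lambda p: SAMPLE_FILES[p])


if __name__ == "__main__":
    for lib, hit in demo().items():
        print(f"{'MATCH' if hit else 'clean'}  {lib}")
```

Run `triage_system()` on a host to apply the same check to the real preload list; a match on an entry there is worth pulling the file for full analysis, since the strings alone are a loose signature.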

