path: root/pid_demo.c
Diffstat (limited to 'pid_demo.c')
-rw-r--r--pid_demo.c86
1 files changed, 86 insertions, 0 deletions
diff --git a/pid_demo.c b/pid_demo.c
new file mode 100644
index 0000000..1698e54
--- /dev/null
+++ b/pid_demo.c
@@ -0,0 +1,86 @@
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/sched.h>
+#include <linux/sched/signal.h>
+#include <linux/proc_fs.h>
+#include <linux/seq_file.h>
+#include <linux/fs.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Biswa Kalyan Bhuyan");
+MODULE_DESCRIPTION("PID Hiding Demo");
+MODULE_VERSION("0.1");
+
+// PID to examine
+static unsigned int target_pid = 0;
+module_param(target_pid, uint, 0644);
+MODULE_PARM_DESC(target_pid, "Process ID to examine");
+
+// Function to examine a process
+static void examine_process(unsigned int pid)
+{
+ struct task_struct *task;
+
+ printk(KERN_INFO "PID Demo: Searching for PID %u\n", pid);
+
+ for_each_process(task) {
+ if (task->pid == pid) {
+ printk(KERN_INFO "PID Demo: Found process %u (%s)\n",
+ task->pid, task->comm);
+
+ if (task->parent) {
+ printk(KERN_INFO "PID Demo: Parent process is %u (%s)\n",
+ task->parent->pid, task->parent->comm);
+ }
+
+ printk(KERN_INFO "PID Demo: Process UID: %u, GID: %u\n",
+ task->cred->uid.val, task->cred->gid.val);
+ return;
+ }
+ }
+
+ printk(KERN_INFO "PID Demo: Process %u not found\n", pid);
+}
+
+// Explain how a real process hider works
+static void explain_hiding(void)
+{
+ printk(KERN_INFO "PID Demo: How process hiding works:\n");
+ printk(KERN_INFO "PID Demo: 1. Process listings come from /proc directory\n");
+ printk(KERN_INFO "PID Demo: 2. Each process has a directory in /proc named by its PID\n");
+ printk(KERN_INFO "PID Demo: 3. Commands like ps, top read /proc to get the process list\n");
+ printk(KERN_INFO "PID Demo: 4. To hide a process, hook the iterate_shared() function that reads /proc\n");
+ printk(KERN_INFO "PID Demo: 5. Filter out directory entries matching the target PID\n");
+ printk(KERN_INFO "PID Demo: 6. This makes the process invisible to ps, top and other tools\n");
+}
+
+// Module initialization
+static int __init pid_demo_init(void)
+{
+ printk(KERN_INFO "PID Demo: Module loaded\n");
+
+ if (target_pid == 0) {
+ printk(KERN_INFO "PID Demo: No target PID specified. Use: insmod pid_demo.ko target_pid=<pid>\n");
+ return 0;
+ }
+
+ // Examine the specified process
+ examine_process(target_pid);
+
+ // Explain hiding technique
+ explain_hiding();
+
+ printk(KERN_INFO "PID Demo: This module is for hiding the PID's\n");
+
+ return 0;
+}
+
+// Module cleanup
+static void __exit pid_demo_exit(void)
+{
+ printk(KERN_INFO "PID Demo: Module unloaded\n");
+}
+
+module_init(pid_demo_init);
+module_exit(pid_demo_exit);
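Review bot: The `for_each_process(task)` walk in examine_process runs without `rcu_read_lock()`/`rcu_read_unlock()`, and `task->cred->uid.val` dereferences an RCU-protected pointer directly, so a concurrent exit or credential change can leave the loop reading freed memory. The task list and `task->real_cred` are both RCU-protected; the loop should be bracketed by the RCU read lock, the cred read through `__task_cred(task)` (which does the `rcu_dereference`), and the early `return` inside the loop turned into a `break` so the unlock is never skipped. `task->parent` is read inside the same critical section, which is the minimum protection it needs; `rcu_dereference(task->real_parent)` would be the stricter form. `__task_cred` lives in `<linux/cred.h>`, which is presumably already pulled in via `<linux/sched/signal.h>`, but an explicit include would make that clear.
```c
static void examine_process(unsigned int pid)
{
	struct task_struct *task;
	const struct cred *cred;
	bool found = false;

	printk(KERN_INFO "PID Demo: Searching for PID %u\n", pid);

	/* Task list and task->real_cred are RCU-protected: hold the read lock
	 * for the whole walk and never return out of it. */
	rcu_read_lock();
	for_each_process(task) {
		if (task->pid != pid)
			continue;
		found = true;
		printk(KERN_INFO "PID Demo: Found process %u (%s)\n",
		       task->pid, task->comm);
		// … unchanged: parent printk …
		cred = __task_cred(task);
		printk(KERN_INFO "PID Demo: Process UID: %u, GID: %u\n",
		       cred->uid.val, cred->gid.val);
		break;
	}
	rcu_read_unlock();

	if (!found)
		printk(KERN_INFO "PID Demo: Process %u not found\n", pid);
}
```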