#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/sched.h>
#include <linux/sched/signal.h>
#include <linux/cred.h>
#include <linux/rcupdate.h>
#include <linux/proc_fs.h>
#include <linux/seq_file.h>
#include <linux/fs.h>

MODULE_DESCRIPTION("PID Hiding Demo");
MODULE_AUTHOR("Biswa Kalyan Bhuyan");
MODULE_VERSION("0.1");
MODULE_LICENSE("GPL");

// Process to look up at load time.  The value is consumed exactly once, in
// pid_demo_init(); with mode 0644 it is also exposed (root-writable) under
// /sys/module/<module>/parameters/, but a write made after loading is never
// acted on.  Zero -- the default, file-scope statics are zero-initialised --
// means "no target".
static unsigned int target_pid;
module_param_named(target_pid, target_pid, uint, 0644);
MODULE_PARM_DESC(target_pid, "Process ID to examine");

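// Walk the global task list looking for @pid and log what it finds: the
// task's comm, its parent, and its UID/GID.  Output goes to the kernel
// log only; there is no return value and nothing is modified.
//
// Called once, from pid_demo_init(), at load time.
//
// The comparison is against task->pid, i.e. the global (init_pid_ns) pid
// number, so when the module is loaded from inside a pid namespace the
// caller must supply the global pid.  The printed uid/gid are the raw
// kernel-internal kuid/kgid values, not mapped through any user namespace.
static void examine_process(unsigned int pid)
{
    struct task_struct *task;
    const struct cred *cred;
    int found = 0;

    printk(KERN_INFO "PID Demo: Searching for PID %u\n", pid);

    // for_each_process() must run under rcu_read_lock() (or tasklist_lock);
    // without it the task -- and its parent -- can be freed mid-walk.
    rcu_read_lock();
    for_each_process(task) {
        if (task->pid != pid)
            continue;

        found = 1;
        printk(KERN_INFO "PID Demo: Found process %u (%s)\n",
               task->pid, task->comm);

        // task->parent is the parent that wait4()/SIGCHLD report to; it
        // differs from task->real_parent only while the task is ptraced.
        if (task->parent) {
            printk(KERN_INFO "PID Demo: Parent process is %u (%s)\n",
                   task->parent->pid, task->parent->comm);
        }

        // task->cred is an __rcu pointer and can be replaced concurrently
        // by commit_creds(): read it with rcu_dereference() under the read
        // lock instead of a plain dereference.  This keeps the original's
        // choice of the subjective creds (->cred, not ->real_cred).
        cred = rcu_dereference(task->cred);
        printk(KERN_INFO "PID Demo: Process UID: %u, GID: %u\n",
               cred->uid.val, cred->gid.val);
        break;
    }
    rcu_read_unlock();

    if (!found)
        printk(KERN_INFO "PID Demo: Process %u not found\n", pid);
}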

// Log a short numbered description of the classic /proc-based hiding
// technique.  Purely explanatory: nothing in this module touches /proc or
// replaces a function pointer, so no process is actually hidden.
static void explain_hiding(void)
{
    // Each entry is one complete log record, prefix and newline included.
    static const char * const lines[] = {
        "PID Demo: How process hiding works:\n",
        "PID Demo: 1. Process listings come from /proc directory\n",
        "PID Demo: 2. Each process has a directory in /proc named by its PID\n",
        "PID Demo: 3. Commands like ps, top read /proc to get the process list\n",
        "PID Demo: 4. To hide a process, hook the iterate_shared() function that reads /proc\n",
        "PID Demo: 5. Filter out directory entries matching the target PID\n",
        "PID Demo: 6. This makes the process invisible to ps, top and other tools\n",
    };
    size_t i;

    // Fixed "%s" format: the text is never passed as the format string.
    for (i = 0; i < ARRAY_SIZE(lines); i++)
        printk(KERN_INFO "%s", lines[i]);
}

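// Module entry point: look up target_pid (if one was given) and log the
// explanatory text.
//
// target_pid is read exactly once, here.  When it is zero the usage hint is
// logged and the module still stays loaded (returns 0), so the message is
// visible in dmesg.  Always returns 0: nothing here can fail.  No hook is
// installed and no process is hidden -- the module only reads the task
// list and prints.
static int __init pid_demo_init(void)
{
    printk(KERN_INFO "PID Demo: Module loaded\n");

    if (target_pid == 0) {
        printk(KERN_INFO "PID Demo: No target PID specified. Use: insmod pid_demo.ko target_pid=<pid>\n");
        return 0;
    }

    examine_process(target_pid);
    explain_hiding();

    // State plainly what this module does and does not do: it installs no
    // hooks, so a dmesg reader must not mistake it for an actual hider.
    printk(KERN_INFO "PID Demo: Demonstration only - no process is hidden and no hooks are installed\n");

    return 0;
}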

// Module exit: init registered nothing and hooked nothing, so there is
// nothing to tear down beyond logging the unload.
static void __exit pid_demo_exit(void)
{
    pr_info("PID Demo: Module unloaded\n");
}

// Register the load/unload handlers above with the module loader.
module_init(pid_demo_init);
module_exit(pid_demo_exit);