#include <linux/cred.h>
#include <linux/fs.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/proc_fs.h>
#include <linux/rcupdate.h>
#include <linux/sched.h>
#include <linux/sched/signal.h>
#include <linux/seq_file.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Biswa Kalyan Bhuyan");
MODULE_DESCRIPTION("PID Hider - Process hiding");
MODULE_VERSION("0.1");

/*
 * PID to look up when the module loads.  Supplied at insmod time as
 * hidden_pid=<pid>; 0 means "no target" and pid_hider_init() logs a usage
 * hint and returns without doing anything.
 *
 * Mode 0644 publishes the value under /sys/module/<module>/parameters/,
 * readable by every user and writable by root.  The variable is only
 * consulted in the init and exit paths, so a write made after loading is
 * not acted on until the module is unloaded.
 */
static unsigned int hidden_pid = 0;
module_param(hidden_pid, uint, 0644);
MODULE_PARM_DESC(hidden_pid, "Process ID to hide from listings");
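/*
 * find_process() - look @pid up on the task list and log what is found.
 * @pid: global PID (as seen from the init pid namespace) to search for.
 *
 * Walks every process with for_each_process(); on a match it logs the
 * task's name, its parent and its UID/GID, then stops.  If no task carries
 * that PID a "not found" line is logged instead.  The function only emits
 * printk() output; it never modifies any task.
 *
 * The task list and the task's ->parent and ->cred pointers are
 * RCU-protected, so the whole walk runs under rcu_read_lock().  The
 * previous unlocked walk could race with fork/exit and dereference a task
 * that was already being freed.
 */
static void find_process(unsigned int pid)
{
	struct task_struct *task;
	struct task_struct *parent;
	bool found = false;

	printk(KERN_INFO "PID Hider: Searching for PID %u\n", pid);

	rcu_read_lock();
	for_each_process(task) {
		/* task_pid_nr() is pid_t (signed); the cast keeps the compare unsigned */
		if ((unsigned int)task_pid_nr(task) != pid)
			continue;

		found = true;
		printk(KERN_INFO "PID Hider: Found process %u (%s)\n",
		       pid, task->comm);

		/*
		 * ->parent is an __rcu pointer, hence rcu_dereference().  Note it
		 * is the tracer while the task is ptraced; ->real_parent would be
		 * the forking parent.
		 */
		parent = rcu_dereference(task->parent);
		if (parent) {
			printk(KERN_INFO "PID Hider: Parent process is %d (%s)\n",
			       task_pid_nr(parent), parent->comm);
		}

		/*
		 * task_uid()/task_gid() read task->cred under RCU instead of
		 * dereferencing it directly; converting through init_user_ns
		 * yields the same number the raw kuid_t/kgid_t .val held.
		 */
		printk(KERN_INFO "PID Hider: Process UID: %u, GID: %u\n",
		       from_kuid(&init_user_ns, task_uid(task)),
		       from_kgid(&init_user_ns, task_gid(task)));
		break;
	}
	rcu_read_unlock();

	if (!found)
		printk(KERN_INFO "PID Hider: Process %u not found\n", pid);
}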
/*
 * ----------------------------------------------------
 * POC: How Process Hiding Works (Conceptual Overview)
 * ----------------------------------------------------
 *
 * 1. Process listings in Linux come from iterating the /proc directory
 * 2. To hide a process, the directory listing function (iterate_shared) is hooked
 * 3. When the hook is called, the entries for the target PID are filtered out
 * 4. This leaves commands like ps, top, etc. unable to see the process
 * 5. The process still runs normally; it simply does not appear in listings
 *
 * Tools like ps get process lists by reading /proc, which contains
 * a directory for each running process named by its PID. By filtering
 * these directory entries, a process can be made invisible.
 *
 * Note: this file implements none of steps 2-4. The module below only
 * locates the configured PID on the task list and logs details about it
 * (see find_process()); nothing is hidden.
 */
/*
 * pid_hider_init() - module entry point.
 *
 * Logs that the module is loaded, then either reports that no target was
 * given (hidden_pid == 0) or hands hidden_pid to find_process().  Always
 * returns 0, so the module stays resident even without a target.
 */
static int __init pid_hider_init(void)
{
	printk(KERN_INFO "PID Hider: Module loaded\n");

	if (hidden_pid) {
		/* Look the target up on the task list and log what is found */
		find_process(hidden_pid);
	} else {
		printk(KERN_INFO "PID Hider: No target PID specified. Use: insmod pid_hider.ko hidden_pid=<pid>\n");
	}

	return 0;
}
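/*
 * pid_hider_exit() - module exit path.
 *
 * Logs the unload and, when a target PID was configured, which PID it was.
 * Fix: the format string previously had no conversion for the hidden_pid
 * argument, so the PID was never printed and the call carried a
 * format/argument mismatch; "%u" now consumes it.
 */
static void __exit pid_hider_exit(void)
{
	printk(KERN_INFO "PID Hider: Module unloaded\n");

	if (hidden_pid > 0) {
		printk(KERN_INFO "PID Hider: No longer hiding PID %u\n",
		       hidden_pid);
	}
}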
/* Register the load/unload handlers defined above. */
module_init(pid_hider_init);
module_exit(pid_hider_exit);