Hiding processes, files and folders in Linux using kernel module (for kernel version 2.4).

Every operating system has a core component called the kernel. It is responsible for the interaction between software and hardware, for memory management, and for other low-level operations.

In Linux, kernel modules can be loaded dynamically to extend the capabilities of the operating system (for example, a device driver is loaded into memory to make its device usable).

Kernel modules can be written by a user, compiled, and then loaded and unloaded at will. Adding or changing kernel functionality is possible by modifying the sys_call_table data structure (it holds pointers to the system call functions that user programs invoke).

How can a process, file or folder be hidden from the user? The approach is to modify sys_call_table so that the getdents64(unsigned int fd, struct dirent64 *mydir, unsigned int count) entry points to our own implementation, which calls the original function and then edits the data structure it returned. This system call is what directory listings are built from, so replacing it causes the chosen files and folders to disappear from the user's view. Processes appear as folders under /proc, and the ps command lists them through the same getdents family of system calls (the exact name can be confirmed with strace ps; strace uses the ptrace system call to trace system calls and debug processes).
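Because such a module only filters what getdents64 returns, a process hidden this way can still be reached by PID through other system calls. The detector below is an added example, not code from the original post: it lists /proc the normal way, then probes every PID up to pid_max with kill(pid, 0) and reports PIDs that are alive but missing from the listing. Thread IDs are also absent from a /proc listing, so the check reads Tgid from /proc/<pid>/status to avoid reporting ordinary threads; the /proc path and the pid_max fallback of 32768 are assumptions.

```python
import os

def pids_from_listing(entries):
    """PIDs visible through a directory listing of /proc (built from getdents64)."""
    return {int(name) for name in entries if name.isdigit()}

def pid_exists(pid):
    """Probe a PID with a null signal; kill() does not go through getdents64."""
    try:
        os.kill(pid, 0)
    except PermissionError:
        return True          # exists, but belongs to another user
    except ProcessLookupError:
        return False
    return True

def is_thread_group_leader(pid, proc_dir="/proc"):
    """True if /proc/<pid>/status says Tgid == pid, i.e. a real process, not a thread."""
    try:
        with open(f"{proc_dir}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return False         # no status file: treat as a thread rather than alarm
    return False

def find_hidden_pids(listed, probe, is_leader, max_pid):
    """PIDs that the probe reports alive and that are process leaders,
    yet are absent from the directory listing."""
    return sorted(
        pid for pid in range(1, max_pid + 1)
        if pid not in listed and probe(pid) and is_leader(pid)
    )

def scan_proc(proc_dir="/proc"):
    """Run the comparison against the live system."""
    listed = pids_from_listing(os.listdir(proc_dir))
    try:
        with open(os.path.join(proc_dir, "sys/kernel/pid_max")) as f:
            max_pid = int(f.read())
    except OSError:
        max_pid = 32768      # assumed fallback when pid_max is unreadable
    return find_hidden_pids(listed, pid_exists,
                            lambda p: is_thread_group_leader(p, proc_dir), max_pid)

if __name__ == "__main__":
    print("hidden PIDs:", scan_proc())
```

A non-empty result is only a lead: confirm it by opening /proc/<pid>/status directly, and expect a more complete rootkit to hook stat and open as well.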
