Linux kernel hacking: procfs

[CubanCorona]

I'm trying to modify procfs so that not all processes are shown.

I changed the get_pid_list() function in /fs/proc/base.c. To filter out the processes that I want to hide.

This works in the sense that ls /proc does not show the processes which I've chosen to filter. However, the last process shows up multiple times... one for each hidden process. For example, ls /proc will list several 652's. I've been looking for the cause for a while and haven't been able to find it. Any ideas?

 

[n0cmonkey]

Take a look at how some of the other rootkits out there work.

 

[CubanCorona]

Most of the rootkits I've seen deal with this on a copiled kernel. They don't really offer any insight into changing the actual source code.

 

[n0cmonkey]

Originally posted by: CubanCorona
Most of the rootkits I've seen deal with this on a copiled kernel. They don't really offer any insight into changing the actual source code.

They usually add a module that hides these things, and the source for that module might give you a clue as to how they work.

 

[drag]

Here is a examination of the lkm adore rootkit.

Here is some links to a few versions of the adore rootkit sourced (I beleive, haven't looked at them yet) link

Now be a nice guy and don't use this publicly aviable knowledge for evil.