
Linux kernel module: re-hijacking the iterate function of the virtual filesystem

A popular way of hiding processes from the user is to hijack the iterate function for the /proc directory. This can be done as follows:

#include <linux/fs.h>   /* filp_open(), struct file, struct file_operations */

struct file *filep = filp_open("/proc", O_RDONLY, 0);
((struct file_operations *)filep->f_op)->iterate = p; /* f_op is const, so cast it away and swap in our hacked iterate, p */

I am working on a detection method, where I would like to restore the original iterate function (assuming it has already been hijacked). Is there some way to find the original iterate function which is used for the /proc directory?

You can try a heuristic approach. The address of the original function will be in the same general area as the other proc functions, while the address of the hijacker function will be noticeably different. Then you parse the machine code of the hijacker function. The hijacker function will have to branch to the original function before it returns, so you look at all the branch instructions and check which one would fit to the other original addresses.

I assume you know which version of the kernel you are using?

Just copy that version of the function into your module and override the iterate pointer with your copy's address.

This should be functionally equivalent, though there is no telling what other evils the rogue module might have unleashed.
