How can the Linux kernel use inline hook to achieve process hiding?
In the Linux kernel, an inline hook can be used to hide processes. An inline hook is a technique that dynamically patches a function's machine code so that custom code runs before or after the original function.
Here are the steps to implement process hiding:
- Identify the functions that must be modified to hide a process. Typically these are the show and readdir functions in the sysfs_ops structure, which handle file read operations for the /sys/kernel/sched_hide and /proc directories.
- Use kernel debugging tools such as kprobe or kretprobe to locate the addresses of these two functions: insert a breakpoint at the start of each function, then read the breakpoint's address in the kernel debugger.
- Use a kernel module to modify the code of these two functions. Inside the module, apply the inline hook to replace the code of the show and readdir functions; kernel-provided helpers such as kallsyms_lookup_name can be used to obtain the functions' addresses.
- In the replacement code, check the process's name or PID and decide whether to hide it. There are several ways to hide a process, such as modifying the contents of a file so the process does not appear when the file is read, or altering the process's task_struct so it is skipped during process traversal.
- Compile the kernel module and load it into the system, for example with the make command to build it and the insmod command to load it.
- Verify that hiding succeeded by checking with the ps command or another process-viewing tool whether the process is still visible.
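The verification step has a defender's counterpart. A readdir hook only filters what directory enumeration returns, so a process hidden that way still answers a direct probe of its PID. The C program below is an added example, not code from the original answer: it sweeps the PID space with kill(pid, 0), which consults the PID table without enumerating anything, and reports PIDs that are alive but absent from two readdir listings of /proc (one taken before the sweep, one after, so processes that start or exit during the sweep are not reported). It also checks Tgid in /proc/<pid>/status, because kill() accepts thread IDs that /proc never lists as top-level entries. All function names are mine; the 32768 fallback for pid_max is an assumed default used only when /proc/sys/kernel/pid_max is unreadable.

```c
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Largest PID the kernel hands out, from /proc/sys/kernel/pid_max.
 * The 32768 fallback is an assumed default, used only if the file is unreadable. */
long read_pid_max(void) {
    long pid_max = 32768;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) {
        if (fscanf(f, "%ld", &pid_max) != 1 || pid_max < 1) pid_max = 32768;
        fclose(f);
    }
    return pid_max;
}

/* Enumerate PIDs the way ps does: readdir() on /proc. This is the path a
 * readdir hook can filter, so it yields the view the system "claims".
 * Sets seen[pid] = 1 for every numeric entry and returns the count. */
size_t list_visible_pids(unsigned char *seen, long pid_max) {
    size_t n = 0;
    DIR *d = opendir("/proc");
    if (!d) return 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0])) continue;
        long pid = strtol(e->d_name, NULL, 10);
        if (pid >= 1 && pid <= pid_max) { seen[pid] = 1; n++; }
    }
    closedir(d);
    return n;
}

/* Is there a process (thread-group leader) with this PID right now?
 * kill(pid, 0): success or EPERM means the PID is in use, ESRCH means free.
 * kill() also accepts a bare thread ID, so Tgid from /proc/<pid>/status is
 * required to equal pid; otherwise every thread would look like a hidden process. */
int probe_pid(pid_t pid) {
    if (kill(pid, 0) == -1 && errno == ESRCH) return 0;
    char path[64], line[256];
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f) return errno != ENOENT;  /* ENOENT: it exited between the two calls */
    int is_leader = 0;
    while (fgets(line, sizeof line, f)) {
        long tgid;
        if (sscanf(line, "Tgid: %ld", &tgid) == 1) { is_leader = (tgid == (long)pid); break; }
    }
    fclose(f);
    return is_leader;
}

/* Write to out (at most max) the PIDs that answer a direct probe but are absent
 * from both a readdir listing taken before the sweep and one taken after it.
 * Requiring absence from both drops processes that started or exited mid-sweep. */
size_t find_hidden_pids(pid_t *out, size_t max) {
    long pid_max = read_pid_max();
    unsigned char *before = calloc((size_t)pid_max + 1, 1);
    unsigned char *after  = calloc((size_t)pid_max + 1, 1);
    unsigned char *alive  = calloc((size_t)pid_max + 1, 1);
    size_t nh = 0;
    if (!before || !after || !alive) goto done;
    list_visible_pids(before, pid_max);
    for (long pid = 1; pid <= pid_max; pid++)
        if (!before[pid] && probe_pid((pid_t)pid)) alive[pid] = 1;
    list_visible_pids(after, pid_max);
    for (long pid = 1; pid <= pid_max && nh < max; pid++)
        if (alive[pid] && !after[pid]) out[nh++] = (pid_t)pid;
done:
    free(before); free(after); free(alive);
    return nh;
}

/* Sanity checks: our own PID must appear in the readdir view and must never
 * be reported as hidden. */
int self_is_visible(void) {
    long pid_max = read_pid_max();
    pid_t me = getpid();
    unsigned char *seen = calloc((size_t)pid_max + 1, 1);
    if (!seen) return 0;
    list_visible_pids(seen, pid_max);
    int r = (me >= 1 && me <= pid_max && seen[me] == 1);
    free(seen);
    return r;
}

int self_is_reported_hidden(void) {
    pid_t hidden[1024];
    size_t n = find_hidden_pids(hidden, 1024);
    for (size_t i = 0; i < n; i++) if (hidden[i] == getpid()) return 1;
    return 0;
}

int main(void) {
    pid_t hidden[1024];
    size_t n = find_hidden_pids(hidden, 1024);
    if (n == 0) puts("no PIDs hidden from readdir(/proc) detected");
    for (size_t i = 0; i < n; i++)
        printf("PID %ld is alive but missing from /proc listings\n", (long)hidden[i]);
    return 0;
}
```

This catches the readdir-filtering variant only. A process unlinked from the kernel's task list (the task_struct approach the answer also mentions) answers neither kill() nor a /proc lookup, so it must be found from a different vantage point, such as a kernel-side task-list walk, inspection of scheduler or cgroup state, or a memory image.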
Note that modifying kernel code is very risky and may make the system unstable or unusable. Before performing such an operation, back up important data and make sure you understand the risks of the changes being made.