A popular way of hiding the processes from the user is to hijack the iterate function for the /proc directory. This can be done as follows:
#include <linux/fs.h>   /* filp_open(), struct file_operations */
struct file *filep = filp_open("/proc", O_RDONLY, 0);
/* f_op is a const pointer, so the rootkit casts that away before swapping in its own iterate */
((struct file_operations *)filep->f_op)->iterate = p;
I am working on a detection method, where I would like to restore the original iterate function (assuming it has already been hijacked). Is there some way to find the original iterate function which is used for the /proc directory?
You can try a heuristic approach. The address of the original function will be in the same general area as the other proc functions, while the address of the hijacker function will be noticeably different. Then you parse the machine code of the hijacker function. The hijacker function will have to branch to the original function before it returns, so you look at all the branch instructions and check which one would fit to the other original addresses.
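The heuristic in this answer, worked through as an added example that is not code from the original post or from any real kernel. It is a stand-alone user-space C program: the "known proc handler" addresses, the hijacker's base address and the hijacker's machine code bytes are all constructed for illustration (in a real check you would take the handler addresses from the kernel's own proc file_operations tables or kallsyms, and read the hijacker's bytes from the address found in f_op). Step 1 decides whether a function pointer lies in the same general area as the other proc handlers; step 2 linearly scans the suspect code for x86-64 rel32 call/jmp (opcodes E8/E9) and returns the first branch target that lands back in that area.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample addresses of legitimate /proc handlers (hypothetical,
 * not taken from any real kernel). They sit close together in core text. */
static const uint64_t proc_funcs[] = {
    0xffffffff812a4100ULL,
    0xffffffff812a4260ULL,   /* the one the hijacker will branch to */
    0xffffffff812a4340ULL,
    0xffffffff812a4520ULL,
};
#define NPROC (sizeof proc_funcs / sizeof proc_funcs[0])

/* Slack allowed around the observed cluster of proc handlers. */
#define CLUSTER_SLACK 0x2000ULL

/* Constructed base of the hijacker: a module-text style address, far from
 * the core-kernel cluster above. */
#define HIJACK_BASE 0xffffffffc0123000ULL

/* Step 1: is addr inside the area where the other proc handlers live? */
int in_proc_cluster(uint64_t addr)
{
    uint64_t lo = UINT64_MAX, hi = 0;
    for (size_t i = 0; i < NPROC; i++) {
        if (proc_funcs[i] < lo) lo = proc_funcs[i];
        if (proc_funcs[i] > hi) hi = proc_funcs[i];
    }
    return addr + CLUSTER_SLACK >= lo && addr <= hi + CLUSTER_SLACK;
}

/* Step 2: scan code for E8 (call rel32) / E9 (jmp rel32) and return the
 * first target that lands in the proc cluster, or 0 if none does.
 * Simplification: a byte-by-byte scan can mistake operand bytes for
 * opcodes; a real tool should use a length-aware instruction decoder. */
uint64_t find_original_iterate(const uint8_t *code, size_t len, uint64_t base)
{
    for (size_t i = 0; i + 5 <= len; i++) {
        if (code[i] != 0xE8 && code[i] != 0xE9)
            continue;
        int32_t rel;
        memcpy(&rel, code + i + 1, sizeof rel);   /* little-endian rel32 */
        uint64_t next_ip = base + i + 5;          /* rel32 is IP-relative */
        uint64_t target  = next_ip + (int64_t)rel;
        if (in_proc_cluster(target))
            return target;
    }
    return 0;
}

/* Constructed hijacker body: a module-local helper call followed by a call
 * to the original handler. rel32 values are precomputed for HIJACK_BASE. */
static const uint8_t hijacker[] = {
    0x55,                          /* push rbp                                  */
    0x48, 0x89, 0xe5,              /* mov  rbp, rsp                             */
    0xe8, 0xf7, 0x00, 0x00, 0x00,  /* call +0xf7   -> helper inside the module  */
    0xe8, 0x52, 0x12, 0x18, 0xc1,  /* call -0x3ee7edae -> 0xffffffff812a4260    */
    0x85, 0xc0,                    /* test eax, eax                             */
    0x5d,                          /* pop  rbp                                  */
    0xc3,                          /* ret                                       */
};

/* Runs the whole heuristic on the constructed sample. */
uint64_t recover_from_sample(void)
{
    if (in_proc_cluster(HIJACK_BASE))
        return 0;   /* pointer looks legitimate; nothing to restore */
    return find_original_iterate(hijacker, sizeof hijacker, HIJACK_BASE);
}

int main(void)
{
    uint64_t orig = recover_from_sample();
    if (orig)
        printf("suspect iterate at 0x%llx branches to 0x%llx (candidate original)\n",
               (unsigned long long)HIJACK_BASE, (unsigned long long)orig);
    else
        printf("no branch into the proc cluster found\n");
    return 0;
}
```

The first call (to the module-local helper) is rejected because its target is nowhere near the cluster; the second is accepted. Two caveats for a real detector: a rootkit that saved the original pointer in a variable and calls through it (`call [rip+x]` or `mov rax, [...]; call rax`) produces no rel32 branch at all, so this scan finds nothing, and KASLR shifts core text and modules by different amounts, which is why the check compares against handler addresses read at runtime rather than fixed values.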