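├── Makefile
├── README.md
└── process_list.c
/Makefile:
--------------------------------------------------------------------------------
obj-m := process_list.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)

# M= is the supported way to point kbuild at an out-of-tree module directory;
# SUBDIRS= is the legacy spelling that newer kernels no longer accept.
default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules

# Reload the module.  The original recipe was
#   rmmod process_list.ko 2>1& > /dev/null;insmod process_list.ko
# which redirected stderr to a file literally named "1", ran rmmod in the
# background (racing the insmod that follows) and left "> /dev/null" as an
# empty command.  "-" lets make ignore a failing rmmod on the first install.
install:
	-rmmod process_list 2>/dev/null
	insmod ./process_list.ko

clean:
	$(MAKE) -C $(KDIR) M=$(PWD) clean
	rm -f *.mod.c *.ko *.o

.PHONY: default install clean
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------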
# Xt9 Anti Rootkit  www.xtiger.net

#############install################
unzip process_list.zip;cd process_list;make;make install

####################################
suse10:~ # sleep 12345&
[1] 4091
suse10:~ # sleep 54321&
[2] 4098

suse10:~/tl/adore-ng # insmod adore-ng.ko 
suse10:~/tl/adore-ng # ./ava i 4091
Checking for adore  0.12 or higher ...
Adore 1.56 installed. Good luck.
Made PID 4091 invisible.
suse10:~/tl/adore-ng # vi 
suse10:~/tl/adore-ng # cd ~/programme/del_task_4_hide/
suse10:~/programme/del_task_4_hide # insmod delp.ko 

suse10:~/programme/process_list_proc # make;make install 

suse10:~/programme/process_list_proc # cat /proc/ps_list 
                        --= Xt9 - Anti - Rootkit =--
                        beta v0.11      by xti9er
[4091] sleep    [may be hiddened by vfs_readdir hook]
[4098] sleep    [may be hiddened by REMOVE_LINKS]
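/process_list.c:
--------------------------------------------------------------------------------
// by xti9er @ 2015.6.19
//
// Xt9 Anti-Rootkit: exposes /proc/ps_list, which walks every PID below
// PID_MAX_LIMIT and reports thread-group leaders that
//   - are in the kernel process list but whose /proc/<pid> cannot be opened
//     or has no directory iterator ("may be hiddened by vfs_readdir hook"), or
//   - are reachable by PID lookup but absent from the process list
//     ("may be hiddened by REMOVE_LINKS").
//
// NOTE(review): the rendered page dropped the names of the original ten
// #include lines; the headers below are the ones the code actually needs.
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/version.h>
#include <linux/init.h>
#include <linux/fs.h>
#include <linux/err.h>
#include <linux/proc_fs.h>
#include <linux/sched.h>
#include <linux/pid.h>
#include <linux/threads.h>
#include <linux/slab.h>
#include <linux/rcupdate.h>
#include <linux/string.h>
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
#include <linux/sched/signal.h>	/* for_each_process */
#include <linux/sched/task.h>	/* get_task_struct / put_task_struct */
#endif

/*
 * Name of the directory-iteration member of struct file_operations.
 * procfs directories use ->iterate_shared from 4.7 on and leave ->iterate
 * NULL, so checking ->iterate there would flag every process as hidden
 * (confirm against the target kernel's fs/proc/base.c).
 */
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 11, 0)
#define ITERATE_NAME readdir
#elif LINUX_VERSION_CODE < KERNEL_VERSION(4, 7, 0)
#define ITERATE_NAME iterate
#else
#define ITERATE_NAME iterate_shared
#endif

/*
 * Prototype and return type of the /proc read callback.  Both switch at
 * 3.10, the same version at which functn_init() switches from
 * create_proc_read_entry() to proc_create(): the original gated the
 * prototype on 3.11, so on 3.10.x a callback with the old signature was
 * installed as file_operations.read.
 */
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 10, 0)
#define READ_PROC_RET int
#define READ_PROC_PROTO char *buffer, char **start, off_t off, int count, int *eof, void *data
#else
#define READ_PROC_RET ssize_t
#define READ_PROC_PROTO struct file *file, char __user *buffer, size_t count, loff_t *offset
#endif

/* file_operations for /proc/ps_list (3.10+ only); filled in by functn_init(). */
static struct file_operations proc_file_ops;

/*
 * Return the directory-iteration callback installed on @path, or NULL if
 * @path cannot be opened or its file_operations lack one.  The callers only
 * use the result as a yes/no answer.  Sleeps (filp_open); must not be
 * called under RCU or a spinlock.
 */
void *get_vfs_readdir(const char *path)
{
	struct file *filep = filp_open(path, O_RDONLY, 0);
	void *ret;

	if (!filep || IS_ERR(filep))
		return NULL;
	/* f_op itself may be NULL for an unusual file; don't dereference blindly. */
	ret = filep->f_op ? (void *)filep->f_op->ITERATE_NAME : NULL;
	/* The original returned early when the iterator was NULL and leaked
	 * the open file; always close it. */
	filp_close(filep, NULL);
	return ret;
}

/*
 * Look up the task for PID @nr.  Returns the task_struct or NULL.
 * No reference is taken on the task, so the caller must hold rcu_read_lock()
 * across the call and any use of the result (see ps_list_get_task()).
 */
struct task_struct *x_find_task_by_pid(pid_t nr)
{
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
	return find_task_by_pid(nr);
#else
	struct task_struct *ts = NULL;
	struct pid *pid = find_get_pid(nr);

	if (pid) {
		ts = pid_task(pid, PIDTYPE_PID);
		put_pid(pid);
	}
	return ts;
#endif
}

/*
 * Like x_find_task_by_pid() but returns a task the caller owns a reference
 * on (drop it with put_task_struct()), so it stays valid outside RCU even
 * if the process exits meanwhile.  The original dereferenced an
 * unreferenced pointer after sleeping in filp_open().
 */
static struct task_struct *ps_list_get_task(pid_t nr)
{
	struct task_struct *ts;

	rcu_read_lock();
	ts = x_find_task_by_pid(nr);
	if (ts)
		get_task_struct(ts);
	rcu_read_unlock();
	return ts;
}

/*
 * Classify PID @nr.  Returns:
 *   nr  - the task is in the kernel process list and /proc/<nr> opens with
 *         a directory iterator (nothing suspicious);
 *   -1  - the task is in the process list but /proc/<nr> cannot be opened
 *         or has no iterator (a vfs_readdir/iterate hook may hide it);
 *    0  - the task is not in the process list at all (its links may have
 *         been removed, so PID lookup finds it but for_each_process doesn't).
 */
int find_task_list(pid_t nr)
{
	struct task_struct *task_list;
	char path[64];
	int listed = 0;

	/* The process-list walk must be protected (RCU here; on kernels before
	 * ~2.6.18 it needs read_lock(&tasklist_lock) instead - confirm for the
	 * target).  The /proc open below sleeps, so it runs after unlocking. */
	rcu_read_lock();
	for_each_process(task_list) {
		if (task_list->pid == nr) {
			listed = 1;
			break;
		}
	}
	rcu_read_unlock();

	if (!listed)
		return 0;

	/* The original built this with sprintf(path, "%s%d", path, nr):
	 * overlapping source and destination is undefined behaviour. */
	snprintf(path, sizeof path, "/proc/%d", nr);
	return get_vfs_readdir(path) ? nr : -1;
}

/*
 * Write the /proc/ps_list report into @out (at most @size bytes, always
 * NUL-terminated) and return the number of bytes written, excluding the NUL.
 * Output that does not fit is truncated instead of overrunning @out, which
 * the original's unbounded sprintf() could do with enough hidden processes.
 */
static size_t ps_list_fill(char *out, size_t size)
{
	size_t len = 0;
	pid_t p;

	if (!size)
		return 0;

	len += scnprintf(out + len, size - len,
			 "\t\t\t--= Xt9 - Anti - Rootkit =--\n\t\t\tbeta v0.11\tby xti9er\n");

	for (p = 1; p < PID_MAX_LIMIT && len < size - 1; p++) {
		struct task_struct *t = ps_list_get_task(p);
		struct task_struct *again;
		int p_flag;

		if (!t)
			continue;
		if (t->tgid != p)	/* a thread, not a thread-group leader */
			goto next;

		p_flag = find_task_list(p);

		/* The process may have exited while find_task_list() slept; the
		 * reference keeps @t valid, but a dead process is not reported. */
		again = ps_list_get_task(p);
		if (again != t) {
			if (again)
				put_task_struct(again);
			goto next;
		}
		put_task_struct(again);

		if (p_flag == -1) {
			len += scnprintf(out + len, size - len,
					 "[%d] %s\t[may be hiddened by vfs_readdir hook]\n",
					 t->pid, t->comm);
			printk("[%d] %s\t[maybe hiddened by vfs_readdir hook]\n", t->pid, t->comm);
		} else if (p_flag == 0) {
			len += scnprintf(out + len, size - len,
					 "[%d] %s\t[may be hiddened by REMOVE_LINKS]\n",
					 t->pid, t->comm);
			printk("[%d] %s\t[maybe hiddened by REMOVE_LINKS]\n", t->pid, t->comm);
		}
		/* p_flag == p: visible in both places, nothing to report. */
next:
		put_task_struct(t);
	}
	return len;
}

/*
 * /proc/ps_list read callback.
 *
 * Pre-3.10 (create_proc_read_entry): @buffer is the page-sized scratch page
 * procfs allocates; the whole report is written from the top with @start
 * left NULL, so procfs applies @off itself, and *@eof is set.  This replaces
 * the original static read_flag toggle, whose result depended on how many
 * times any reader had called before and broke with concurrent readers.
 *
 * 3.10+ (proc_create + file_operations.read): @buffer is a USER pointer and
 * must not be written with sprintf() as the original did; the report is
 * built in a kernel buffer and copied out honouring @offset and @count,
 * which also yields a proper EOF once *@offset reaches the report's end.
 */
READ_PROC_RET read_proc(READ_PROC_PROTO)
{
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 10, 0)
	size_t len;

	if (count <= 0)
		return 0;
	len = ps_list_fill(buffer, PAGE_SIZE);
	*eof = 1;
	return (int)len;
#else
	char *kbuf;
	size_t len;
	ssize_t ret;

	/* One page of text: only hidden processes produce a line, so this is
	 * plenty in practice; a longer report is truncated, never overrun. */
	kbuf = kmalloc(PAGE_SIZE, GFP_KERNEL);
	if (!kbuf)
		return -ENOMEM;
	len = ps_list_fill(kbuf, PAGE_SIZE);
	ret = simple_read_from_buffer(buffer, count, offset, kbuf, len);
	kfree(kbuf);
	return ret;
#endif
}

/*
 * Module entry: register /proc/ps_list.  Returns 0, or -ENOMEM if the
 * entry could not be created (the original ignored the result).
 * NOTE(review): from 5.6 proc_create() takes a struct proc_ops instead of
 * a file_operations; that case is not covered by the version checks here.
 */
int __init functn_init(void)
{
#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 10, 0)
	if (!create_proc_read_entry("ps_list", 0, NULL, read_proc, NULL))
		return -ENOMEM;
#else
	/* Fill in the ops before publishing the entry; the original called
	 * proc_create() first, leaving a window in which .read was NULL. */
	proc_file_ops.owner = THIS_MODULE;
	proc_file_ops.read = read_proc;
	if (!proc_create("ps_list", 0, NULL, &proc_file_ops))
		return -ENOMEM;
#endif
	return 0;
}

/* Module exit: remove /proc/ps_list. */
void __exit functn_cleanup(void)
{
	remove_proc_entry("ps_list", NULL);
}

MODULE_AUTHOR("xti9er");
MODULE_LICENSE("GPL");
module_init(functn_init);
module_exit(functn_cleanup);
--------------------------------------------------------------------------------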