Simple process hiding kernel patch

2 Jan, 2009  Debian Linux, Security, Technical

I have updated the process hiding kernel patch described in my previous post. The following patch was created for a vanilla kernel 2.6.27.10 from kernel.org. You should be able to patch also future kernel versions as it is a super simple single-line patch. Just modify one line in the proc_pid_instantiate method of fs/proc/base.c.

diff -U8 -r linux-2.6.27.10/fs/proc/base.c linux-2.6.27.10-prochide/fs/proc/base.c
--- linux-2.6.27.10/fs/proc/base.c      2008-12-18 18:13:59.000000000 +0100
+++ linux-2.6.27.10-prochide/fs/proc/base.c     2008-12-21 04:09:32.000000000 +0100
@@ -2642,17 +2642,17 @@
 {
        struct dentry *error = ERR_PTR(-ENOENT);
        struct inode *inode;
 
        inode = proc_pid_make_inode(dir->i_sb, task);
        if (!inode)
                goto out;
 
-       inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
+       inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
        inode->i_op = &proc_tgid_base_inode_operations;
        inode->i_fop = &proc_tgid_base_operations;
        inode->i_flags|=S_IMMUTABLE;
 
        inode->i_nlink = 2 + pid_entry_count_dirs(tgid_base_stuff,
                ARRAY_SIZE(tgid_base_stuff));
 
        dentry->d_op = &pid_dentry_operations;

All menu configuration options have been stripped from this patch. This is the dimpliest way to accomplish process hiding in a modern Linux System. No need of further explanation.

current patch: prochide-simple-patch_2.6.27.10.diff

Leave a comment

Name: (Required)

eMail: (Required)

Website:

Comment: