[LI] Hiding LKM's -- Beta-test

[Vimal Mathew <vml@xxxxxxxxxxxxx>]

Hi,
	I needed to hide a kernel module I wrote from the "lsmod" or "cat /proc/modules" output. The techniques suggested by Phrack(www.phrack.com) did not work as expected. Going through the sources (/usr/src/linux/kernel/module.c) in my kernel 2.2.13, I came across "struct module kernel_module" and "struct module *module_list=&kernel_module". With these two structures, I came up with a new method to hide my modules. Try adding the following lines to your init_module()...

init_module()
{
    /*  EBX stores address of (struct module) for current module.
        Read Phrack.
     */
    register struct module *mp asm("%ebx");
    struct module *tmp=mp, **modlist;

    /*  New modules are added as 1st element of linklist(stack implementation).
        Parse the module link-list till the end.
     */

    while (tmp->next) tmp=tmp->next;

    /*  "tmp" now points to the kernel_module symbol,
        the next symbol being module_list, the pointer
        to the start of the list.
        Refer /usr/src/linux/kernel/module.c
        Tested on kernel 2.2.13
     */
         modlist = (struct module **)(tmp + 1);

    /*  Modify modlist only if it *really* is pointing to
        start of link list.
     */

    if (*modlist==mp)
        *modlist = mp->next;
..............
.......
}


Could the kernel-hackers out there please test if this method works on other kernels also, or if there are any bugs in this method. Suggestions, better methods are welcome....

--vml,
Model Engg. College
--------------------------------------------------------------------
The Linux India Mailing List Archives are now available.  Please search
the archive at http://lists.linux-india.org/ before posting your question
to avoid repetition and save bandwidth.