
I am starting to develop kernel modules and I wonder about all the methods to know which modules are running in order to remove them (including modules that are hidden).

E.g. the following module has two lines in order to hide itself (it is a typical rootkit development trick):

#include <linux/module.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/list.h>       // list_del_init()
#include <linux/kobject.h>    // kobject_del()

MODULE_LICENSE("GPL");

static int __init example_init(void) {
    list_del_init(&__this_module.list);         // Unlink from the kernel's module list and reinitialize the entry, so lsmod and /proc/modules no longer show it
    kobject_del(&THIS_MODULE->mkobj.kobj);      // Unlink the kobject from the sysfs hierarchy, so /sys/module/<name> disappears
    printk(KERN_INFO "Example: module loaded\n");
    return 0;
}

static void __exit example_exit(void) {
    printk(KERN_INFO "Example: module removed\n");
}

module_init(example_init);
module_exit(example_exit);

When a module is loaded you can see the information with dmesg, lsmod, modinfo, modprobe, /proc/modules, /sys/module or /proc/kallsyms.

My question is whether there exist ways to know (and remove) this module. Obviously, rmmod doesn't work because this module doesn't appear in the /proc/modules list.

sinkmanu
  • If you find such a trick in Linux kernel source tree, feel free to send a patch and correct this – Mali Feb 21 '18 at 15:13
  • I think the OP wants a way to detect such modules running, like if you are implementing some rootkit detecting software, and you have your own kernel module loaded, how can you find a hidden one or ensure there is none? – sheikh_anton Feb 22 '18 at 13:32
  • Exactly @coredump, that's the point. – sinkmanu Feb 22 '18 at 14:16
  • Had you checked what is under */sys/modules/...*? – 0andriy May 12 '18 at 18:57
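A defender-side cross-check for this exact trick, written as an added example (not code from the question or its comments): list_del_init() only unlinks the struct module from the module list and kobject_del() only removes the sysfs entry, but the memory the loader allocated for the module stays visible in /proc/vmallocinfo, so the script flags loader-allocated regions that hold no base address listed in /proc/modules. It assumes the caller names in MODULE_ALLOC_CALLERS (these vary with kernel version and inlining), that it runs as root so /proc/modules shows real addresses, and it works on constructed sample input.

```python
import re

# Symbols that /proc/vmallocinfo reports as the caller for module memory.
# Assumption: exact names vary by kernel version and inlining; extend the tuple
# after checking your own kernel (e.g. grep -i module /proc/vmallocinfo as root).
MODULE_ALLOC_CALLERS = ("module_alloc", "load_module", "move_module", "layout_and_allocate")

# Constructed sample input (not captured from a real system). The third loader
# region below belongs to no listed module: that is what a module which ran
# list_del_init(&__this_module.list) looks like from user space.
SAMPLE_MODULES = """\
xt_tcpudp 20480 1 - Live 0xffffffffc0a3b000
nf_tables 237568 5 xt_tcpudp, Live 0xffffffffc0a50000
"""
SAMPLE_VMALLOC = """\
0xffffffffc0a3b000-0xffffffffc0a42000   28672 load_module+0x1a2/0x2b80 pages=6 vmalloc
0xffffffffc0a50000-0xffffffffc0a8c000  245760 load_module+0x1a2/0x2b80 pages=59 vmalloc
0xffffffffc0b10000-0xffffffffc0b15000   20480 load_module+0x1a2/0x2b80 pages=4 vmalloc
0xffffffffc0000000-0xffffffffc0002000    8192 bpf_jit_binary_alloc+0x5a/0x130 pages=1 vmalloc
"""

def parse_proc_modules(text):
    """Map module name -> base address from /proc/modules
    (fields: name size refcount deps state address; address reads 0x0 unless root)."""
    mods = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[-1].startswith("0x"):
            mods[parts[0]] = int(parts[-1], 16)
    return mods

_VM_LINE = re.compile(r"^0x([0-9a-f]+)-0x([0-9a-f]+)\s+\d+\s+(\S+)")

def parse_vmallocinfo(text):
    """Return (start, end, caller) for every region allocated by the module loader."""
    regions = []
    for line in text.splitlines():
        m = _VM_LINE.match(line)
        if m and m.group(3).split("+")[0] in MODULE_ALLOC_CALLERS:
            regions.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3).split("+")[0]))
    return regions

def find_unlisted_module_regions(modules_text, vmalloc_text):
    """Loader regions that contain no base address of any module listed in /proc/modules."""
    bases = list(parse_proc_modules(modules_text).values())
    return [r for r in parse_vmallocinfo(vmalloc_text)
            if not any(r[0] <= base < r[1] for base in bases)]

if __name__ == "__main__":
    # On a live system, run as root and swap the constructed samples for the real files.
    for start, end, caller in find_unlisted_module_regions(SAMPLE_MODULES, SAMPLE_VMALLOC):
        print(f"unlisted module memory {start:#x}-{end:#x} allocated via {caller}")
```

On kernels that place a module's text, data and rodata in separate allocations, only the region holding the base address is matched, so the other regions of legitimately listed modules are reported too; treat a hit as a lead to confirm with a second source, not as proof.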

0 Answers