Click here to Skip to main content
15,883,751 members
Search within:


Articles / Programming Languages / C
 

Driver to hide files in Linux OS

,
Rate me:
Please Sign up or sign in to vote.
4.44/5 (13 votes)
2 Sep 2012CPOL7 min read 44K   775   34  
Simple driver for Linux OS that performs hiding of the selected files from the system
 
#include <linux/fs.h>
#include <linux/namei.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/version.h>
#include <linux/list.h>
#include "device_file.h"


struct dentry* g_parent_dentry;
struct nameidata g_root_nd;
/*Number of inodes*/
unsigned long* g_inode_numbers;
int g_inode_count=0;

void** g_old_inode_pointer;
void** g_old_fop_pointer;
void** g_old_iop_pointer;

void** g_old_parent_inode_pointer;
void** g_old_parent_fop_pointer;

filldir_t real_filldir;


/***********************File parent OPERATIONS*****************************/
static struct file_operations new_parent_fop =
{
.owner=THIS_MODULE,
.readdir=parent_readdir,
};

static int new_filldir (void *buf, const char *name, int namelen, loff_t offset,u64 ux64, unsigned ino)
{
	unsigned int i=0;
	struct dentry* pDentry;
	struct qstr Current_Name;

	Current_Name.name=name;
	Current_Name.len=namelen;
	Current_Name.hash=full_name_hash (name, namelen);

	pDentry=d_lookup(g_parent_dentry, &Current_Name);
	
	if (pDentry!=NULL)
	{

		for(i=0; i<=g_inode_count-1; i++)
		{
			if (g_inode_numbers[i]==pDentry->d_inode->i_ino) 
			{
		
			return 0;

			}
		}
	}

	return real_filldir (buf, name, namelen, offset, ux64, ino);
}

int parent_readdir (struct file *file, void *dirent, filldir_t filldir)
{	
	g_parent_dentry = file->f_dentry;

	real_filldir = filldir;

	return g_root_nd.path.dentry->d_inode->i_fop->readdir(file, dirent, new_filldir);
}
/********************************FILE OPERATIONS*************************/
static struct file_operations new_fop =
{
	.owner=THIS_MODULE,
	.readdir=new_readdir,
	.release=new_release,
	.open=new_open,
	.read=new_read, 
	.write=new_write,
	.mmap=new_mmap,
};

int new_mmap (struct file * file, struct vm_area_struct * area)
{
	printk( KERN_ALERT "Entered in new_mmap\n");
	return -2;
}

ssize_t new_read (struct file *file1, char __user * u, size_t t, loff_t *ll)
{
	printk( KERN_ALERT "Entered in new_read\n");
	return -2;
}

ssize_t new_write (struct file * file1, const char __user * u, size_t t, loff_t *ll)
{
	printk( KERN_ALERT "Entered in new_write\n");
	return -2;
}

int new_release (struct inode * new_inode, struct file *file)
{
	printk( KERN_ALERT "Entered in new_release \n");
	return -2;
}

int new_flush (struct file *file, fl_owner_t id)
{
	printk( KERN_ALERT "Entered in new_flush \n");
	return -2;
}

int new_readdir (struct file *file, void *dirent, filldir_t filldir)
{
	printk( KERN_ALERT "Entered in new_readdir \n");
	return -2;
}

int new_open (struct inode * old_inode, struct file * old_file)
{
	printk( KERN_ALERT "Entered in new_open \n");
	return -2;
}

/********************************INODE OPERATIONS*************************/
static struct inode_operations new_iop =
{
	.getattr=new_getattr,
	.rmdir=new_rmdir,
};

int new_rmdir (struct inode *new_inode,struct dentry *new_dentry)
{
	printk( KERN_ALERT "Entered in new_rmdir \n");
	return -2;
}

int new_getattr (struct vfsmount *mnt, struct dentry * new_dentry, struct kstat * ks)
{
	printk( KERN_ALERT "Entered in new_getatr \n");
	return -2;
}

/*Allocate memmory for arrays*/
void allocate_memmory()
{
        g_old_inode_pointer=(void*)kmalloc(sizeof(void*),GFP_KERNEL);
        g_old_fop_pointer=(void*)kmalloc(sizeof(void*),GFP_KERNEL);
        g_old_iop_pointer=(void*)kmalloc(sizeof(void*),GFP_KERNEL);

        g_old_parent_inode_pointer=(void*)kmalloc(sizeof(void*),GFP_KERNEL);
        g_old_parent_fop_pointer=(void*)kmalloc(sizeof(void*),GFP_KERNEL);
           
        g_inode_numbers=(unsigned long*)kmalloc(sizeof(unsigned long),GFP_KERNEL);

}

void reallocate_memmory()
{
	/*Realloc memmory for inode number*/
	g_inode_numbers=(unsigned long*)krealloc(g_inode_numbers,sizeof(unsigned long*)*(g_inode_count+1), GFP_KERNEL);
	
	/*Realloc memmory for old pointers*/
	g_old_inode_pointer=(void*)krealloc(g_old_inode_pointer, sizeof(void*)*(g_inode_count+1),GFP_KERNEL);
	g_old_fop_pointer=(void*)krealloc(g_old_fop_pointer, sizeof(void*)*(g_inode_count+1),GFP_KERNEL);
	g_old_iop_pointer=(void*)krealloc(g_old_iop_pointer, sizeof(void*)*(g_inode_count+1),GFP_KERNEL);

  	g_old_parent_inode_pointer=(void*)krealloc(g_old_parent_inode_pointer, sizeof(void*)*(g_inode_count+1),GFP_KERNEL);
  	g_old_parent_fop_pointer=(void*)krealloc(g_old_parent_fop_pointer, sizeof(void*)*(g_inode_count+1),GFP_KERNEL);
}



/*Function for hook functions of specified file*/
unsigned long hook_functions(const char * file_path) 
{
	int error=0;
	struct nameidata nd;

	error = path_lookup ("/root", 0, &g_root_nd);

	if(error) 
	{
		printk( KERN_ALERT "Can't access root\n");

		return -1;
	}

	error = path_lookup (file_path, 0, &nd);

	if(error) 
	{
		printk( KERN_ALERT "Can't access file\n");

		return -1;
	}
	
	if (g_inode_count==0)
	{
		allocate_memmory();
	}

	if (g_inode_numbers==NULL)
	{
			
		printk( KERN_ALERT "Not enought memmory in buffer\n");

	return -1;

	}

	/************************Old pointers**********************************/
	/*Save pointers*/
	g_old_inode_pointer[g_inode_count]=nd.path.dentry->d_inode;
        g_old_fop_pointer[g_inode_count]=(void *)nd.path.dentry->d_inode->i_fop;
        g_old_iop_pointer[g_inode_count]=(void *)nd.path.dentry->d_inode->i_op;

 	g_old_parent_inode_pointer[g_inode_count]=nd.path.dentry->d_parent->d_inode;
        g_old_parent_fop_pointer[g_inode_count]=(void *)nd.path.dentry->d_parent->d_inode->i_fop;

	/*Save inode number*/
	g_inode_numbers[g_inode_count]=nd.path.dentry->d_inode->i_ino;
	g_inode_count=g_inode_count+1;

	reallocate_memmory();

	/*filldir hook*/
	nd.path.dentry->d_parent->d_inode->i_fop=&new_parent_fop;

	/* Hook of commands for file*/
	nd.path.dentry->d_inode->i_op=&new_iop;
	nd.path.dentry->d_inode->i_fop=&new_fop;

	return 0;
 }

/*Function for backup inode pointers of the specified file*/
unsigned long backup_functions()
{	
	int i=0;
	struct inode* pInode;
	struct inode* pParentInode;
		
	for (i=0; i<g_inode_count; i++)
	{
		pInode=g_old_inode_pointer[(g_inode_count-1)-i];
		pInode->i_fop=(void *)g_old_fop_pointer[(g_inode_count-1)-i];
		pInode->i_op=(void *)g_old_iop_pointer[(g_inode_count-1)-i];

		pParentInode=g_old_parent_inode_pointer[(g_inode_count-1)-i];
		pParentInode->i_fop=(void *)g_old_parent_fop_pointer[(g_inode_count-1)-i];
		
	}

	kfree(g_old_inode_pointer);
	kfree(g_old_fop_pointer);
	kfree(g_old_iop_pointer);

	kfree(g_old_parent_inode_pointer);
	kfree(g_old_parent_fop_pointer);

	kfree(g_inode_numbers);

	return 0;
}

By viewing downloads associated with this article you agree to the Terms of Service and the article's licence.

If a file you wish to view isn't highlighted, and is a text file (not binary), please let us know and we'll add colourisation support for it.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Apriorit Inc
Chief Technology Officer Apriorit Inc.
United States United States
ApriorIT is a software research and development company specializing in cybersecurity and data management technology engineering. We work for a broad range of clients from Fortune 500 technology leaders to small innovative startups building unique solutions.

As Apriorit offers integrated research&development services for the software projects in such areas as endpoint security, network security, data security, embedded Systems, and virtualization, we have strong kernel and driver development skills, huge system programming expertise, and are reals fans of research projects.

Our specialty is reverse engineering, we apply it for security testing and security-related projects.

A separate department of Apriorit works on large-scale business SaaS solutions, handling tasks from business analysis, data architecture design, and web development to performance optimization and DevOps.

Official site: https://www.apriorit.com
Clutch profile: https://clutch.co/profile/apriorit
This is a Organisation

33 members

Written By
Semyon Boyko
Team Leader Apriorit
Ukraine Ukraine
This member has not yet provided a Biography. Assume it's interesting and varied, and probably something to do with programming.

Comments and Discussions

Permalink
Advertise
Privacy
Cookies
Terms of Use
Layout: fixed | fluid

Posted 22 Aug 2012

Article Copyright 2012 by Apriorit Inc, Semyon Boyko
Everything else Copyright © CodeProject, 1999-2024

Web02 2.8:2024-04-02:1