Reputation: 65
Inserting a PID in the Linux Hash-Table
Currently I'm working on a Linux-Kernel-Module, that can hide any normal Process. The hiding works fine, but I haven't found a way to unhide the process yet. First I delete the struct task_struct from the big list of task_structs inside the Kernel:
struct task_struct *p;
//Finding the correct task_struct
for_each_process(p)
if(p->pid == pid){
// Removing the task_struct
struct list_head *next = task->tasks.next;
struct list_head *prev = task->tasks.prev;
next->prev=prev;
prev->next=next;
}
But the task_struct is still traceable, because it's inside a hash_table containing every process' task_struct. In fact most of the PID-Lookup is performed by this hash-table. Removing the task-struct from there is a bit tricky:
struct pid *pid; //struct pid of the task_struct
//Deleting for every pid_namespace the pid_chain from the hash_list
for (i = 0; i <= pid->level; i++) {
struct upid *upid = pid->numbers + i;
hlist_del_rcu(&upid->pid_chain);
}
The Problem is to restore both structs: Inserting the task_struct back in the list of task_structs is easy, but I haven't found a way to restore the link in the hash-table. It's difficult, because the kernel doesn't expose the needed structures.
Inside the Kernel, it's done within this line:
hlist_add_head_rcu(&upid->pid_chain,&pid_hash[pid_hashfn(upid->nr, upid->ns)]);
pid_hashfn and pid_hash are defined as follows:
#define pid_hashfn(nr, ns) hash_long((unsigned long)nr + (unsigned long)ns, pidhash_shift)
static struct hlist_head *pid_hash;
And the struct I need to insert, is the pid_chain:
struct hlist_node pid_chain;
So my question is, how can I insert the pid_chain in the correct hash-list? Is there a way to obtain the reference to the hash-list-array, even if it's declared as static?
Or, maybe an uncommon idea: The hash-list is allocated via
pid_hash = alloc_large_system_hash("PID", sizeof(*pid_hash), 0, 18,HASH_EARLY | HASH_SMALL, &pidhash_shift, NULL,0, 4096);
So, if I could get the starting-position of the memory of the hash-list, could I scan the corresponding memoryspace for the pointer of my struct and then cast the surrounding memoryregion to struct of type struct hlist?
Thanks for your help. Every solution or idea is appreciated :)
Upvotes: 2
Views: 1112
Answers (2)
Reputation: 401
The pid_hash can be located in /proc/kallsyms and also is accesible programatically by kallsyms_lookup_name.
Upvotes: 1
Reputation: 121
There is a hash list available in sysmap file. you can check that once.
Upvotes: 1
Related Questions
- PID re-use, edge case?
- How to map pthread_t to pid (on Linux)
- Changing the process ID (PID) in Linux
- Understanding the PID hash table in the linux kernel
- PID file in linux
- PID hash table entries: 4096 (order: 12, 32768 bytes)?
- How Linux kernel allocate PID to a process and is there any way to force kernel to allocate a fixed PID to a process?
- Process ID exhaustion in Linux
- pid of the currently executing process
- About the pid of the process