
I am currently working on an anti-rootkit for Android as a student project. My task is to identify hidden files on the filesystem. Therefore, I want to read the contents of a directory in a kernel module to compare it with the contents of a directory an app might see in user mode (which is probably censored by a rootkit). I know that file I/O is generally a bad idea in kernel mode, but I think this might be an exception.

I used filp_open to open a file and get a struct file. With this I was able to get the inode and dentry structures of the file. I was not able to get the contents of a directory this way. I thought there must be a function for it.

I searched on Stack Overflow and found the vfs_readdir function. The problem is that I have not understood how to use this function. What do I set for the filldir_t parameter, and what do I set for the buffer? How do I retrieve the contents of a directory in a kernel module? Can somebody provide an example? I could not find an easy example on the internet or in the Linux kernel.

Peter L.
hasnoroot
  • What makes you think that the VFS interface would be any more correct for the kernel than it would for userspace? –  Jan 22 '15 at 23:58
  • @duskwuff I found a sample rootkit which just messes with the syscalls to hide files. For the moment and this project, I just want to detect such modifications. This is only the first thing to check, I guess. – hasnoroot Jan 23 '15 at 00:06
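Added example (editor's, not from the question or from any answer on the page). The two things the question asks about are the callback and the state it fills: filldir_t is the function the filesystem calls once per directory entry, and the "buffer" is whatever private structure you want that callback to write into. Which call you make depends on the kernel: before 3.11 it is vfs_readdir(file, actor, priv) and the actor's first argument is that void *priv (the signature is int actor(void *priv, const char *name, int namelen, loff_t offset, u64 ino, unsigned d_type)); from 3.11 vfs_readdir is gone and the call is iterate_dir(file, ctx) with a struct dir_context { actor, pos } that you embed in your own struct and recover with container_of(); from 6.1 the actor returns bool (true to continue) instead of int (0 to continue). The module below targets the 3.11 .. 6.0 signature. The directory path is an assumption, and the userspace #else branch is only a compile shim so the callback and the comparison logic can be run with plain gcc against constructed entries.

```c
/* Added example, not the question's code: list a directory from a kernel module with
 * iterate_dir() (Linux 3.11 .. 6.0) and diff it against what userspace was shown.
 * Built without __KERNEL__, a small shim runs the same logic under plain gcc. */
#ifdef __KERNEL__
#include <linux/module.h>
#include <linux/fs.h>
#include <linux/string.h>
#include <linux/errno.h>
#else
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <errno.h>
typedef unsigned long long u64; typedef long long loff_t;
struct dir_context; typedef int (*filldir_t)(struct dir_context *, const char *, int, loff_t, u64, unsigned int);
struct dir_context { const filldir_t actor; loff_t pos; };
#define container_of(p, T, m) ((T *)((char *)(p) - offsetof(T, m)))
#endif
#define NAME_LEN    256   /* NAME_MAX + NUL */
#define MAX_ENTRIES 256

/* The actor receives only the dir_context, so embed it in our state and recover the
 * state with container_of(). ctx.actor is const in the kernel: initialise, never assign. */
struct name_list {
	struct dir_context ctx;
	char names[MAX_ENTRIES][NAME_LEN];   /* 64 KiB: too big for a kernel stack, keep it static */
	int count;
};
#define NAME_LIST_INIT { .ctx.actor = collect_entry, .ctx.pos = 0 }

/* filldir_t actor: the filesystem's ->iterate() calls it once per entry with the directory
 * lock held. Return 0 to continue, non-zero to stop. `name` is NOT NUL-terminated. */
static int collect_entry(struct dir_context *ctx, const char *name, int namelen,
			 loff_t offset, u64 ino, unsigned int d_type)
{
	struct name_list *nl = container_of(ctx, struct name_list, ctx);
	if (nl->count >= MAX_ENTRIES)
		return -ENOSPC;                  /* stop; the caller gets a short list */
	if (namelen >= NAME_LEN)
		namelen = NAME_LEN - 1;
	memcpy(nl->names[nl->count], name, namelen);   /* exactly namelen bytes, then NUL */
	nl->names[nl->count++][namelen] = '\0';
	return 0;
}

/* Names the kernel walk saw but the userspace listing lacks (what a hooked getdents
 * would drop). Calls report() on each and returns how many there were. */
static int find_hidden(const struct name_list *kview, const struct name_list *uview,
		       void (*report)(const char *))
{
	int i, j, hidden = 0;
	for (i = 0; i < kview->count; i++) {
		for (j = 0; j < uview->count; j++)
			if (strcmp(kview->names[i], uview->names[j]) == 0)
				break;
		if (j == uview->count) {
			hidden++;
			if (report) report(kview->names[i]);
		}
	}
	return hidden;
}

#ifdef __KERNEL__
static struct name_list kview = NAME_LIST_INIT;
static int __init dirlist_init(void)
{
	struct file *dir = filp_open("/data/local/tmp", O_RDONLY | O_DIRECTORY, 0); /* assumed path */
	int i, ret;
	if (IS_ERR(dir))
		return PTR_ERR(dir);
	ret = iterate_dir(dir, &kview.ctx);  /* 0 on success; the names are now in kview */
	filp_close(dir, NULL);
	for (i = 0; i < kview.count; i++)
		pr_info("dirlist: %s\n", kview.names[i]);
	return ret;
}
module_init(dirlist_init);
MODULE_LICENSE("GPL");
#else
/* Userspace stand-in for iterate_dir(): hands constructed entries to the actor. */
static void fake_iterate_dir(struct name_list *nl, const char *const *ents, int n)
{
	for (int i = 0; i < n; i++)
		if (nl->ctx.actor(&nl->ctx, ents[i], strlen(ents[i]), i, 0, 0) != 0)
			break;
}
static void print_hidden(const char *n) { printf("hidden from userspace: %s\n", n); }

/* Constructed sample: the kernel walk sees ".rk_hidden", the app's readdir() does not.
 * Returns the number of hidden names (1 here). */
static int demo_hidden_count(void)
{
	static const char *const kernel_ents[] = { ".", "..", "app.db", ".rk_hidden", "log.txt" };
	static const char *const user_ents[]   = { ".", "..", "app.db", "log.txt" };
	static struct name_list kv = NAME_LIST_INIT, uv = NAME_LIST_INIT;
	kv.count = uv.count = 0;
	fake_iterate_dir(&kv, kernel_ents, 5);
	fake_iterate_dir(&uv, user_ents, 4);
	return find_hidden(&kv, &uv, print_hidden);
}
int main(void) { return demo_hidden_count() == 1 ? 0 : 1; }
#endif
```

Build the kernel side as a normal out-of-tree module (obj-m += dirlist.o) against the target's headers and read the listing from dmesg; to use it as the check the question describes, export kview.names through /proc or debugfs and feed it, together with the names the app got from readdir(), to find_hidden(). Compiling the same file with gcc and running it exercises the actor and the comparison on the constructed entries. One caveat that matches the comment above: this walk sits on top of the filesystem's ->iterate() and the filldir path, so it only catches hooks placed above it, such as a patched syscall table or a wrapped getdents/getdents64; a rootkit that patches the filesystem's own readdir/iterate operation, or the actor call inside dir_emit, lies to this module exactly as it lies to the app.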

0 Answers