m0nad / Diamorphine

LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x/6.x (x86/x86_64 and ARM64)

Add prefix-based process hiding #32

Closed jgru closed 2 years ago

jgru commented 2 years ago

Dear m0nad,

this PR adds the capability to hide processes whose comm-field starts with the string MAGIC_PREFIX.

Thanks already in advance for considering this PR.

Best regards jgru

m0nad commented 2 years ago

Hi @jgru

Thanks for your contribution. But I've some objections:

1 - The objective of Diamorphine is not to be a full-featured rootkit. Instead, it is only to reproduce the Heroin rootkit made by Runar Jensen back in the '90s[1], therefore the name. Nevertheless, this would be a minor change that I'd probably be ok with.

2 - I did some tests, and it seems like - at least on Ubuntu 20.04 with kernel 5.11.0-44-generic - the tasks->comm doesn't come with the full process name when the file/process name is too big, failing to make the process invisible. E.g. for a filename diamorphine_secret_test the content from tasks->comm was diamorphine_sec, making the process visible.

Let me know what you think about it, and feel free to keep your fork with the modification for anyone who wants this feature :)

[1] https://web.archive.org/web/20140701183221/https://www.thc.org/papers/LKM_HACKING.html#A-b
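The truncation m0nad observed comes from the kernel's TASK_COMM_LEN (16 bytes including the NUL), so comm can never hold more than 15 characters of the executable's basename. The following added example (not part of Diamorphine or this PR) reproduces that limit and uses it the way a defender would: to check whether a process's /proc/PID/comm is consistent with its /proc/PID/exe, treating truncation of a long name as expected rather than as a mismatch.

```python
import os

# TASK_COMM_LEN in the Linux kernel is 16 bytes, trailing NUL included,
# so task->comm stores at most 15 characters of the program's basename.
TASK_COMM_LEN = 16


def expected_comm(exe_path: str) -> str:
    """Return the comm string the kernel records when exe_path is exec'd.

    The kernel copies the basename of the executed file and truncates it
    to TASK_COMM_LEN - 1 characters, which is why the page's example
    'diamorphine_secret_test' shows up as 'diamorphine_sec'.
    """
    return os.path.basename(exe_path)[:TASK_COMM_LEN - 1]


def comm_is_consistent(comm: str, exe_path: str) -> bool:
    """True if comm is exactly what exec() would have produced for exe_path.

    A legitimately long name that was truncated is consistent. A mismatch
    means the name was changed after exec (prctl(PR_SET_NAME), scripts run
    through an interpreter) or deliberately spoofed, so treat the result as
    a triage hint, not as proof of tampering.
    """
    return comm == expected_comm(exe_path)


def audit_proc(proc_root: str = "/proc") -> list:
    """Walk proc_root and return (pid, comm, exe) for inconsistent processes.

    Returns an empty list when proc_root does not exist (non-Linux hosts).
    Entries that cannot be read (kernel threads, races, permissions) are skipped.
    """
    if not os.path.isdir(proc_root):
        return []
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/comm") as f:
                comm = f.read().rstrip("\n")
            exe = os.readlink(f"{proc_root}/{entry}/exe")
        except OSError:
            continue
        # The kernel appends " (deleted)" when the binary was removed on disk.
        exe = exe.removesuffix(" (deleted)")
        if not comm_is_consistent(comm, exe):
            findings.append((int(entry), comm, exe))
    return findings
```

Because the comparison is on the truncated basename, a prefix longer than 15 characters can never be matched against comm, which is exactly the failure m0nad hit in testing.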

jgru commented 2 years ago

Hi @m0nad,

thanks for your reply. First of all, I really like the idea of making an up-to-date version of Runar Jensen's Heroin rootkit. Thanks for providing it. Secondly, you are completely right. task->comm is limited to 16 bytes. I thought it was nevertheless valuable. To read the full command line of a process, a bunch more code would be needed, I think. Therefore, I'll just keep it in my fork. Feel free to close this PR.

Thank you!