Author of Project Adrishya, a rootkit which uses the ftrace mechanism to hook syscalls (writing this because God commanded me). Credit: Oleksii Lozovskyi (ilammy), founder of ftrace hooking.

malefax/Adrishya


Adrishya(अदृश्य)

SHIV

Introduction

Adrishya is a Linux kernel module that uses ftrace (the Linux kernel's function tracer) to hook the mkdir system call. It blocks directory creation by intercepting the system call responsible for creating directories and changing its behavior. This can serve security purposes, such as preventing unauthorized directories from being created on a system. The module also demonstrates how kernel hooks, credential manipulation, and ftrace-based hooking can be combined to both monitor and control system behavior efficiently and stealthily.

NOTE

For the latest version of the project, please switch to the tcp branch.

Hook mkdir POC

flowchart TD
    subgraph "User Space"
        A[User Program] -..->|mkdir syscall| B[VFS Layer]
    end

    subgraph "Kernel Space"
        B -..->|Call| C["__x64_sys_mkdir"]
        
        subgraph "Normal Flow"
            C -->|Original Call| D[Regular mkdir\nprocessing]
            D -->|Success| E[Directory Created]
        end
        
        subgraph "Hooked Flow"
            C -.->|Intercept| F["hook_mkdir"]
            F -->|1| G[Copy Path from\nUser Space]
            G -->|2| H[Log Attempt]
            H -.->|3| I[Return -EACCES\nBlock Creation]
        end
    end

    subgraph "Hook Installation"
        K[Module Load] -.->|1| L[Resolve\n__x64_sys_mkdir\nAddress]
        L -.->|2| M[Setup ftrace ops]
        M -.->|3| N[Install Hook]
        N -.->|4| F
    end

    classDef userspace fill:#f9f,stroke:#333,stroke-width:2px,color:#000;
    classDef kernel fill:#bbf,stroke:#333,stroke-width:2px,color:#000;
    classDef hook fill:#fda,stroke:#333,stroke-width:2px,color:#000;
    classDef block fill:#faa,stroke:#333,stroke-width:2px,color:#000;
    classDef installation fill:#dfd,stroke:#333,stroke-width:2px,color:#000;

    class A userspace;
    class B,C,D kernel;
    class F,G hook;
    class I block;
    class K,L,M,N installation;

Caution

Only works on x86_64. To check the architecture of your Linux system, run:
uname -m

Check that the syscall symbol is present:
cat /proc/kallsyms | grep sys_mkdir

In my case:
ffffffff90babf40 T __x64_sys_mkdir
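The kallsyms lookup above is also the starting point for the defender-side check a practitioner would want: an ftrace hook installed the way this module does it (an ftrace_ops with a filter on the target function) leaves the target listed in the tracefs enabled_functions file while the callback is attached. The script below is an added example written for this README and is not part of the Adrishya project code. It assumes tracefs is mounted at /sys/kernel/tracing (or the legacy /sys/kernel/debug/tracing), and that /proc/kallsyms shows all-zero addresses to unprivileged readers when kptr_restrict is set (the symbol names still appear, so the check works either way). The kallsyms and enabled_functions text embedded in it is constructed so the script runs offline; a hit on a real system is a lead, not proof, since a legitimately enabled function tracer also attaches callbacks, and an empty list does not prove a clean kernel.

```python
"""Flag syscall entry points that currently have an ftrace callback attached.

Added example for the Adrishya README, not project code. Assumes tracefs at
/sys/kernel/tracing or /sys/kernel/debug/tracing; sample data is constructed.
"""
import re
from pathlib import Path

KALLSYMS = Path("/proc/kallsyms")
TRACEFS_CANDIDATES = [
    Path("/sys/kernel/tracing/enabled_functions"),
    Path("/sys/kernel/debug/tracing/enabled_functions"),
]

# Constructed sample of /proc/kallsyms. The __x64_sys_mkdir line mirrors the
# README; the zeroed rmdir line shows what a kptr_restrict'ed reader sees.
SAMPLE_KALLSYMS = """\
ffffffff90bab0c0 T __x64_sys_chdir
ffffffff90babf40 T __x64_sys_mkdir
ffffffff90babf40 T __ia32_sys_mkdir
ffffffff90bac1a0 t do_mkdirat
0000000000000000 T __x64_sys_rmdir
"""

# Constructed sample of tracefs enabled_functions while one ftrace_ops is
# filtered on __x64_sys_mkdir. Real output is "<symbol> (<ops count>) <flags> ...";
# the trampoline details after the count vary by kernel version.
SAMPLE_ENABLED = """\
__x64_sys_mkdir (1) R I  tramp: 0xffffffffc0a2d000 (hypothetical_module_callback+0x0/0x80)
"""

SYSCALL_ENTRY = re.compile(r"^__(x64|ia32)_sys_")


def parse_kallsyms(text):
    """Map symbol name -> (address or None, type). None marks a hidden address."""
    syms = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        addr, typ, name = parts[0], parts[1], parts[2]
        hidden = set(addr) == {"0"}
        syms[name] = (None if hidden else int(addr, 16), typ)
    return syms


def syscall_entries(syms, name):
    """Arch-specific entry symbols for a syscall, e.g. __x64_sys_mkdir."""
    pat = re.compile(rf"^__(x64|ia32)_sys_{re.escape(name)}$")
    return sorted(s for s in syms if pat.match(s))


def parse_enabled_functions(text):
    """Map function name -> number of ftrace ops attached to it."""
    hooked = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+\((\d+)\)", line)
        if m:
            hooked[m.group(1)] = int(m.group(2))
    return hooked


def find_hooked_syscalls(kallsyms_text, enabled_text):
    """Return {entry_symbol: ops_count} for syscall entries with ftrace callbacks."""
    syms = parse_kallsyms(kallsyms_text)
    hooked = parse_enabled_functions(enabled_text)
    return {s: n for s, n in hooked.items() if s in syms and SYSCALL_ENTRY.match(s)}


def read_live():
    """Read the real files; return None if tracefs is absent or unreadable."""
    enabled = next((p for p in TRACEFS_CANDIDATES if p.exists()), None)
    if enabled is None:
        return None
    try:
        return KALLSYMS.read_text(), enabled.read_text()
    except PermissionError:
        return None


if __name__ == "__main__":
    live = read_live()
    if live is None:
        print("tracefs not readable (not mounted or not root); using constructed sample")
        live = (SAMPLE_KALLSYMS, SAMPLE_ENABLED)
    ksyms, enabled = live
    print("mkdir entry symbols:", syscall_entries(parse_kallsyms(ksyms), "mkdir"))
    hits = find_hooked_syscalls(ksyms, enabled)
    for sym, count in sorted(hits.items()):
        print(f"ftrace callback attached to {sym} ({count} ops): investigate")
    if not hits:
        print("no syscall entry points with ftrace callbacks listed")
```

Run it as root on the target host; with the sample data it reports __x64_sys_mkdir as hooked. Pair a hit with lsmod and the dmesg lines shown in the Status section below to attribute the callback to a module.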

Installation

1. Clone the repository:
git clone https://github.com/malefax/Adrishya.git

2. Change into the directory:
cd Adrishya/

3. Build the module:
sudo make

Uses

Insert the module with:
sudo insmod Adrishya.ko

Now try to create a directory in a new bash session:
mkdir test

Result

mkdir: cannot create directory ‘test’: Permission denied

Status

dmesg | tail -n 5
[ 5195.072954] mkdir_monitor: Loaded
[ 5215.531106] Directory creation blocked: test

Check out my blog post about the project: here
