Hi,
I am a kernel newbie. To better understand the proc filesystem implementation and how the kernel root kits work, I am trying to modify the fs/proc code to hide a pid to be displayed under /proc. I have created a system call to pass a flag(to task struct for that process), to temporarily hide a process to be displayed. The next step as I understand would be to modify the proc fs code so that when I scan the task list to display /proc/<pid> entries, it should check my flag and not display a directory for that pid if the flag is set.

Now, my problem is, I am not able to figure out how/where the proc fs scans the task structure list in order to display /proc/<pid> entry. Does somebody have any suggestions to me? Any help will be greatly appriciated.

This is the first time I am modifying the kernel and also adding new modules to the kernel. Please excuse if the question is very trivial..

Thanks a lot,
Nisha

"The processes' directories (...) are added dynamically, and presented to the VFS layer if readdir (...) is called." (Palmers) But rootkit study, even if thwarted by recent kernel developments, really isn't a suitable topic for Linuxquestions.org.