Adrishya is a Linux kernel module that uses ftrace (the Linux kernel's function tracer) to hook the `mkdir` system call handler, `__x64_sys_mkdir`. The hook intercepts every directory-creation request, copies the requested path from user space, logs it, and returns `-EACCES` instead of calling the original handler, so the request fails with "Permission denied". This can be used for security purposes, for example to prevent unauthorized directories from being created on a system.
The module also demonstrates how ftrace-based function hooking, credential manipulation, and kernel logging can be combined to both monitor and control system behaviour from inside the kernel with little overhead and a small visible footprint. The same hooking technique is used by kernel-mode rootkits, so it is worth understanding from the detection side as well.
For the latest version of the project, switch to the branch that matches your architecture:
- x86_64: use the tcp branch.
- arm64: use the arm branch.
```mermaid
flowchart TD
    subgraph "User Space"
        A[User Program]
    end
    subgraph "Kernel Space"
        B[Syscall entry]
        B -.->|Call| C["__x64_sys_mkdir"]
        subgraph "Normal Flow"
            C -->|Original Call| D[Regular mkdir\nprocessing in the VFS]
            D -->|Success| E[Directory Created]
        end
        subgraph "Hooked Flow"
            C -.->|Intercept| F["hook_mkdir"]
            F -->|1| G[Copy Path from\nUser Space]
            G -->|2| H[Log Attempt]
            H -.->|3| I[Return -EACCES\nBlock Creation]
        end
        subgraph "Hook Installation"
            K[Module Load] -.->|1| L[Resolve\n__x64_sys_mkdir\nAddress]
            L -.->|2| M[Setup ftrace ops]
            M -.->|3| N[Install Hook]
            N -.->|4| F
        end
    end
    A -.->|mkdir syscall| B
    classDef userspace fill:#f9f,stroke:#333,stroke-width:2px,color:#000;
    classDef kernel fill:#bbf,stroke:#333,stroke-width:2px,color:#000;
    classDef hook fill:#fda,stroke:#333,stroke-width:2px,color:#000;
    classDef block fill:#faa,stroke:#333,stroke-width:2px,color:#000;
    classDef installation fill:#dfd,stroke:#333,stroke-width:2px,color:#000;
    class A userspace;
    class B,C,D kernel;
    class F,G hook;
    class I block;
    class K,L,M,N installation;
```
The current branch only works on x86_64: the hook resolves the x86_64-specific syscall entry point `__x64_sys_mkdir`.

To check the architecture of the Linux system:
```
uname -m
```
Check that the syscall entry point is present in the kernel symbol table. Run this as root: with `kptr_restrict` set, an unprivileged user sees every address as all zeros.
```
sudo grep sys_mkdir /proc/kallsyms
```
In my case:
```
ffffffff90babf40 T __x64_sys_mkdir
```
The pattern also matches `__x64_sys_mkdirat` (and `__ia32_sys_mkdir` if 32-bit emulation is enabled); the module needs the exact `__x64_sys_mkdir` line.
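The same two pre-flight checks done from C, as an added example (not code from Adrishya): `machine_is_x86_64()` is the `uname -m` test, and `kallsyms_lookup()` parses kallsyms-format text with exact symbol matching, distinguishing a symbol that is present, one whose address is hidden by `kptr_restrict`, and one that is absent. The sample kallsyms text is constructed for the example; only the `__x64_sys_mkdir` line is the README's real output, the `__x64_sys_mkdirat` address is made up.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

/* Added example, not part of Adrishya. */

enum { SYM_FOUND = 1, SYM_HIDDEN = 0, SYM_ABSENT = -1 };

/* Parse one /proc/kallsyms line: "<addr> <type> <name>[\t[module]]".
 * Returns 1 and copies the address text into addr when name equals sym
 * exactly (so __x64_sys_mkdirat and __ia32_sys_mkdir do not match), else 0. */
int kallsyms_match(const char *line, const char *sym, char *addr, size_t addrlen)
{
    char a[32], type[4], name[128];

    if (sscanf(line, "%31s %3s %127s", a, type, name) != 3)
        return 0;
    if (strcmp(name, sym) != 0)
        return 0;
    snprintf(addr, addrlen, "%s", a);
    return 1;
}

/* An all-zero address means the kernel hides pointers from this caller
 * (kptr_restrict); the symbol exists but the check must be re-run as root. */
static int classify_addr(const char *addr)
{
    return strspn(addr, "0") == strlen(addr) ? SYM_HIDDEN : SYM_FOUND;
}

/* Search a newline-separated kallsyms buffer for sym. */
int kallsyms_lookup(const char *buf, const char *sym, char *addr, size_t addrlen)
{
    const char *p = buf;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];

        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            if (kallsyms_match(line, sym, addr, addrlen))
                return classify_addr(addr);
        }
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return SYM_ABSENT;
}

/* Equivalent of `uname -m` compared against the only supported machine. */
int machine_is_x86_64(void)
{
    struct utsname u;

    return uname(&u) == 0 && strcmp(u.machine, "x86_64") == 0;
}

/* Constructed sample inputs: what root sees, and what an unprivileged
 * user sees with kptr_restrict in effect. The mkdirat address is made up. */
static const char SAMPLE_ROOT[] =
    "ffffffff90babf40 T __x64_sys_mkdir\n"
    "ffffffff90babf80 T __x64_sys_mkdirat\n";
static const char SAMPLE_UNPRIV[] =
    "0000000000000000 T __x64_sys_mkdir\n"
    "0000000000000000 T __x64_sys_mkdirat\n";

int main(void)
{
    char addr[32], line[256];
    int rc = SYM_ABSENT;
    FILE *f;

    printf("machine is x86_64: %s\n", machine_is_x86_64() ? "yes" : "no");

    /* Live check against the running kernel (needs root for a real address). */
    f = fopen("/proc/kallsyms", "r");
    if (f) {
        while (fgets(line, sizeof line, f)) {
            if (kallsyms_match(line, "__x64_sys_mkdir", addr, sizeof addr)) {
                rc = classify_addr(addr);
                break;
            }
        }
        fclose(f);
    }
    printf("__x64_sys_mkdir: %s\n",
           rc == SYM_FOUND  ? addr :
           rc == SYM_HIDDEN ? "present but address hidden (run as root)" :
                              "absent (wrong architecture or kernel)");
    return rc == SYM_FOUND ? 0 : 1;
}
```

Run it once as a normal user and once with `sudo` to see the difference between "hidden" and a real address; an "absent" result on an arm64 box is expected, since that architecture does not use the `__x64_` prefix.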
1. Clone the repository:
```
git clone
```
2. Change into the directory:
```
cd Adrishya/
```
3. Build the module (the kernel headers for the running kernel must be installed; root is not needed for this step, only for loading):
```
sudo make
```
4. Insert the kernel module:
```
sudo insmod Adrishya.ko
```
Now try to create a directory in a new shell session:
```
mkdir test
```
```
mkdir: cannot create directory ‘test’: Permission denied
```
The kernel log shows the module loading and the blocked attempt:
```
dmesg | tail -n 5
```
```
[ 5195.072954] mkdir_monitor: Loaded
[ 5215.531106] Directory creation blocked: test
```
While the module is loaded the hook is also visible to ftrace itself: `sudo cat /sys/kernel/tracing/enabled_functions` (`/sys/kernel/debug/tracing/enabled_functions` on older kernels) lists `__x64_sys_mkdir` as having a callback attached. Note that only the `mkdir` syscall is hooked; `mkdirat(2)` has its own entry point, `__x64_sys_mkdirat`, and is not affected.
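A user-space probe for the behaviour just shown, added here as an example and not part of the project: it issues the raw `mkdir` and `mkdirat` syscalls on a scratch path under `/tmp`, classifies each result as created, blocked with `EACCES` (what the hook returns) or some other error, and cleans up after itself. With Adrishya loaded, the `mkdir` probe reports "blocked" while the `mkdirat` probe still creates the directory, because `__x64_sys_mkdirat` is a separate entry point. The `/tmp/adrishya_probe_*` path naming is this example's own choice.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Added example, not part of Adrishya. */

enum probe_result { PROBE_CREATED = 0, PROBE_BLOCKED = 1, PROBE_ERROR = -1 };

/* Raw syscalls, so the result does not depend on which wrapper the C
 * library picks for mkdir(). SYS_mkdir does not exist on arm64, where only
 * mkdirat is in the syscall table. */
static long raw_mkdir(const char *path, mode_t mode)
{
#ifdef SYS_mkdir
    return syscall(SYS_mkdir, path, mode);
#else
    (void)path; (void)mode;
    errno = ENOSYS;
    return -1;
#endif
}

static long raw_mkdirat(const char *path, mode_t mode)
{
    return syscall(SYS_mkdirat, AT_FDCWD, path, mode);
}

/* Try to create `path` with the given syscall, classify the outcome, and
 * remove the directory again if it was actually created. */
static int probe(const char *path, long (*creator)(const char *, mode_t))
{
    if (creator(path, 0700) == 0) {
        rmdir(path);
        return PROBE_CREATED;
    }
    if (errno == EACCES)
        return PROBE_BLOCKED;   /* the -EACCES the hook returns */
    return PROBE_ERROR;         /* EEXIST, ENOENT, EROFS, ENOSYS, ... */
}

int probe_mkdir(const char *path)   { return probe(path, raw_mkdir); }
int probe_mkdirat(const char *path) { return probe(path, raw_mkdirat); }

/* Build a unique scratch path so repeated runs do not collide. Returns 0 on
 * success, -1 if the buffer is too small. */
int make_probe_path(char *buf, size_t len, const char *tag)
{
    int n = snprintf(buf, len, "/tmp/adrishya_probe_%ld_%s", (long)getpid(), tag);

    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

static const char *describe(int r)
{
    switch (r) {
    case PROBE_CREATED: return "created (no hook on this syscall)";
    case PROBE_BLOCKED: return "blocked with EACCES";
    default:            return "other error";
    }
}

int main(void)
{
    char p1[128], p2[128];

    if (make_probe_path(p1, sizeof p1, "mkdir") != 0 ||
        make_probe_path(p2, sizeof p2, "mkdirat") != 0)
        return 1;
    printf("mkdir(2)   %s: %s\n", p1, describe(probe_mkdir(p1)));
    printf("mkdirat(2) %s: %s\n", p2, describe(probe_mkdirat(p2)));
    return 0;
}
```

Compile with `cc -o probe probe.c` and run it before and after `insmod`; the `mkdirat` line stays "created" in both cases, which is the gap a complete blocker would also have to close (the `io_uring` `IORING_OP_MKDIRAT` operation does not pass through the syscall entry points at all).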
Check out my blog post about the project: here