How to Find The List of Processes Using a Particular Kernel Module

Make a system call to get list of processes

Why would you implement a system call for this? You don't want to add a syscall to the existing Linux API. This is the primary Linux interface to userspace and nobody touches syscalls except top kernel developers who know what they do.

If you want to get a list of processes and their parameters and real-time statuses, use /proc. Every directory that's an integer in there is an existing process ID and contains a bunch of useful dynamic files which ps, top and others use to print their output.

If you want to get a list of processes within the kernel (e.g. within a module), you should know that the processes are kept internally as a doubly linked list that starts with the init process (symbol init_task in the kernel). You should use macros defined in include/linux/sched.h to get processes. Here's an example:

#include <linux/module.h>
#include <linux/printk.h>
#include <linux/sched.h>

static int __init ex_init(void)
{
    struct task_struct *task;

    for_each_process(task)
        pr_info("%s [%d]\n", task->comm, task->pid);

    return 0;
}

static void __exit ex_fini(void)
{
}

module_init(ex_init);
module_exit(ex_fini);

This should be okay to gather information. However, don't change anything in there unless you really know what you're doing (which will require a bit more reading).

Access scheduled instructions of process in kernel module

I'm guessing this is a follow on from your last question. You are correct that through a task_struct you can get access to a processes program counter (also called instruction pointer on x86). I will answer for x86 as you indicated that you are interested in finding instructions specific to that instruction set.

You should have a look in the file arch/x86/include/asm/processor.h. It contains quite a few helper macros and functions so you don't have to reinvent the wheel. One of the ones that is most likely to be of interest to you is task_pt_regs(task). This macro will give you all of the register values associated with a given task. These values are contained in a struct pt_regs. You can see the definition of this struct in arch/x86/include/asm/ptrace.h. The member that you are interested in is unsigned long ip.

You now have a memory address that points to the next instruction to be executed by the process. This will need to be converted to a physical address to be usable to you though. That is a topic for another question though.

One brief note, to answer the question in your comment. Instructions are not stored in some data structure like a linked list. They are simply in a sequence one after another with all of their operands. You should think about it more like a binary file that can be parsed by the processor.

How to monitor process creation and statistics using kernel module

What you're describing sounds eerily like the Linux process accounting system, which already exists in the kernel. If it isn't an exact fit, your best bet will be to consider extending it, rather than building something entirely new.

Another existing system to look at will be the process events connector, which can be used to notify userspace processes when other processes are created and exit.

printing number of processes in kernel module

If anyone is still looking how to do this, I solved this sometime ago, Here is the solution.
This works for debian Linux 3.16 version. If you want to take look at the code which is here.

https://github.com/st0rmi/rootkit_programming/blob/master/assignment01/assignment01_mod.c

---

Related Topics