Linux – Do both lsmod and /proc/modules use the same mechanism to retrieve modules


I can get a list of modules using either lsmod or cat /proc/modules. Do the two approaches use the same mechanism to retrieve the modules? I want to know this as we could use it to find some hidden malicious modules.

Best Answer

They are both reading the same kernel interface to produce the list. However, a rootkit may alter lsmod to hide modules, but there are myriad ways to read /proc/modules, and it would be near impossible for a rootkit to modify all of them.

If you're doing something programmatic it doesn't really matter which one you use, but lsmod is much more human-readable.

Update: To include examples.

cat /proc/modules
more /proc/modules
less /proc/modules
view /proc/modules
uniq /proc/modules
uniq < /proc/modules
grep . /proc/modules
grep . < /proc/modules
awk '{print}' /proc/modules
awk '{print}' < /proc/modules
sed 's/\(.\)/\1/' < /proc/modules
echo "$(</proc/modules)"
perl -p -e ";" < /proc/modules
nc -l 11111 & nc localhost 11111 < /proc/modules

Etc., etc., etc. Anything that can read text can display the contents. These are just a few that I thought of in under a minute. If I thought about it I could come up with some really esoteric ways.
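The comparison the answer implies, as an added example that is not part of the original post: take the module names from lsmod output and from /proc/modules and report any name lsmod leaves out. The function names and the sample module `examplemod` are constructed for illustration. Because both sources read the same kernel interface, this only detects a tampered lsmod binary, not a module removed from the kernel's own list.

```shell
#!/bin/sh
# Added example: cross-check lsmod output against /proc/modules.
# Both inputs are files, so the check also works on captured output.

# /proc/modules lines: "name size refcount deps state address [taint]"
names_from_proc() {
    awk '{print $1}' "$1" | LC_ALL=C sort -u
}

# lsmod output: skip the "Module  Size  Used by" header line.
names_from_lsmod() {
    awk 'NR > 1 {print $1}' "$1" | LC_ALL=C sort -u
}

# Print module names present in /proc/modules but absent from lsmod.
# $1 = file holding lsmod output, $2 = /proc/modules (or a copy of it)
missing_from_lsmod() {
    tmp_l=$(mktemp) && tmp_p=$(mktemp) || return 2
    names_from_lsmod "$1" > "$tmp_l"
    names_from_proc "$2" > "$tmp_p"
    # comm -13 keeps only lines unique to the second (sorted) file.
    LC_ALL=C comm -13 "$tmp_l" "$tmp_p"
    rm -f "$tmp_l" "$tmp_p"
}

# Constructed sample data: lsmod output that omits "examplemod".
sample_check() {
    d=$(mktemp -d) || return 2
    cat > "$d/proc_modules" <<'EOF'
ext4 1000000 2 - Live 0x0000000000000000
mbcache 16384 1 ext4, Live 0x0000000000000000
examplemod 16384 0 - Live 0x0000000000000000 (OE)
EOF
    cat > "$d/lsmod_out" <<'EOF'
Module                  Size  Used by
ext4                 1000000  2
mbcache                16384  1 ext4
EOF
    missing_from_lsmod "$d/lsmod_out" "$d/proc_modules"
    rm -rf "$d"
}
```

On a live system, save the output of lsmod to a file and pass it as the first argument, with /proc/modules as the second; any name printed is worth investigating.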