
I can get a list of modules using either lsmod or cat /proc/modules. Do the two approaches use the same mechanism to retrieve the modules? I want to know this as we could use it to find some hidden malicious modules.

3 Answers


They are both reading the same kernel interface to produce the list. However, a rootkit may alter lsmod to hide modules, but there are myriad ways to read /proc/modules, and it would be near impossible for a rootkit to modify all of them.

If you're doing something programmatic it doesn't really matter which one you use, but lsmod is much more human readable.

Update: To include examples.

cat /proc/modules
more /proc/modules
less /proc/modules
view /proc/modules
uniq /proc/modules
uniq < /proc/modules
grep . /proc/modules
grep . < /proc/modules
awk '{print}' /proc/modules
awk '{print}' < /proc/modules
sed 's/\(.\)/\1/' < /proc/modules
echo "$(</proc/modules)"
perl -p -e ";" < /proc/modules
nc -l 11111 & nc localhost 11111 < /proc/modules

Etc., etc., etc. Anything that can read text can display the contents. These are just a few that I thought of in under a minute. If I thought about it I could come up with some really esoteric ways.

  • "there are myriad ways to read /proc/modules" could you please elaborate more on that?
    – user61954
    Commented Jan 9, 2011 at 9:15
  • I'm not sure if you get notified that I edited my answer to include examples, but I did.
    – bahamat
    Commented Jan 9, 2011 at 9:41

If the rootkit works at the kernel level (as a module for instance), you cannot rely on the info provided by /proc/modules. Furthermore, you cannot rely on lsmod either as it pretty-prints /proc/modules.


We could look up the source code, but if you are lazy like me:

sudo strace lsmod |& grep -E '(proc|sys)'

Shows interesting hits such as:

open("/proc/modules", O_RDONLY|O_CLOEXEC) = 3
open("/sys/module/ipt_MASQUERADE/refcnt", O_RDONLY|O_CLOEXEC) = 3

so we may guess that most of the info comes from /proc/modules and /sys/module/*.
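The strace output shows lsmod consulting two kernel views of the same state, /proc/modules and /sys/module, and the first answer argues that the more independent readers you have, the harder it is to tamper with all of them consistently. The script below is an added example written for this page, not code from any of the answerers: it parses the /proc/modules text format (name, size, refcount, dependents, state, address), collects the loadable-module names under /sys/module (an entry there is loadable rather than built-in only if it has an "initstate" file), and reports any name the second source knows that the first does not list. The sample data, including the module name "hidden_mod", is constructed for the demo so the script runs offline; on a live system, call report_unlisted with the real /proc/modules contents and sys_module_names, as in the comment at the bottom.

```shell
#!/bin/sh
# Added example (not from the original answers): cross-check the module list
# in /proc/modules against the loadable modules known to /sys/module.

# Constructed sample text in /proc/modules format:
#   name size refcount dependents state address
SAMPLE_PROC='nf_nat 45056 1 ipt_MASQUERADE, Live 0x0000000000000000
ipt_MASQUERADE 16384 1 - Live 0x0000000000000000
xt_conntrack 16384 2 - Live 0x0000000000000000'

# Constructed sample of loadable-module names as sys_module_names() would
# produce them. "hidden_mod" is a made-up name present here but not above.
SAMPLE_SYS='xt_conntrack
hidden_mod
ipt_MASQUERADE
nf_nat'

# Module names from /proc/modules-format text on stdin, one per line, sorted.
# A well-formed line has at least six fields; anything shorter is ignored.
proc_module_names() {
    awk 'NF >= 6 { print $1 }' | sort
}

# Names of loadable modules according to /sys/module on the live system.
# Built-in code also gets a directory there, but only a loadable module
# has an initstate file, so that is the filter.
sys_module_names() {
    for d in /sys/module/*/; do
        [ -f "${d}initstate" ] && basename "$d"
    done | sort
}

# Print names present in the second list but absent from the first.
# Both arguments are newline-separated lists; comm(1) needs sorted input,
# so both are sorted again here to be safe.
only_in_second() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" | sort > "$tmp"
    printf '%s\n' "$2" | sort | comm -13 "$tmp" -
    rm -f "$tmp"
}

# Report loadable modules that /sys/module knows about but /proc/modules
# does not list. Any output means the two kernel views disagree and that
# name deserves a closer look (the reverse direction is checked the same way).
# $1: /proc/modules text, $2: newline-separated list of /sys/module names.
report_unlisted() {
    proc_names=$(printf '%s\n' "$1" | proc_module_names)
    sys_names=$(printf '%s\n' "$2" | sort)
    only_in_second "$proc_names" "$sys_names"
}

# Demo on the constructed samples. On a live system use instead:
#   report_unlisted "$(cat /proc/modules)" "$(sys_module_names)"
report_unlisted "$SAMPLE_PROC" "$SAMPLE_SYS"
```

An empty report only says the two interfaces agree with each other; a module that hides itself from the kernel's own module list, as the second answer notes, will be absent from both, so this check catches inconsistent tampering, not a complete one.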
