Awesome-Mirrors
/
awesome-linux-rootkits
mirror of https://github.com/milabs/awesome-linux-rootkits.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update README.md

This commit is contained in:
Ilya V. Matveychikov 2018-07-02 14:26:08 +04:00 committed by GitHub
parent 6cec0399c4
commit 083a00df40
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -9,6 +9,7 @@ Environment:
Core capabilities:
- Persistency
- Management interface
- Altering system (library) behaviour
Stealth capabilities:
- Detection evasion
@ -24,7 +25,7 @@ Hiding stuff capabilities:
Additional functions:
- Keylogger
- Backdoor/shell
- Gain priveleges
- Gaining priveleges
## :see_no_evil: user mode rootkits
@ -67,6 +68,7 @@ Additional functions:
| Environment | 2.6.x/3.x/4.x (x86) | `sys_call_table` search method is x86-only |
| Persistency | /etc/modules or /etc/rc.modules | Boot-time module loading using OS-specific startup files. |
| Management interface | `kill(2)` | `sys_call_table[__NR_kill]` |
| Altering system (library) behaviour | Hooking of system calls | `sys_call_table` patching using `CR0/WP` |
| Hiding (tampering) of file contents | Filtering while reading | `sys_call_table[__NR_read]` |
| Hiding of files and directories | Filtering of directory entries | `sys_call_table[__NR_getdents]` `sys_call_table[__NR_getdents64]` |
| Hiding of processes and process trees | Filtering of `/proc` | Filtering PID-like numeric entries while listing `/proc`. Hidden tasks are marked using `task->flags \| 0x10000000`. Not able to hide all threads and children of hidden (parent) process. |