Update reptile.md

details/reptile.md

@@ -7,8 +7,8 @@ https://github.com/f0rb1dd3n/Reptile
 
 ## Environment
 
+- x86, x86_64
 - Linux kernel 2.6.x/3.x/4.x
-- x86 (`sys_call_table` search method is x86-only)
 
 ## Persistency
 
@@ -16,46 +16,71 @@ Boot-time module loading using OS-specific startup files:
  - /etc/modules (debian/ubuntu)
  - /etc/rc.modules (redhat/centos/fedora)
 
+https://github.com/linux-rootkits/Reptile/blob/master/setup.sh#L296
+
 ## Detection evasion
 
 Rootkit is trying to evade from detection by:
  - hiding files by name
+   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L575
+   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L619
  - tampering contents of startup files while reading
- - hiding kernel module by unlinking from `module_list`
+   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L638
+ - hiding kernel module by unlinking from `modules`-list
+   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L145
+   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L157
 
 ## Management interface
 
-Implemented via `kill(2)` by hooking `sys_call_table[__NR_kill]` entry. Supported commands are:
+Implemented via `kill(2)` by hooking `sys_call_table[__NR_kill]` entry:
+ - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L509
+ 
+ Supported commands are:
  - hiding/unhiding processes
+   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L518
  - hiding/unhiding rootkit's module
+   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L514
  - enabling/disabling of tampering file content function
+   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L524
  - gaining root priveleges to calling process
+   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L528
 
 ## Altering system behaviour
 
 Hooking of system calls by patching syscall-handlers in `sys_call_table[]`:
  - to write to read-only page `CR0/WP` technique used (x86-only)
+   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L681
  - netfilter hook (`NF_IP_PRI_FIRST`)
+   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L356
+   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L687
 
 ## Hiding (tampering) of file contents
 
 Filtering of file content while reading:
  - hook `sys_call_table[__NR_read]`
+   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L638
 
 ## Hiding of files and directories
 
 Filtering of directory entries:
  - hook `sys_call_table[__NR_getdents]`
+   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L594
  - hook `sys_call_table[__NR_getdents64]`
+   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L550
 
 ## Hiding of processes and process trees
 
 Filtering PID-like numeric entries while listing `/proc`:
  - getdents/getdents64 hook used
+   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L619
  - hidden tasks are marked using `task->flags` (bit `0x10000000`)
+   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L189
 
 ## Backdoor/shell
 
 Reverse shell spawning by port-knocking-like technique:
  - magic packet with token used (`ICMP/UDP/TCP`)
+   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L356
  - spawning root-shell connection to remote host
+   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L328
+   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L210