Awesome-Mirrors
/
awesome-linux-rootkits
mirror of https://github.com/milabs/awesome-linux-rootkits.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update rkduck.md

This commit is contained in:
Ilya V. Matveychikov 2018-07-04 18:32:44 +04:00 committed by GitHub
parent 23c95e7c68
commit 63197cb654
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
details/rkduck.md
View File

@ -56,7 +56,13 @@ Hooking of system calls by patching syscall-handlers in `sys_call_table[]`:
- https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L59 (vfs_hijacked_filldir)
- https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L157 (vfs_hijacked_proc_iterate)
- https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L78 (vfs_hijacked_proc_filldir)
## Hiding of processes and process trees
Filtering PID-like numeric entries while listing `/proc`:
- based on hiding of files capabilty (vfs_hide_file)
- https://github.com/linux-rootkits/rkduck/blob/master/rkduck/crumbs_serv.c#L30
## Keylogger
Keylogger is implemented using `register_keyboard_notifier()`: