Awesome-Mirrors
/
awesome-linux-rootkits
mirror of https://github.com/milabs/awesome-linux-rootkits.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update rkduck.md

This commit is contained in:
Ilya V. Matveychikov 2018-07-04 00:40:46 +04:00 committed by GitHub
parent 4ef5de8bd5
commit 68f41e6771
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 26 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
details/rkduck.md
View File

@ -6,7 +6,33 @@ https://github.com/QuokkaLight/rkduck
- x86, x86_64
- Linux kernel 4.x
- Debian/Ubuntu, RHEL/CentOS/Fedora
## Persistency
Boot-time module loading using OS-specific startup files:
- /etc/modules (debian/ubuntu)
- https://github.com/linux-rootkits/rkduck/blob/master/forever.sh#L29
- /etc/rc.modules (redhat/centos/fedora)
- https://github.com/linux-rootkits/rkduck/blob/master/forever.sh#L32
Rootkit module runs `forever.sh` helper script at the moment of module unloading:
- https://github.com/linux-rootkits/rkduck/blob/master/rkduck/duck.c#L47
## Detection evasion
Rootkit is trying to evade from detection by:
- hiding rootkit files by name
## Management interface
Implemented via in-kernel `netlink` server (`NETLINK_USER`) :
- https://github.com/linux-rootkits/rkduck/blob/master/rkduck/crumbs_serv.c#L142
Supported commands are:
- hiding/unhiding files
- https://github.com/linux-rootkits/rkduck/blob/master/rkduck/crumbs_serv.c#L22
- hiding/unhiding processes
- https://github.com/linux-rootkits/rkduck/blob/master/rkduck/crumbs_serv.c#L32
...