Awesome-Mirrors
/
awesome-linux-rootkits
mirror of https://github.com/milabs/awesome-linux-rootkits.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update reptile.md

This commit is contained in:
Ilya V. Matveychikov 2018-07-02 20:17:31 +04:00 committed by GitHub
parent 30806e974b
commit 7c30b030b7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
details/reptile.md
View File

@ -10,15 +10,15 @@ https://github.com/f0rb1dd3n/Reptile
## Persistency
Boot-time module loading using OS-specific startup files:
- /etc/modules
- /etc/rc.modules
- /etc/modules (debian/ubuntu)
- /etc/rc.modules (redhat/centos/fedora)
## Detection evasion
Rootkit is trying to evade from detection by:
- hiding of own files
- hiding of kernel module by unlinking from `module_list`
- hiding files by name
- tampering contents of startup files while reading
- hiding kernel module by unlinking from `module_list`
## Management interface
@ -30,19 +30,19 @@ Implemented via `kill(2)` by hooking `sys_call_table[__NR_kill]` entry. Supporte
## Altering system (library) behaviour
Hooking of system calls by patching syscall-handlers in `sys_call_table[]`.
To write to read-only page `CR0/WP` technique used (x86-only).
Hooking of system calls by patching syscall-handlers in `sys_call_table[]`:
- to write to read-only page `CR0/WP` technique used (x86-only)
## Hiding (tampering) of file contents
Filtering of file content while reading by hooking:
- `sys_call_table[__NR_read]`.
- `sys_call_table[__NR_read]`
## Hiding of files and directories
Filtering of directory entries by hoocking:
- `sys_call_table[__NR_getdents]`, `sys_call_table[__NR_getdents64]`
- `sys_call_table[__NR_getdents]`
- `sys_call_table[__NR_getdents64]`
## Hiding of processes and process trees