Update rkduck.md

2024-10-01 06:35:44 -04:00 · 2018-07-04 13:40:34 +04:00 · 2018-07-04 13:40:34 +04:00 · e938899b43
commit e938899b43
parent 68f41e6771
1 changed files with 22 additions and 1 deletions
--- a/details/rkduck.md
+++ b/details/rkduck.md
@ -35,4 +35,25 @@ Supported commands are:
 - hiding/unhiding processes
   - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/crumbs_serv.c#L32

-...
+## Altering system behaviour
+
+Hooking of system calls by patching syscall-handlers in `sys_call_table[]`:
+ - hook `sys_call_table[__NR_write]` (disabled)
+   - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/duck.c#L17
+ - hook `file->f_op->iterate` for `/` and `/proc` dentries
+   - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/duck.c#L25
+   - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/duck.c#L29
+ - netfilter `NF_INET_PRE_ROUTING/NF_IP_PRI_FIRST` hook used for catching `ICMP` packets
+   - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/backdoor.c#L454
+   - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/backdoor.c#L379
+ 
+ ## Hiding of files and directories
+ 
+ Filtering of directory entries:
+  - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L323 (vfs_hide_file)
+  - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L346 (vfs_unhide_file)
+  - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L97 (vfs_hijacked_iterate)
+    - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L59 (vfs_hijacked_filldir)
+  - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L157 (vfs_hijacked_proc_iterate)
+    - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L78 (vfs_hijacked_proc_filldir)
+