From e938899b434f3cca5c743914b049f7a53ace20ca Mon Sep 17 00:00:00 2001 From: "Ilya V. Matveychikov" Date: Wed, 4 Jul 2018 13:40:34 +0400 Subject: [PATCH] Update rkduck.md --- details/rkduck.md | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/details/rkduck.md b/details/rkduck.md index 7f0bd3b..440dea0 100644 --- a/details/rkduck.md +++ b/details/rkduck.md @@ -35,4 +35,25 @@ Supported commands are: - hiding/unhiding processes - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/crumbs_serv.c#L32 -... +## Altering system behaviour + +Hooking of system calls by patching syscall-handlers in `sys_call_table[]`: + - hook `sys_call_table[__NR_write]` (disabled) + - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/duck.c#L17 + - hook `file->f_op->iterate` for `/` and `/proc` dentries + - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/duck.c#L25 + - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/duck.c#L29 + - netfilter `NF_INET_PRE_ROUTING/NF_IP_PRI_FIRST` hook used for catching `ICMP` packets + - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/backdoor.c#L454 + - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/backdoor.c#L379 + + ## Hiding of files and directories + + Filtering of directory entries: + - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L323 (vfs_hide_file) + - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L346 (vfs_unhide_file) + - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L97 (vfs_hijacked_iterate) + - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L59 (vfs_hijacked_filldir) + - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L157 (vfs_hijacked_proc_iterate) + - https://github.com/linux-rootkits/rkduck/blob/master/rkduck/vfs.c#L78 (vfs_hijacked_proc_filldir) +
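Review bot: the lead sentence of the new "Altering system behaviour" section, "Hooking of system calls by patching syscall-handlers in `sys_call_table[]`:", only describes the first bullet; the second bullet (hooking `file->f_op->iterate` for the `/` and `/proc` dentries, duck.c#L25/#L29) is a VFS operation-table hijack and the third (the netfilter `NF_INET_PRE_ROUTING/NF_IP_PRI_FIRST` hook for `ICMP`, backdoor.c#L454/#L379) is a netfilter hook, neither of which touches `sys_call_table[]`. Either generalize the lead to something like "Hooks installed by the rootkit:" or split the list into three sub-lists (syscall table, VFS `f_op`, netfilter) so the `(disabled)` marker on the `__NR_write` hook is clearly scoped to the only syscall-table entry. Also, the second heading and its list are written with a leading space (` ## Hiding of files and directories`, ` Filtering of directory entries:`, ` - https://...`), unlike the `## Altering system behaviour` block directly above; drop the leading space so both sections render the same way.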