3_RootkitTechniques/3.3_set_root/README.md
+2
@@ -4,6 +4,8 @@
4
4
5
5
> Updated to use [ftrace](https://www.kernel.org/doc/html/latest/trace/ftrace.html) instead of directly modifying kernel memory
6
6
7
+
> There is now a blog post explaining this module in more detail! Check it out [here](https://xcellerator.github.io/posts/linux_rootkits_03/)!
8
+
7
9
Similar to [Section 3.2](../3.2_kill_signalling/), we can abuse hooking `sys_kill` to trigger a function that gives root to any process that sends a `64` signal to a process (as before, signal `64` is normally unused).
8
10
9
11
According to [credentials.rst](https://github.com/torvalds/linux/blob/master/Documentation/security/credentials.rst#altering-credentials), we can only modify the `cred` struct of our own process, and not that of any other process. This means that we can't give an already running process root privileges unless we send the `64` signal from that process! Quite a clever security feature!
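Review bot: The link text in the added blockquote (new line 7) is just "here", which says nothing about the target when the README is skimmed or read with links listed out of context. Put the link on the words "blog post" instead, the way the existing note on line 5 links the word "ftrace". The two notes are also separated by a blank line, so they render as two separate blockquotes; if they are meant to read as one notice, join them with a `>` line instead of the blank one.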