3_RootkitTechniques/3.4_hiding_directories/README.md
@@ -4,6 +4,8 @@
> Updated to use [ftrace](https://www.kernel.org/doc/html/latest/trace/ftrace.html) instead of directly modifying kernel memory
+
> There is now a blog post explaining this module in a lot more detail. You can check it out [here](https://xcellerator.github.io/posts/linux_rootkits_06/).
+
> Sadly, this module is a lot bigger when we use ftrace. The reason is that we end up repeating the hook function *four* times - two copies each of both `sys_getdents` and `sys_getdents64`, using both the `pt_regs` struct and the old-fashioned function declaration (for kernel versions <4.17 - looking at you Ubuntu 16.04...)
This is probably the most complicated syscall hook yet. As far as the kernel module goes, the structure is the same as the others in this section - we find the syscall table, and then hook a syscall with our own replacement, in this case, we hook `sys_getdents64`.
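Review bot: the new blockquote (the added line and the blank line after it) is inserted between the two notes that both concern ftrace, so the unchanged "Sadly, this module is a lot bigger when we use ftrace" paragraph now follows the blog-post pointer instead of the "Updated to use ftrace" note it qualifies; consider placing the new note above the ftrace note or after the "Sadly..." paragraph so the two ftrace remarks stay together. Separately, "here" as link text hides the destination from readers scanning the README; a descriptive anchor such as `> There is now a [blog post](https://xcellerator.github.io/posts/linux_rootkits_06/) explaining this module in a lot more detail.` carries the same information and is easier to find.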