5 comments

[ 3.2 ms ] story [ 23.2 ms ] thread
'If you're reading this, then you'll probably end up in an owner shell at some point' ... Am I that transparent ?
I was wondering the other day if you could use something like this for good. For example, you could create something like FUSE that creates virtual file systems entirely in userspace - useful if your admin won't install additional kernel modules, or if you are on WSL (Windows Subsystem for Linux). This rootkit seems to be systemwide (requiring root) though?

I read somewhere that it is probably impossible to redirect everything via LD_PRELOAD, because with GCC + glib many system calls get inlined, and there is no place to hook into. You just have ASM syscalls in your executable that AFAIK you cannot redirect easily. I wonder how they did it.

Of course my thoughts quickly turned to the pranks you could play (with a purely non-root rootkit)... put an `export LD_PRELOAD=...` in someones `.profile`, and make the rootkit hide itself and that line when someone tries to view `.profile` :-)

Similar stuff is used for good for ages, for example in Valgrind or in `fakeroot` used to build packages in Debian.