I was wondering the other day if you could use something like this for good. For example, you could create something like FUSE that creates virtual file systems entirely in userspace - useful if your admin won't install additional kernel modules, or if you are on WSL (Windows Subsystem for Linux). This rootkit seems to be systemwide (requiring root) though?
I read somewhere that it is probably impossible to redirect everything via LD_PRELOAD, because with GCC + glib many system calls get inlined, and there is no place to hook into. You just have ASM syscalls in your executable that AFAIK you cannot redirect easily. I wonder how they did it.
Of course my thoughts quickly turned to the pranks you could play (with a purely non-root rootkit)... put an `export LD_PRELOAD=...` in someones `.profile`, and make the rootkit hide itself and that line when someone tries to view `.profile` :-)
I used this trick to make a library for simulating system failure conditions [1]. It's great for testing how your system will behave in the face of hiccups.
5 comments
[ 3.2 ms ] story [ 23.2 ms ] threadI read somewhere that it is probably impossible to redirect everything via LD_PRELOAD, because with GCC + glib many system calls get inlined, and there is no place to hook into. You just have ASM syscalls in your executable that AFAIK you cannot redirect easily. I wonder how they did it.
Of course my thoughts quickly turned to the pranks you could play (with a purely non-root rootkit)... put an `export LD_PRELOAD=...` in someones `.profile`, and make the rootkit hide itself and that line when someone tries to view `.profile` :-)
[1] https://github.com/androm3da/libfaultinj