windows deep internals
Do you still believe what is written in Cyrillic?
Friday, 15 October 2021
blinding sysmon for linux
Let's see which tracepoints it is using: sudo ./lkmem -d -c -t ~/krnl/curr ~/krnl/System.map-5.11.0-37-generic __tracepoint_sched_process_e...
Monday, 11 October 2021
BPF iterators
Sure, I could not get past the hype topic of BPF (an overvalued mechanism that allows you to just run your buggy code in the kernel with low performance a...
Monday, 4 October 2021
security hooks in linux kernel
This mechanism was inspired by the NSA. As described, all hooks are stored in the huge struct security_hooks_list, but its format is different in eac...
Sunday, 3 October 2021
what linux hiding
Disclaimer: there is no doubt that the list below is incomplete, inaccurate, etc. - it's just what a very average programmer can find during two ...
Tuesday, 28 September 2021
PoC to hide kprobes list
As you may know, the list of kprobes is mapped under /sys in the file /sys/kernel/debug/kprobes/list. And now that I have working filesystem notific...
Sunday, 26 September 2021
filesystem notifications in linux kernel
Disclaimer: Filesystems are the most complex part of any OS. I am not a specialist in Linux filesystems and don't even commit code to lin...
Saturday, 18 September 2021
linux kernel uprobes
Let's consider another spying mechanism in the Linux kernel - uprobes. They also insert int3, but this time in user mode, and can be used for exa...