Closed yaoh3i closed 3 years ago
Hey there,
Yes, if you have a look here, you'll see that we hide the pid of the rootkit from the proc file system. If you wanted to hide a file, or the process binary itself, you could simply do what we do to hide the binary of the rootkit here.
We haven't made this feature configurable because we didn't need to do it for our research (we just wanted to show that it was possible).
I hope this helps!
Surprising ideas! I have a question. General rootkits can hide specific processes and prevent them from being detected by commands such as ps. Is this possible for ebpfkit?
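A defender-side cross-check prompted by the exchange above, added here as an example and not code from the ebpfkit project: a task hidden only from the /proc directory listing is still known to the kernel, which answers kill(pid, 0) for it, so the two views can be diffed. The /proc path and the pid_max handling are assumptions of this example.

```python
"""Cross-check two views of the process table to spot PIDs hidden from /proc.

kill(pid, 0) sends no signal and fails with ESRCH only when the PID is really
absent, so probing the whole PID range and diffing against os.listdir('/proc')
exposes tasks filtered out of the procfs listing. Added example, not ebpfkit code.
"""
import os

PROC = "/proc"  # assumed mount point of procfs


def pids_from_procfs(proc_root: str = PROC) -> set[int]:
    """PIDs as ps/top see them: numeric directory names under /proc."""
    try:
        return {int(n) for n in os.listdir(proc_root) if n.isdigit()}
    except FileNotFoundError:  # not Linux, or procfs not mounted
        return set()


def thread_ids_of_visible(pids: set[int], proc_root: str = PROC) -> set[int]:
    """TIDs of visible processes: kill(2) accepts TIDs, so without this they
    would look like hidden PIDs."""
    tids: set[int] = set()
    for pid in pids:
        try:
            tids.update(int(t) for t in os.listdir(f"{proc_root}/{pid}/task") if t.isdigit())
        except OSError:  # process exited between the two reads
            pass
    return tids


def pids_from_signal_probe(pid_max: int) -> set[int]:
    """PIDs the kernel admits exist (EPERM = exists but not ours, ESRCH = absent)."""
    alive: set[int] = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:  # ESRCH
            continue
        except PermissionError:  # EPERM
            pass
        alive.add(pid)
    return alive


def hidden_pids(procfs_view: set[int], probe_view: set[int], known_tids: set[int]) -> set[int]:
    """Alive per the kernel but neither listed nor a thread of a listed process.
    Tasks starting or exiting between scans appear transiently; re-run and
    only trust PIDs that persist."""
    return probe_view - procfs_view - known_tids
```

On a live Linux host, read pid_max from /proc/sys/kernel/pid_max and call `hidden_pids(v, pids_from_signal_probe(pid_max), thread_ids_of_visible(v))` with `v = pids_from_procfs()`. A rootkit that also tampers with the probe syscall is not caught this way, so an empty result is weak evidence, while a persistent hit is strong.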