Closed alichtman closed 5 years ago
I think this resource is a great place to start; it uses the prefix hiding technique, and the files aren't viewable in a file manager or by using ls. https://0x00sec.org/t/hiding-with-a-linux-rootkit/4532
Yep, so just hook the getdents syscall and replace it with our own implementation.
Look in section 5.2.1.3. (Virtual File System Deceptive Interpreters) of "A Taxonomy of Software Deceptive Interpretation in the Linux Operating System"
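To make the getdents hooking idea above concrete, here is an added example that is not code from this thread or from the linked 0x00sec write-up. A kernel-module hook cannot run stand-alone, so this is a user-space C program that does exactly what such a hook does to the kernel's result: it calls the real getdents64 syscall on a directory, then walks the returned `linux_dirent64` buffer and splices out every entry whose name starts with a hidden prefix, returning the shortened length. The prefix `rk_`, the directory created under /tmp, and the file names are assumptions made for the demo; the `struct linux_dirent64` layout is the one documented in getdents(2), declared by hand because glibc does not export it under that name.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumed prefix for this demo; a real rootkit picks its own marker. */
#define HIDE_PREFIX "rk_"

/* Entry layout produced by getdents64(2), as given in the man page. */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* Count entries in a getdents64 result buffer of len bytes. */
size_t count_dirents(const char *buf, size_t len)
{
    size_t pos = 0, n = 0;
    while (pos < len) {
        const struct linux_dirent64 *d = (const struct linux_dirent64 *)(buf + pos);
        if (d->d_reclen == 0 || pos + d->d_reclen > len) break; /* malformed */
        n++;
        pos += d->d_reclen;
    }
    return n;
}

/* The core of a getdents hook: remove every entry whose name starts with
   prefix by moving the following entries down over it, and return the new
   length. The caller (or the hooked syscall) hands this length back, so the
   hidden names never reach ls, readdir() or a file manager. */
size_t filter_dirents(char *buf, size_t len, const char *prefix)
{
    size_t plen = strlen(prefix), pos = 0;
    while (pos < len) {
        struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);
        unsigned short reclen = d->d_reclen;
        if (reclen == 0 || pos + reclen > len) break;
        if (strncmp(d->d_name, prefix, plen) == 0) {
            memmove(buf + pos, buf + pos + reclen, len - pos - reclen);
            len -= reclen;                 /* next entry now sits at pos */
        } else {
            pos += reclen;
        }
    }
    return len;
}

/* Append one entry to an in-memory buffer, laid out as the kernel would
   (records padded to 8 bytes). Constructed test data, not a real listing. */
size_t append_dirent(char *buf, size_t len, unsigned long long ino, const char *name)
{
    size_t reclen = (offsetof(struct linux_dirent64, d_name) + strlen(name) + 1 + 7) & ~(size_t)7;
    struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + len);
    memset(d, 0, reclen);
    d->d_ino = ino;
    d->d_off = (long long)(len + reclen);
    d->d_reclen = (unsigned short)reclen;
    d->d_type = DT_REG;
    strcpy(d->d_name, name);
    return len + reclen;
}

/* Filter a constructed 5-entry buffer; returns how many entries vanished. */
int constructed_removed(const char *prefix)
{
    char buf[512] __attribute__((aligned(8)));
    size_t len = 0;
    len = append_dirent(buf, len, 1, ".");
    len = append_dirent(buf, len, 2, "..");
    len = append_dirent(buf, len, 3, "rk_secret");
    len = append_dirent(buf, len, 4, "passwd");
    len = append_dirent(buf, len, 5, "rk_log");
    return (int)(count_dirents(buf, len) - count_dirents(buf, filter_dirents(buf, len, prefix)));
}

/* Create a throwaway directory with two visible and two prefixed files, list
   it with the real getdents64 syscall, filter, and report entry counts before
   and after (NULL out-params allowed). Returns entries removed or -1 on error. */
int demo_hide(const char *prefix, size_t *before, size_t *after)
{
    static const char *names[] = { "visible.txt", "notes", "rk_secret", "rk_log" };
    char dir[] = "/tmp/rkdemo.XXXXXX", path[256];
    char buf[4096] __attribute__((aligned(8)));
    size_t n_before = 0, n_after = 0;
    int fd, i;

    if (!mkdtemp(dir)) return -1;
    for (i = 0; i < 4; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        if ((fd = open(path, O_WRONLY | O_CREAT, 0600)) < 0) return -1;
        close(fd);
    }
    if ((fd = open(dir, O_RDONLY | O_DIRECTORY)) < 0) return -1;
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (nread < 0) { close(fd); return -1; }
        if (nread == 0) break;
        n_before += count_dirents(buf, (size_t)nread);
        n_after  += count_dirents(buf, filter_dirents(buf, (size_t)nread, prefix));
    }
    close(fd);
    for (i = 0; i < 4; i++) { snprintf(path, sizeof path, "%s/%s", dir, names[i]); unlink(path); }
    rmdir(dir);
    if (before) *before = n_before;
    if (after)  *after  = n_after;
    return (int)(n_before - n_after);
}

int main(void)
{
    size_t b = 0, a = 0;
    int removed = demo_hide(HIDE_PREFIX, &b, &a);
    printf("entries before filter: %zu, after: %zu, hidden: %d\n", b, a, removed);
    return removed < 0;
}
```

Two practitioner notes. First, memmove is the simplest splice; rootkits such as the one in the linked write-up more often grow the previous entry's `d_reclen` to swallow the hidden record, which avoids copying but leaves the hidden name bytes in the buffer. Second, this only hides the entry from directory listings: `stat()`, `open()` and `access()` on the full path still succeed, so a hook that does not also filter those paths is trivially confirmed by probing known names, and any process that reads the directory through a different path (32-bit `getdents`, a statically linked tool using its own syscall stub, or an offline mount of the disk) sees the files.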