chainload
(For example, kmatryoshka, as used in Reptile)
In order to provide an extra layer of obfuscation, an LKM may chain-load (aka "stacked load") additional code in module_init, or otherwise perform actions, before returning a non-zero status to indicate that module loading has failed. For example, a first-stage loader may decrypt a whole additional LKM and load it from within the kernel.
See kmatryoshka for a full example.
In the case of kmatryoshka, the first stage calls do_init_module with the decoded second stage, so a kprobe there will catch it, but the technique is more versatile than that one instance and further thought should be given to it.
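One defensive check that follows from the description above (an added example, not code from this page or from any of the rootkit projects it lists): correlate audited init_module/finit_module calls with the modules actually resident in /proc/modules. A first stage that deliberately returns an error from module_init appears as a failed load syscall, while a second stage loaded from inside the kernel appears as a resident module with no audited load behind it. The audit records and the /proc/modules snapshot below are constructed; the module names stage1 and stage2 are placeholders, and the example assumes the kernel's KERN_MODULE audit record (which carries the module name) is present alongside the SYSCALL record for each load.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Linux audit record header: type=<TYPE> msg=audit(<ts>:<serial>): <key=value ...>
AUDIT_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# x86_64 syscall numbers for init_module (175) and finit_module (313)
MODULE_LOAD_SYSCALLS = {"175", "313"}

# Constructed sample records (not from the original page). A normal driver load,
# followed by a load that the module's own init reported as failed (EINVAL = -22).
SAMPLE_AUDIT_LOG = """\
type=KERN_MODULE msg=audit(1700000000.101:201): name="e1000e"
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=313 success=yes exit=0 a0=3 a1=7f0 a2=0 items=0 pid=4101 auid=0 uid=0 comm="insmod" exe="/usr/bin/kmod" key="modload"
type=KERN_MODULE msg=audit(1700000000.202:202): name="stage1"
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=313 success=no exit=-22 a0=3 a1=7f0 a2=0 items=0 pid=4102 auid=1000 uid=0 comm="insmod" exe="/usr/bin/kmod" key="modload"
"""

# Constructed /proc/modules snapshot: "stage2" is resident although no audited
# syscall ever loaded it, i.e. something inside the kernel loaded it.
SAMPLE_PROC_MODULES = """\
e1000e 282624 0 - Live 0xffffffffc0500000
stage2 16384 0 - Live 0xffffffffc0a00000
"""


@dataclass
class LoadEvent:
    serial: int
    name: Optional[str] = None
    success: Optional[bool] = None
    exit_code: Optional[int] = None
    comm: Optional[str] = None


def parse_fields(body: str) -> Dict[str, str]:
    """Split the key=value tail of an audit record, dropping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}


def parse_audit_log(text: str) -> Dict[int, LoadEvent]:
    """Group module-load SYSCALL and KERN_MODULE records by audit serial."""
    events: Dict[int, LoadEvent] = {}
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial_s, body = m.groups()
        serial = int(serial_s)
        fields = parse_fields(body)
        if rtype == "SYSCALL":
            if fields.get("syscall") not in MODULE_LOAD_SYSCALLS:
                continue
            ev = events.setdefault(serial, LoadEvent(serial))
            ev.success = fields.get("success") == "yes"
            ev.exit_code = int(fields.get("exit", "0"))
            ev.comm = fields.get("comm")
        elif rtype == "KERN_MODULE":
            ev = events.setdefault(serial, LoadEvent(serial))
            ev.name = fields.get("name")
    return events


def parse_proc_modules(text: str) -> List[str]:
    """Return module names from a /proc/modules dump (first column)."""
    return [line.split()[0] for line in text.splitlines() if line.split()]


def find_anomalies(audit_text: str, proc_modules_text: str) -> Dict[str, List[str]]:
    """Flag failed load attempts and resident modules with no audited load."""
    events = parse_audit_log(audit_text)
    resident = set(parse_proc_modules(proc_modules_text))
    failed_loads = sorted(
        ev.name or f"<serial {ev.serial}>" for ev in events.values() if ev.success is False
    )
    audited_ok = {ev.name for ev in events.values() if ev.success and ev.name}
    return {
        "failed_loads": failed_loads,               # candidate first-stage loaders
        "unaudited_resident": sorted(resident - audited_ok),  # candidate second stages
    }


if __name__ == "__main__":
    for kind, names in find_anomalies(SAMPLE_AUDIT_LOG, SAMPLE_PROC_MODULES).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Both lists need a baseline before they are actionable: modules loaded at boot before auditd started will appear as "unaudited_resident", and a genuinely broken driver fails init exactly like a first stage does, so the value of the check is in the correlation (a failed load followed shortly by a new, unaudited resident module), not in either list alone. A kprobe on do_init_module, as the text notes, closes the gap for modules the second stage hides from /proc/modules entirely.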