4. Simple Rootkit Design - lv1
• You can cheat the user
• Replace the command used to get resource status
• ls / ps / top / … etc
• You DID NOT really tamper with the tool, you only cheat the user
8. • All of the previous tools reply with an unusual response
• Color / syntax highlighting missing
• Layout does not match
• … etc
• We NEED to stay mysterious and unknown
9. Useful Rootkit Design - lv3
• Understand how ls works - ls will call …
• opendir
• readdir
• … etc
• You can trace it with strace / dtruss / … etc
12. But you can still find clues on the system
• The extra library in the configuration / environment
• You can still find the hidden file / folder
What if I directly use dlopen / dlsym like the rootkit does …
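Added example (not part of the slides): one way to find the file / folder that an LD_PRELOAD-style readdir hook hides, following the slide's point that user-space tampering leaves clues. It lists a directory once through libc (opendir / readdir, the calls the rootkit intercepts) and once through the raw getdents64 syscall, and reports names that only the syscall shows. Assumes Linux; the function and file names are the example's own.

```c
/* Detect user-space readdir() hooking by cross-checking libc against the
 * raw getdents64 syscall. Linux only. A kernel-level (lv4) rootkit answers
 * both paths, so this check does not catch it. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Layout returned by getdents64 (glibc does not export it). */
struct linux_dirent64 {
    unsigned long long d_ino; long long d_off;
    unsigned short d_reclen; unsigned char d_type; char d_name[];
};

/* 1 if libc's readdir() shows `name` in `path`, 0 if not, -1 on error. */
static int visible_via_libc(const char *path, const char *name) {
    DIR *d = opendir(path);
    if (!d) return -1;
    struct dirent *e; int found = 0;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, name) == 0) { found = 1; break; }
    closedir(d);
    return found;
}

/* Walks `path` with getdents64 (bypassing libc and any preloaded hook) and
 * returns how many entries readdir() hides; -1 if the directory cannot be
 * opened. Re-reading the directory per entry is O(n^2) but keeps it short;
 * a file deleted mid-scan would show up as a false positive. */
int count_hidden_entries(const char *path) {
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    static char buf[32768] __attribute__((aligned(8)));
    int hidden = 0;
    for (long n; (n = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0; ) {
        for (long off = 0; off < n; ) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + off);
            if (visible_via_libc(path, d->d_name) == 0) {
                hidden++;
                fprintf(stderr, "hidden from readdir(): %s/%s\n", path, d->d_name);
            }
            off += d->d_reclen;
        }
    }
    close(fd);
    return hidden;
}

/* The "extra library in the environment" clue: LD_PRELOAD set, or the
 * persistent /etc/ld.so.preload file present. Returns 1 if either is found. */
int preload_configured(void) {
    return getenv("LD_PRELOAD") != NULL || access("/etc/ld.so.preload", F_OK) == 0;
}
```

Run it against a directory you suspect (for example the one a listing tool seems to skip) and compare with what ls shows; a non-zero count means libc and the kernel disagree.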
13. Robust Rootkit design - lv4
• Tamper from the kernel level
• Directly replace the response as deep as possible
• You will never find the rootkit if the response itself comes from the rootkit