
Vlany – Linux LD_PRELOAD rootkit - necessity
https://github.com/mempodippy/vlany
======
XaYdEk
'If you're reading this, then you'll probably end up in an owner shell at some
point' ... Am I that transparent?

~~~
mempodippy
Yes. :)

------
captainmuon
I was wondering the other day if you could use something like this for good.
For example, you could create something like FUSE that creates virtual file
systems entirely in userspace - useful if your admin won't install additional
kernel modules, or if you are on WSL (Windows Subsystem for Linux). This
rootkit seems to be systemwide (requiring root) though?

I read somewhere that it is probably impossible to redirect everything via
LD_PRELOAD, because with GCC + glib many system calls get inlined, and there
is no place to hook into. You just have ASM syscalls in your executable that
AFAIK you cannot redirect easily. I wonder how they did it.

Of course my thoughts quickly turned to the pranks you could play (with a
purely non-root rootkit)... put an `export LD_PRELOAD=...` in someone's
`.profile`, and make the rootkit hide itself and that line when someone tries
to view `.profile` :-)

~~~
wyldfire
I used this trick to make a library for simulating system failure conditions
[1]. It's great for testing how your system will behave in the face of
hiccups.

[1]
[https://github.com/androm3da/libfaultinj](https://github.com/androm3da/libfaultinj)

