
How to write a rootkit without really trying - ingve
https://blog.trailofbits.com/2019/01/17/how-to-write-a-rootkit-without-really-trying/
======
woodruffw
Author here. Happy to answer any questions.

~~~
exrook
Are you aware that this can be done without elevated privileges using
seccomp(2)[0] and ptrace(2)[1] using SECCOMP_RET_TRACE? (or with ptrace alone
using PTRACE_SYSEMU) Although the ptrace API can be daunting, and I believe
it's somewhat involved to do anything besides changing values returned by the
call, the upside (or downside) is that you don't need to learn any kernel
programming. I wish these APIs were more accessible as I feel there's a lot of
potential to use them in creative ways.

EDIT: Just noticed your mention at the bottom of the post, feel free to
disregard this

[0] [http://man7.org/linux/man-pages/man2/ptrace.2.html](http://man7.org/linux/man-pages/man2/ptrace.2.html)

[1] [http://man7.org/linux/man-pages/man2/seccomp.2.html](http://man7.org/linux/man-pages/man2/seccomp.2.html)

~~~
woodruffw
Yup! I looked into implementing KRF[1] with ptrace originally, but ultimately
went the kernel module route for a few different reasons:

1. I was more familiar with the relevant kernel APIs/techniques

2. ptrace adds a 2x (3x?) overhead to each syscall and works on inferior
processes only

3. I want KRF to eventually fault ptrace(2) itself!

[1]: [https://github.com/trailofbits/krf](https://github.com/trailofbits/krf)

------
catern
>eBPF can’t intercept syscalls

Perhaps soon it will be able to, though! See the "seccomp trap to userspace"
patches.

