
Basics of Making a Rootkit – From syscall to hook - maxt
https://d0hnuts.com/2016/12/21/basics-of-making-a-rootkit-from-syscall-to-hook/
======
matthewaveryusa
I found the suterusu rootkit to be feature-full and very well written. It
covers all sorts of things a rootkit would do:
[https://github.com/mncoppola/suterusu](https://github.com/mncoppola/suterusu)

I never wrote kernel code before, but within 24 hours I was able to write a
'whitekit' that installs and hides as a rootkit and reports on sneaky behavior
in dmesg:

[https://github.com/matthewaveryusa/whitekit/](https://github.com/matthewaveryusa/whitekit/)

Fun stuff!

------
x0
Maybe I'm just getting better at C, but this was particularly well written and
easy to follow.

------
m00dy
How can we be sure that the syscall table has exactly the same address on every system?
(void*)0xffffffff81601680;

~~~
x0
You can't, you need to look it up in (IIRC) /boot/System.map
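
As an added illustration of the point above (not code from the article or from either commenter): a small Python script that parses System.map-style lines, resolves a symbol such as sys_call_table, and, in the spirit of the "whitekit" mentioned earlier in the thread, flags syscall entries whose handler address falls outside the kernel's text range. The map excerpt and the observed handler addresses are constructed for the example; on a KASLR kernel the runtime addresses differ from System.map by a constant slide, so a real check would compare against /proc/kallsyms instead.

```python
import re

# Constructed System.map excerpt; addresses are made up, not from any real kernel build.
SYSTEM_MAP = """\
ffffffff81000000 T _stext
ffffffff81001234 T sys_read
ffffffff81001567 T sys_write
ffffffff81601680 R sys_call_table
ffffffff81a00000 T _etext
ffffffff81c00000 D _edata
"""

def parse_system_map(text):
    """Map symbol name -> (address, type) from lines of the form '<hex> <type> <name>'."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not re.fullmatch(r"[0-9a-fA-F]+", parts[0]):
            continue  # skip blank or malformed lines
        addr, typ, name = parts
        symbols[name] = (int(addr, 16), typ)
    return symbols

def symbol_address(symbols, name):
    """Return a symbol's address, or None if the map does not contain it."""
    entry = symbols.get(name)
    return entry[0] if entry else None

def suspicious_entries(symbols, table):
    """Names of syscall entries whose handler lies outside [_stext, _etext).

    table: syscall name -> handler address observed at runtime (constructed here;
    a real check would read the table from kernel memory).  A handler outside the
    kernel image's text range points at code that is not part of the kernel
    build, e.g. a loadable module, which is what a hooked table entry looks like.
    """
    lo = symbol_address(symbols, "_stext")
    hi = symbol_address(symbols, "_etext")
    return sorted(name for name, addr in table.items() if not (lo <= addr < hi))

if __name__ == "__main__":
    syms = parse_system_map(SYSTEM_MAP)
    print(hex(symbol_address(syms, "sys_call_table")))
    observed = {"read": 0xffffffff81001234, "write": 0xffffffffc0001000}
    print(suspicious_entries(syms, observed))
```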

------
tayo42
I looked into doing this a while ago and came across something saying that you can't
change the syscall table without recompiling the kernel to allow it. I didn't
realize a workaround was so trivial.

------
mememachine
>I will not be explaining too much in detail about the code sections as I have
left comments that should help. By doing this it encourages the reader to
research more and learn more.

I find it so weird to talk about the reader like I am not the reader.

And as a matter of fact, no, it doesn't.

------
lisper
Submitted two days ago:

[https://news.ycombinator.com/item?id=13243654](https://news.ycombinator.com/item?id=13243654)

with (AFAICT) the exact same URL. Why didn't the dupe detector catch this?

~~~
detaro
No comments, only very few upvotes, then the dupe detector only blocks for a
short time AFAIK.

~~~
lisper
Heh, whaddya know. I thought the dupe timeout was weeks or months but
apparently it's <2 days. I wonder what the actual value is.

~~~
DanBC
Here's what dang said a year ago:
[https://news.ycombinator.com/item?id=10223645](https://news.ycombinator.com/item?id=10223645)

>> We've adjusted the dupe detector to reject fewer URLs. If a story hasn't
had significant attention in about the last year, reposts are ok. That's been
the policy for a while, but we've brought the software closer to it. It will
still reject reposts for a few hours, though, to avoid stampedes. Allowing
reposts is a way of giving high-quality stories multiple chances at making the
front page. Please do this tastefully and don't overdo it.

>> When reposting, please don't delete the earlier post. Deletion is for
things that shouldn't have been posted in the first place, such as if you
regret having said something publicly.

>> When a story is a duplicate—that is, has had significant attention on HN in
the last year or so—it's helpful to post a comment linking to the previous
major thread, so users and/or moderators can flag the dupe. In addition, when
a URL isn't the best source for a given story, it's helpful to post a better
URL in the thread. We often see those and change the posts to use them.

Here's a recent comment about what might count as significant attention:
[https://news.ycombinator.com/item?id=13110615#13141500](https://news.ycombinator.com/item?id=13110615#13141500)

> jsnell's correct, and I'll add that reposts are ok on HN if an article
> hasn't had significant attention yet. 23 points and no comments (which a
> previous submission had) would normally count as significant attention, but
> we sometimes relax the criteria when an article is substantive and seems
> likely to interest the community.

> When we put stories in the second-chance pool (described at
> [https://news.ycombinator.com/item?id=11662380](https://news.ycombinator.com/item?id=11662380)
> and earlier posts linked from there), we try to pick the original submission
> as the one that reaps the benefit.

The guidelines ask that these types of questions be sent to them rather than
posted in threads. But I feel guilty about saying (no matter how politely)
"email the mods". It feels like I'm dumping work on them.

------
smcl
(edit: I'm an idiot)

~~~
x0
I hate memes too, but give this article a go. It's pretty good.

~~~
smcl
Ugh I hate being wrong (and realising I'm impatient and surly). Thanks for the
nudge in the right direction, it was nice after all.

~~~
brudgers
Whatever it was, thanks for fixing it.

~~~
smcl
I moaned about the meme image as an opener :)

