Basics of Making a Rootkit – From syscall to hook (d0hnuts.com)
338 points by maxt on Dec 25, 2016 | 20 comments

I found the suterusu rootkit to be feature-full and very well written. It covers all sorts of things a rootkit would do: https://github.com/mncoppola/suterusu

I never wrote kernel code before, but within 24 hours I was able to write a 'whitekit' that installs and hides as a rootkit and reports on sneaky behavior in dmesg:


Fun stuff!

Maybe I'm just getting better at C, but this was particularly well written and easy to follow.

How can we be sure that the syscall table has exactly the same address on every system? (void*)0xffffffff81601680;

You can't, you need to look it up in (IIRC) /boot/System.map
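Added example (not code from the article, the thread, or the suterusu project): the answer above is that the hard-coded address only holds for one specific kernel build, so the table has to be looked up per system, for instance in /boot/System.map. The script below parses that line format (the same one /proc/kallsyms uses), looks up a symbol by name, and adds the caveat a practitioner needs when comparing on-disk and runtime addresses for forensic or integrity checks: with KASLR the running kernel is shifted by a boot-time slide, and /proc/kallsyms shows all-zero addresses to unprivileged readers when kernel.kptr_restrict hides pointers. The function names and both map excerpts are constructed for illustration; the sample addresses are not from any real kernel.

```python
"""Look up kernel symbol addresses from System.map-style listings (added example)."""
import re
from pathlib import Path
from typing import Dict, Optional

# One System.map / /proc/kallsyms line: "<hex address> <type letter> <symbol>".
# kallsyms may append "\t[module]" for module symbols; anything after the
# symbol name is ignored.
_LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z?])\s+(\S+)")


def parse_symbol_map(text: str) -> Dict[str, int]:
    """Map symbol name -> address for every well-formed line in `text`.

    Works for /boot/System.map-<version> (link-time addresses) and for
    /proc/kallsyms (runtime addresses), since both share the line layout.
    """
    symbols: Dict[str, int] = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m is None:
            continue  # blank or malformed line
        addr, _kind, name = m.groups()
        symbols[name] = int(addr, 16)
    return symbols


def load_symbol_map(path: str) -> Dict[str, int]:
    """Read and parse a map file, e.g. /boot/System.map-$(uname -r)."""
    return parse_symbol_map(Path(path).read_text())


def lookup_symbol(symbols: Dict[str, int], name: str) -> Optional[int]:
    """Address of `name`, or None if the map does not contain it."""
    return symbols.get(name)


def kaslr_offset(static_map: Dict[str, int], runtime_map: Dict[str, int],
                 anchor: str = "_text") -> Optional[int]:
    """Runtime minus link-time address of `anchor`, i.e. the KASLR slide.

    Returns None if either map lacks the anchor, or if the runtime address
    is zero (what kallsyms reports when kptr_restrict hides pointers).
    """
    static_addr = static_map.get(anchor)
    runtime_addr = runtime_map.get(anchor)
    if static_addr is None or not runtime_addr:
        return None
    return runtime_addr - static_addr


def expected_runtime_address(static_map: Dict[str, int],
                             runtime_map: Dict[str, int],
                             name: str) -> Optional[int]:
    """Where `name` should be in the running kernel, given the slide."""
    slide = kaslr_offset(static_map, runtime_map)
    base = static_map.get(name)
    if slide is None or base is None:
        return None
    return base + slide


# Constructed System.map excerpt (link-time addresses; not a real kernel's map).
SAMPLE_SYSTEM_MAP = """\
ffffffff81000000 T _text
ffffffff81601680 R sys_call_table
ffffffff816018a0 R ia32_sys_call_table
ffffffff81c00000 D _edata
"""

# Constructed /proc/kallsyms excerpt for the same build booted with a
# KASLR slide of 0x1e000000.
SAMPLE_KALLSYMS = """\
ffffffff9f000000 T _text
ffffffff9f601680 R sys_call_table
"""

if __name__ == "__main__":
    static = parse_symbol_map(SAMPLE_SYSTEM_MAP)
    runtime = parse_symbol_map(SAMPLE_KALLSYMS)
    print("System.map sys_call_table: %#x" % lookup_symbol(static, "sys_call_table"))
    print("KASLR slide:               %#x" % kaslr_offset(static, runtime))
    print("expected runtime address:  %#x"
          % expected_runtime_address(static, runtime, "sys_call_table"))
```

On a live system, replace the two constructed excerpts with `load_symbol_map("/boot/System.map-" + os.uname().release)` and `load_symbol_map("/proc/kallsyms")` (run as root, or with kptr_restrict lowered, so the runtime addresses are not zeroed); a mismatch between the expected and the observed runtime address of a symbol is worth investigating.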

Here's the function used to find the syscall table address in x86-64 [1] from the suterusu rootkit. The code base also includes find functions for x86 [2], amd64 [3], and ARM [4].

[1] https://github.com/mncoppola/suterusu/blob/master/main.c#L12...

[2] https://github.com/mncoppola/suterusu/blob/master/main.c#L10...

[3] https://github.com/mncoppola/suterusu/blob/master/main.c#L15...

[4] https://github.com/mncoppola/suterusu/blob/master/main.c#L17...

I looked into doing this a while ago and came across something that said you can't change the syscall table without recompiling the kernel to allow it. I didn't realize a workaround was so trivial.

>I will not be explaining too much in detail about the code sections as I have left comments that should help. By doing this it encourages the reader to research more and learn more.

I find it so weird to talk about the reader like I am not the reader.

And as a matter of fact, no, it doesn't.

Submitted two days ago:


with (AFAICT) the exact same URL. Why didn't the dupe detector catch this?

Per your comment, I wrote a Chrome extension that creates links to other HN submissions pointing to the same URL. Hovering over the links provides additional details.

This provides similar functionality as the 'past' link in a submission's subtitle, but shows the duplicates automatically.

Here's the extension:


Here's the source code:


No comments, only very few upvotes, then the dupe detector only blocks for a short time AFAIK.

Heh, whaddya know. I thought the dupe timeout was weeks or months but apparently it's <2 days. I wonder what the actual value is.

Here's what dang said a year ago: https://news.ycombinator.com/item?id=10223645

>> We've adjusted the dupe detector to reject fewer URLs. If a story hasn't had significant attention in about the last year, reposts are ok. That's been the policy for a while, but we've brought the software closer to it. It will still reject reposts for a few hours, though, to avoid stampedes. Allowing reposts is a way of giving high-quality stories multiple chances at making the front page. Please do this tastefully and don't overdo it.

>> When reposting, please don't delete the earlier post. Deletion is for things that shouldn't have been posted in the first place, such as if you regret having said something publicly.

>> When a story is a duplicate—that is, has had significant attention on HN in the last year or so—it's helpful to post a comment linking to the previous major thread, so users and/or moderators can flag the dupe. In addition, when a URL isn't the best source for a given story, it's helpful to post a better URL in the thread. We often see those and change the posts to use them.

Here's a recent comment about what might count as significant attention: https://news.ycombinator.com/item?id=13110615#13141500

> jsnell's correct, and I'll add that reposts are ok on HN if an article hasn't had significant attention yet. 23 points and no comments (which a previous submission had) would normally count as significant attention, but we sometimes relax the criteria when an article is substantive and seems likely to interest the community.

> When we put stories in the second-chance pool (described at https://news.ycombinator.com/item?id=11662380 and earlier posts linked from there), we try to pick the original submission as the one that reaps the benefit.

The guidelines ask that these types of questions be sent to them rather than posted in threads. But I feel guilty about saying (no matter how politely) "email the mods". It feels like I'm dumping work on them.

I think the point is that the timeout is not a fixed value but more of an algorithm. No traction, shorter timeout. Other factors probably come into play. HN works in mysterious ways.

Submissions without comment can be resubmitted pretty much any time; otherwise I believe it is a year or moderator intervention.

Maybe so people don't spam a link, hoping more people see it. At least that's my guess.

(edit: I'm an idiot)

I hate memes too, but give this article a go. It's pretty good.

Ugh I hate being wrong (and realising I'm impatient and surly). Thanks for the nudge in the right direction, it was nice after all.

Whatever it was, thanks for fixing it.

I moaned about the meme image as an opener :)

