<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Rootkits on Prepakis Georgios | Kernelstub | Security Researcher</title><link>https://blog.kernelstub.dev/tags/rootkits/</link><description>Recent content in Rootkits on Prepakis Georgios | Kernelstub | Security Researcher</description><generator>Hugo</generator><language>en-US</language><lastBuildDate>Fri, 04 Oct 2024 00:00:00 +0000</lastBuildDate><atom:link href="https://blog.kernelstub.dev/tags/rootkits/index.xml" rel="self" type="application/rss+xml"/><item><title>Domain Generation Algorithms and Automatic Domain Registration in C2</title><link>https://blog.kernelstub.dev/posts/domain-generation-algorithms-and-automatic-domain-registration-in-c2/</link><pubDate>Fri, 04 Oct 2024 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/domain-generation-algorithms-and-automatic-domain-registration-in-c2/</guid><description>&lt;h2 id="what-is-a-domain-generation-algorithm-dga"&gt;What Is a Domain Generation Algorithm (DGA)?&lt;/h2&gt;
&lt;p&gt;If you&amp;rsquo;re running a botnet, you have a problem: your infected hosts need a way to phone home, but the moment defenders find your command and control (C2) domain, they blocklist it, sinkhole it, or hand it to a takedown request, and your whole fleet goes dark at once. A single hardcoded IP or domain baked into your malware is a single point of failure, and it&amp;rsquo;s the first thing an incident responder goes looking for when they pull apart a sample in a sandbox.&lt;/p&gt;</description></item><item><title>Custom Linux Kernel Hooks with eBPF</title><link>https://blog.kernelstub.dev/posts/custom-linux-kernel-hooks-with-ebpf/</link><pubDate>Wed, 02 Oct 2024 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/custom-linux-kernel-hooks-with-ebpf/</guid><description>&lt;h2 id="understanding-ebpf"&gt;Understanding eBPF&lt;/h2&gt;
&lt;h3 id="what-is-ebpf"&gt;What is eBPF?&lt;/h3&gt;
&lt;p&gt;If you&amp;rsquo;ve ever wanted to peek inside a running Linux kernel without recompiling it, patching it, or crossing your fingers and loading a sketchy out-of-tree module, eBPF is probably the tool you were looking for. The name is short for &amp;ldquo;extended Berkeley Packet Filter,&amp;rdquo; which is a bit of a historical accident: the original BPF, from the late 1980s, was a tiny virtual machine built to do one job, deciding whether a network packet matched a filter (think &lt;code&gt;tcpdump&lt;/code&gt;). It was small, fast, and deliberately dumb, which made it safe to run inside the kernel.&lt;/p&gt;</description></item><item><title>Introduction to Windows Syscalls</title><link>https://blog.kernelstub.dev/posts/introduction-to-windows-syscalls/</link><pubDate>Tue, 17 Sep 2024 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/introduction-to-windows-syscalls/</guid><description>&lt;h2 id="what-are-system-calls-really"&gt;What Are System Calls, Really?&lt;/h2&gt;
&lt;p&gt;Every time your program does something that touches the outside world, opening a file, allocating memory, talking to the network, waiting on another thread, it&amp;rsquo;s asking the operating system to do that work on its behalf. Your program doesn&amp;rsquo;t get to poke the disk controller or the network card directly. It can&amp;rsquo;t, by design. The CPU itself enforces this separation through privilege rings: user-mode code (ring 3 on x86/x64) runs with a restricted set of permissions, while the kernel (ring 0) runs with full access to hardware and memory. A system call is the formal, controlled doorway between those two worlds.&lt;/p&gt;</description></item><item><title>Hooking `getdents64` to Hide Directories in Linux</title><link>https://blog.kernelstub.dev/posts/hooking-getdents64-to-hide-directories-in-linux/</link><pubDate>Wed, 05 Jun 2024 00:00:00 +0000</pubDate><guid>https://blog.kernelstub.dev/posts/hooking-getdents64-to-hide-directories-in-linux/</guid><description>&lt;h2 id="why-directory-hiding-even-works"&gt;Why Directory Hiding Even Works&lt;/h2&gt;
&lt;p&gt;Every time you run &lt;code&gt;ls&lt;/code&gt; in a terminal, or a graphical file manager draws a folder icon, something has to ask the kernel &amp;ldquo;what&amp;rsquo;s in this directory?&amp;rdquo; On Linux that question gets answered by the &lt;code&gt;getdents64&lt;/code&gt; syscall (the modern replacement for the older &lt;code&gt;getdents&lt;/code&gt;). The C library wraps it up neatly, but underneath, every single directory listing you have ever seen on a Linux box came from a userspace program calling into the kernel and getting back a buffer full of &lt;code&gt;linux_dirent64&lt;/code&gt; structures, one per file or subdirectory.&lt;/p&gt;</description></item></channel></rss>