Index
A
- .altinstructions
- .altinstructions patching
- .altinstr_replace
- adore
- advanced function-tracing software
- algorithm, for data segment infection
- algorithm, for PT_NOTE to PT_LOAD conversion infection method / Algorithm for PT_NOTE to PT_LOAD conversion infections
- algorithm, for reverse text infection / Algorithm for reverse text infection
- algorithm, for Silvio .text infection method
- analysis, of core file
- about / Analysis of the core file – the Azazel rootkit
- Azazel infected process, starting / Core file program headers
- core dump, obtaining / Core file program headers
- core file program headers / Core file program headers
- PT_NOTE segment / The PT_NOTE segment
- PT_LOAD segments / PT_LOAD segments and the downfalls of core files for forensics purposes
- core files for forensics purposes, downfalls / PT_LOAD segments and the downfalls of core files for forensics purposes
- core file, using with GDB for forensics / Using a core file with GDB for forensics
- anti-debugging, for binary protection / Anti-debugging for binary protection
- anti-exploitation, Maya
- about / Maya's anti-exploitation
- source code, of vuln.c / Maya's anti-exploitation
- example, of exploiting vuln.c / Example of exploiting vuln.c
- antivirus (AV) company / ELF virus engineering challenges
- arch/x86/include/asm/alternative.h
- auxiliary vector / The auxiliary vector
- AVU (Anti Virus Unix)
- Azazel
- about / Process infection tools
- reference link / Process infection tools
- Azazel userland rootkit, analyzing
- about / Analyzing the Azazel userland rootkit
- symbol table of host2, with process reconstruction / The symbol table of the host2 process reconstructed
- section header table of host2, with process reconstruction / The section header table of the host2 process reconstructed
- PLT/GOT, validating with ECFS / Validating the PLT/GOT with ECFS
- readecfs output, for PLT/GOT validation / The readecfs output for PLT/GOT validation
- Azazel userland rootkit detection / Azazel userland rootkit detection
B
- basic ltrace command
- about / Basic ltrace command
- binary protectors
- references / Other resources
- Bitlackeys Research
- reference link / ptrace and forensic analysis
- Blackhat
- Burneye
- about / Burneye by Scut – 2002
C
- .ctors, for anti-anti-debugging / Patching the .ctors/.init_array section
- .ctors/.dtors function pointers
- overwriting / Overwriting the .ctors/.dtors function pointers
- .ctors/.init_array section
- patching / Patching the .ctors/.init_array section
- call/pop technique / Identifying parasite code characteristics
- Cerberus ELF interface
- reference link / ERESI – The ELF reverse engineering system interface
- code injection, with ptrace / Code injection with ptrace
- code obfuscation technique
- about / The code obfuscation technique
- code_inject.c source code
- code_inject tool
- demonstrating / Demonstrating the code_inject tool
- complications, with string storage
- about / Complications with string storage
- solution / Solution
- control flow, infecting
- about / Infecting control flow
- direct PLT infection / Direct PLT infection
- function trampolines / Function trampolines
- .ctors/.dtors function pointers, overwriting / Overwriting the .ctors/.dtors function pointers
- global offset table poisoning / GOT – global offset table poisoning or PLT/GOT redirection
- PLT/GOT redirection / GOT – global offset table poisoning or PLT/GOT redirection
- function pointer overwrites / Function pointer overwrites
- control flow integrity, protecting
- about / Protecting control flow integrity
- attacks, based on ptrace / Attacks based on ptrace
- security vulnerability-based attacks / Security vulnerability-based attacks
- core handler
- ECFS, plugging into / Plugging ECFS into the core handler
D
- /dev/kmem
- about / Notes on /dev/kmem and /dev/mem
- /dev/mem
- about / Notes on /dev/kmem and /dev/mem, /dev/mem
- DacryFile
- data segment infections
- about / Data segment infections
- algorithm / Algorithm for data segment infection
- data structures
- infecting / Infecting data structures
- direct PLT infection
- about / Direct PLT infection
- disinfection program, for reverse text infection method
- reference link / Algorithm for reverse text infection
- DLL injection traces
- dynamic segment, checking for / Checking the dynamic segment for DLL injection traces
- DRR
- about / Debug register rootkits – DRR
- detecting / Detecting DRR
- dynamic segment
- about / The dynamic segment revisited
- DT_NEEDED / DT_NEEDED
- DT_SYMTAB / DT_SYMTAB
- DT_HASH / DT_HASH
- DT_STRTAB / DT_STRTAB
- DT_PLTGOT / DT_PLTGOT
- checking, for DLL injection traces / Checking the dynamic segment for DLL injection traces
- DynamoRIO / Anti-debugging for binary protection
E
- ECFS
- about / ECFS, What does a process look like?, Tools for detecting PLT/GOT hooks, The ECFS philosophy, K-ecfs – kernel ECFS
- reference link / ECFS, Tools for detecting PLT/GOT hooks
- history / History
- references / Getting started with ECFS, Learning more about ECFS
- plugging, into core handler / Plugging ECFS into the core handler
- used, for examining infected process / Examining an infected process using ECFS
- reference guide / The ECFS reference guide
- symbol table reconstruction / ECFS symbol table reconstruction
- section headers / ECFS section headers
- ECFS file
- using, as regular core file / Using an ECFS file as a regular core file
- ECFS snapshot
- capturing / Capturing and analyzing an ECFS snapshot
- analyzing / Capturing and analyzing an ECFS snapshot
- ECFS snapshots, without killing process
- ELF anti-debugging and packing techniques
- about / ELF anti-debugging and packing techniques
- PTRACE_TRACEME technique / The PTRACE_TRACEME technique
- SIGTRAP handler technique / The SIGTRAP handler technique
- /proc/self/status technique / The /proc/self/status technique
- code obfuscation technique / The code obfuscation technique
- string table transformation technique / The string table transformation technique
- ELF binary packers
- ELF binary protectors
- about / Existing ELF binary protectors
- DacryFile / DacryFile by the Grugq – 2001
- Burneye / Burneye by Scut – 2002
- Shiva / Shiva by Neil Mehta and Shawn Clowes – 2003
- Maya's Veil / Maya's Veil by Ryan O'Neill – 2014
- elfdemon
- about / Executable injections
- reference link / Executable injections
- elfdemon source code
- reference link / Simple examples aren't always so trivial
- ELF dynamic linking
- about / ELF dynamic linking
- auxiliary vector / The auxiliary vector
- ELF file types
- about / ELF file types
- ET_NONE / ELF file types
- ET_REL / ELF file types
- ET_EXEC / ELF file types
- ET_DYN / ELF file types
- ET_CORE / ELF file types
- ELF Parser
- coding / Coding an ELF Parser
- ELF program headers
- about / ELF program headers
- PT_LOAD / PT_LOAD
- PT_DYNAMIC / PT_DYNAMIC – Phdr for the dynamic segment
- PT_NOTE / PT_NOTE
- PT_INTERP / PT_INTERP
- PT_PHDR / PT_PHDR
- ELF relocations
- about / ELF relocations
- ELF runtime infection
- reference link / ptrace request types
- elfscure
- reference link / The string table transformation technique
- ELF section headers
- about / ELF section headers
- .text section / The .text section
- .rodata section / The .rodata section
- .plt section / The .plt section
- .data section / The .data section
- .bss section / The .bss section
- .got.plt section / The .got.plt section
- .dynsym section / The .dynsym section
- .dynstr section / The .dynstr section
- .rel.* section / The .rel.* section
- .hash section / The .hash section
- .symtab section / The .symtab section
- .strtab section / The .strtab section
- .shstrtab section / The .shstrtab section
- .ctors section / The .ctors and .dtors sections
- .dtors section / The .ctors and .dtors sections
- ELF symbols
- about / ELF symbols
- st_name / st_name
- st_value / st_value
- st_size / st_size
- st_other / st_other
- st_shndx / st_shndx
- st_info / st_info
- symbol types / Symbol types
- symbol bindings / Symbol bindings
- ELF virus detection
- ELF virus disinfection
- ELF virus engineering challenges
- about / ELF virus engineering challenges
- parasite code must be self-contained / Parasite code must be self-contained
- complications, with string storage / Complications with string storage
- legitimate space, finding to store parasite code / Finding legitimate space to store parasite code
- execution control flow, passing to parasite / Passing the execution control flow to the parasite
- ELF virus parasite infection methods
- about / ELF virus parasite infection methods
- Silvio padding infection method / The Silvio padding infection method
- reverse text infection / The reverse text infection
- data segment infections / Data segment infections
- ELF virus technology
- about / ELF virus technology
- Embedded ELF debugging
- reference link / ERESI – The ELF reverse engineering system interface
- emulated CPU inconsistencies
- detecting / Detecting emulated CPU inconsistencies
- emulation
- detecting, through syscall testing / Detecting emulation through syscall testing
- entry point modification
- ERESI project
- reference link / ERESI – The ELF reverse engineering system interface
- ET_DYN (shared object) injection / Injection methods
- ET_DYN injection
- detecting / Detecting the ET_DYN injection
- ET_DYN injection internals
- about / ET_DYN injection internals
- symbol for __libc_dlopen_mode, finding / Example – finding the symbol for __libc_dlopen_mode
- __libc_dlopen_mode shellcode, example / Code example – the __libc_dlopen_mode shellcode
- libc symbol resolution, example / Code example – libc symbol resolution
- x86_32 shellcode, to mmap() an ET_DYN object / Code example – the x86_32 shellcode to mmap() an ET_DYN object
- ET_REL (relocatable object) injection / Injection methods
- executable injections
- about / Executable injections
- executable memory mappings
- about / Executable memory mappings
- executable reconstruction
- challenges / Challenges for executable reconstruction
- execution control flow, passing to parasite
- about / Passing the execution control flow to the parasite
- solution / Solution
- explicit addend / ELF relocations
- Extended core file snapshot (ECFS)
F
- flags
- forms, of control flow hijacking
- detecting / Detecting other forms of control flow hijacking
- .ctors/.init_array section, patching / Patching the .ctors/.init_array section
- PLT/GOT hooks, detecting / Detecting PLT/GOT hooks
- function trampolines, detecting / Detecting function trampolines
- FreeBSD /dev/kmem
- about / FreeBSD /dev/kmem
- ftrace
- about / ftrace
- reference link / ftrace, Advanced function-tracing software
- function hijacking
- function pointer overwrites
- about / Function pointer overwrites
- function trampolines
G
- GDB
- about / GDB
- using, with /proc/kcore / /proc/kcore and GDB exploration
- Global Offset Table (GOT)
- about / The importance of ptrace, PT_DYNAMIC – Phdr for the dynamic segment, The .got.plt section, Detecting PLT/GOT hooks
- global offset table poisoning / GOT – global offset table poisoning or PLT/GOT redirection
- GRKERNSEC_PROC_MEMMAP / What does a process look like?
H
- hidden processes
- viewing, taskverse used / Using taskverse to see hidden processes
- host process
- infecting / Infecting the host process
I
- IDA Pro
- about / IDA Pro
- illegitimate shared object loading
- implicit addends / ELF relocations
- incorrect GOT addresses
- identifying / Identifying incorrect GOT addresses
- indirect jmp
- example / An example with indirect jmp
- infected LKMs
- about / Infected LKMs – kernel drivers
- detecting / Detecting infected LKMs
- infected process
- examining, ECFS used / Examining an infected process using ECFS
- integrity, of syscall
- validating / An example of validating the integrity of a syscall
- interrupt handler patching
K
- k-ecfs
- about / K-ecfs – kernel ECFS
- kdress
- about / stock vmlinux has no symbols
- reference link / stock vmlinux has no symbols
- vmlinux, building with / Building a proper vmlinux with kdress
- kernel-ecfs file
- kernel code integrity
- verifying, textify used / Using textify to verify kernel code integrity
- Kernel Detective
- kernel function trampolines
- reference link / Detecting function trampolines
- about / Kernel function trampolines
- kernel hacking goodies
- about / Kernel hacking goodies
- general reverse engineering and debugging / General reverse engineering and debugging
- advanced kernel hacking/debugging interfaces / Papers mentioned in this chapter
- kernel infection techniques
- Kernel voodoo
- reference link / Papers mentioned in this chapter
- kprobe rootkits
- about / Kprobe rootkits
- detecting / Detecting kprobe rootkits
L
- LD_PRELOAD
- about / Injection methods
- finding, on stack / Finding LD_PRELOAD on the stack
- LD_PRELOAD environment variable
- LD_SHOW_AUXV environment variable
- legitimate shared object loading
- about / Legitimate shared object loading
- legitimate space, finding to store parasite code
- about / Finding legitimate space to store parasite code
- solution / Solution
- libecfs
- libecfs API
- about / The libecfs API and how to use it
- using / The libecfs API and how to use it
- reference link / The libecfs API and how to use it
- linker-related environment points
- about / Linker-related environment points
- LD_PRELOAD environment variable / The LD_PRELOAD environment variable
- LD_SHOW_AUXV environment variable / The LD_SHOW_AUXV environment variable
- linker scripts
- about / Linker scripts
- Linux ELF core files
- about / Linux ELF core files
- Linux kernel
- forensics / Linux kernel forensics and rootkits
- rootkits / Linux kernel forensics and rootkits
- Linux padding Virus
- reference link / Identifying parasite code characteristics
- Linux tools
- about / Linux tools
- GDB / GDB
- objdump from GNU Binutils / Objdump from GNU binutils
- Objcopy from GNU binutils / Objcopy from GNU binutils
- strace / strace
- ltrace / ltrace
- basic ltrace command / Basic ltrace command
- ftrace / ftrace
- readelf / readelf
- ERESI / ERESI – The ELF reverse engineering system interface
- Linux VMA Voodoo
- about / Tools for detecting PLT/GOT hooks
- reference link / Tools for detecting PLT/GOT hooks
- LKM files
- LKM infection
- reference link / Papers mentioned in this chapter
- Loadable Kernel Module (LKM)
- LPV virus
- about / The LPV virus
- download link / The LPV virus
- reference link / Algorithm for the Silvio .text infection method
- ltrace
- about / ltrace
M
- Maya
- protection layers / Maya's protection layers, Layer 2, Layer 3
- nanomites / Maya's nanomites
- anti-exploitation / Maya's anti-exploitation
- Maya's Veil
- reference link / The reverse text infection
- Maya-protected binaries
- downloading / Downloading Maya-protected binaries
N
- nanomites, Maya / Maya's nanomites
- NOTE segment infections
- reference link / PT_NOTE
O
- obfuscation methods
- about / Obfuscation methods
- Objcopy from GNU binutils
- about / Objcopy from GNU binutils
- objdump from GNU Binutils
- about / Objdump from GNU binutils
- Object copy (Objcopy)
- about / Objcopy from GNU binutils
- object dump (objdump)
- about / Objdump from GNU binutils
- object obfuscator (objobf)
- about / Burneye by Scut – 2002
P
- /proc/kcore
- about / /proc/kcore and GDB exploration
- GDB, using with / /proc/kcore and GDB exploration
- /proc/self/status technique
- about / The /proc/self/status technique
- packer
- Page Table Entry (PTE)
- parasite code
- extracting, with readecfs / Extracting parasite code with readecfs
- parasite code characteristics
- identifying / Identifying parasite code characteristics
- parasite code must be self-contained
- about / Parasite code must be self-contained
- solution / Solution
- PaX
- PaX mprotect restrictions
- reference link / Code example – the x86_32 shellcode to mmap() an ET_DYN object
- phalanx
- Phrack
- URL / Burneye by Scut – 2002
- PIC code (shellcode) injection / Injection methods
- Pin / Anti-debugging for binary protection
- PLT (procedure linkage table) / Detecting PLT/GOT hooks
- PLT/GOT / Learning about the PLT/GOT
- PLT/GOT hooks
- detecting / Detecting PLT/GOT hooks, Detecting PLT/GOT hooks
- truncated output, from readelf -S command / Truncated output from readelf -S command
- incorrect GOT addresses, identifying / Identifying incorrect GOT addresses
- PLT/GOT integrity
- about / PLT/GOT integrity
- PLT/GOT redirection / GOT – global offset table poisoning or PLT/GOT redirection
- position-independent code (PIC) / ELF file types, Identifying parasite code characteristics, Solution
- Position-Independent Executable (PIE) / The section header analysis
- preload
- procedure linkage table (PLT)
- about / The .plt section, What to look for in the memory
- procedure prologue / Symbol bindings
- process
- about / What does a process look like?
- process-executable reconstruction
- challenges / Challenges for process-executable reconstruction
- process address space
- mapping out / Mapping out the process address space
- process cloaking
- about / Injection methods
- process image reconstruction
- about / Process image reconstruction – from the memory to the executable
- section header table, adding / Adding a section header table
- algorithm, for process / The algorithm for the process
- with Quenya, on 32-bit test environment / Process reconstruction with Quenya on a 32-bit test environment
- process infection techniques
- about / Process infection techniques
- process infection tools
- Azazel / Process infection tools
- Saruman / Process infection tools
- sshd_fucker (phrack .so injection paper) / Process infection tools
- process injection methods
- ET_DYN (shared object) injection / Injection methods
- ET_REL (relocatable object) injection / Injection methods
- PIC code (shellcode) injection / Injection methods
- process memory infection
- about / Process memory infection
- process memory layout
- example / What does a process look like?
- process necromancy, with ECFS
- about / Process necromancy with ECFS
- process register state
- program heap
- about / The program heap
- protected binaries
- identifying / Identifying protected binaries
- analyzing / Analyzing a protected binary
- protection layers, Maya / Maya's protection layers, Layer 2, Layer 3
- protector
- example / An example of a protector
- protector stubs
- PSE (Page Size Extension) / Identifying text segment padding infections
- ptrace
- about / The importance of ptrace
- forensic analysis / ptrace and forensic analysis
- code injection / Code injection with ptrace
- verification, for program tracking / Is your program being traced?
- ptrace-based debugger
- about / A simple ptrace-based debugger
- ptrace anti-debugging trick
- about / A ptrace anti-debugging trick
- ptrace debugger
- with process attach capabilities / A simple ptrace debugger with process attach capabilities
- ptrace requests
- about / ptrace requests
- ptrace request types
- about / ptrace request types
- PTRACE_ATTACH / ptrace request types
- PTRACE_TRACEME / ptrace request types
- PTRACE_PEEKTEXT/PTRACE_PEEKDATA/PTRACE_PEEKUSER / ptrace request types
- PTRACE_POKETEXT/PTRACE_POKEDATA/PTRACE_POKEUSER / ptrace request types
- PTRACE_GETREGS / ptrace request types
- PTRACE_SETREGS / ptrace request types
- PTRACE_CONT / ptrace request types
- PTRACE_DETACH / ptrace request types
- PTRACE_SYSCALL / ptrace request types
- PTRACE_SINGLESTEP / ptrace request types
- PTRACE_GETSIGINFO / ptrace request types
- PTRACE_SETSIGINFO / ptrace request types
- PTRACE_SETOPTIONS / ptrace request types
- PTRACE_TRACEME technique
- about / The PTRACE_TRACEME technique
- PT_NOTE to PT_LOAD conversion infection method
Q
- Quenya
R
- %rax register / Techniques for hijacking execution
- read+write+execute (RWX) / Solution
- readecfs
- about / readecfs
- parasite code, extracting with / Extracting parasite code with readecfs
- readelf command
- about / readelf
- regular core file
- ECFS file, using as / Using an ECFS file as a regular core file
- relative jmp
- example / An example with relative jmp
- relocatable code injection
- relocatable code injection-based binary patching
- remote code injection techniques
- about / Process memory viruses and rootkits – remote code injection techniques
- shared library injection / Shared library injection – .so injection/ET_DYN injection
- .so injection, with LD_PRELOAD / .so injection with LD_PRELOAD
- .so injection, with open()/mmap() shellcode / .so injection with open()/mmap() shellcode
- .so injection, with dlopen() shellcode / .so injection with dlopen() shellcode, Illustration 4.8 – C code invoking __libc_dlopen_mode()
- .so injection, with VDSO manipulation / .so injection with VDSO manipulation
- text segment code injections / Text segment code injections
- executable injections / Executable injections
- relocatable code injection / Relocatable code injection – the ET_REL injection
- resistance, to emulation
- about / Resistance to emulation
- emulation, detecting through syscall testing / Detecting emulation through syscall testing
- emulated CPU inconsistencies, detecting / Detecting emulated CPU inconsistencies
- timing delays, checking between certain instructions / Checking timing delays between certain instructions
- Retaliation
- ret instruction
- example / An example with the ret instruction
- Return-Oriented Programming (ROP) / Maya's anti-exploitation
- reverse text infection
- about / The reverse text infection
- algorithm / Algorithm for reverse text infection
- reverse text infection method
- reference link / Algorithm for reverse text infection
- reverse text padding infections
- identifying / Identifying reverse text padding infections
- runtime kernel kmem patching
- reference link / Papers mentioned in this chapter
S
- .so injection, with dlopen() shellcode
- .so injection, with LD_PRELOAD
- about / .so injection with LD_PRELOAD
- .so injection, with open()/mmap() shellcode
- .so injection, with VDSO manipulation
- .so injection detection
- principles / Heuristics for .so injection detection
- Saruman
- about / Process infection tools
- reference link / Process infection tools, Examining an infected process using ECFS
- Saruman virus
- section header analysis
- about / The section header analysis
- section headers, ECFS
- about / ECFS section headers
- ._TEXT / ECFS section headers
- ._DATA / ECFS section headers
- .stack / ECFS section headers
- .heap / ECFS section headers
- .bss / ECFS section headers
- .vdso / ECFS section headers
- .vsyscall / ECFS section headers
- .procfs.tgz / ECFS section headers
- .prstatus / ECFS section headers
- .fdinfo / ECFS section headers
- .siginfo / ECFS section headers
- .auxvector / ECFS section headers
- .exepath / ECFS section headers
- .personality / ECFS section headers
- .arglist / ECFS section headers
- security vulnerability-based attacks / Security vulnerability-based attacks
- shared library injection
- shared library mappings
- about / Shared library mappings
- shared object loading
- about / Shared object loading – legitimate or not?
- legitimate shared object loading / Legitimate shared object loading
- illegitimate shared object loading / Illegitimate shared object loading
- Shiva
- SIGABRT
- SIGSEGV
- SIGTRAP handler technique
- about / The SIGTRAP handler technique
- Silvio .text infection method
- algorithm / Algorithm for the Silvio .text infection method
- Silvio padding infection
- use cases / Use cases for the Silvio padding infection
- Silvio padding infection method
- Skeksi virus
- URL / Solution
- sshd_fucker (phrack .so injection paper)
- about / Process infection tools
- reference link / Process infection tools
- stack
- about / The stack, vdso, and vsyscall
- LD_PRELOAD, finding on / Finding LD_PRELOAD on the stack
- static keyword / Symbol bindings
- stock vmlinux
- no symbols / stock vmlinux has no symbols
- strace
- about / strace
- string table transformation technique
- strip
- about / stock vmlinux has no symbols
- stub
- stub mechanics
- symbol hijacking
- symbol table analysis
- about / The symbol table analysis
- symbol table reconstruction, ECFS / ECFS symbol table reconstruction
- syscall testing
- emulation, detecting through / Detecting emulation through syscall testing
- sys_call_table
- navigating, example / An example of navigating sys_call_table
- checking, textify used / An example of using textify to check sys_call_table
- sys_call_table modifications
- detecting / Detecting sys_call_table modifications
- sys_write
- hijacking, on 32-bit kernel / An example code for hijacking sys_write on a 32-bit kernel
T
- taskverse
- about / Linux kernel forensics and rootkits
- used, for viewing hidden processes / Using taskverse to see hidden processes
- taskverse techniques
- about / Taskverse techniques
- reference link / Taskverse techniques
- techniques, for hijacking execution
- PLT/GOT redirection / Techniques for hijacking execution
- inline function hooking / Techniques for hijacking execution
- .ctors, patching / Techniques for hijacking execution
- .dtors, patching / Techniques for hijacking execution
- VDSO, hijacking for syscall interception / Techniques for hijacking execution
- textify
- used, for verifying kernel code integrity / Using textify to verify kernel code integrity
- used, for checking sys_call_table / An example of using textify to check sys_call_table
- text padding infection, VX Heaven paper
- reference link / The Silvio padding infection method
- text segment code injections
- about / Text segment code injections
- text segment padding infection
- text segment padding infections
- identifying / Identifying text segment padding infections
- thread-local storage (TLS) / The process register state and flags
- tools, for detecting PLT/GOT hooks
- Linux VMA Voodoo / Tools for detecting PLT/GOT hooks
- ECFS / Tools for detecting PLT/GOT hooks
- Volatility plt_hook / Tools for detecting PLT/GOT hooks
- tracee
- about / ptrace request types
- tracer
- about / ptrace request types
- tracer program
- using / Using the tracer program
U
- UPX
- use cases, for Silvio padding infection
- useful devices and files
- about / Useful devices and files
- /proc/<pid>/maps / /proc/<pid>/maps
- /proc/kcore / /proc/kcore
- /boot/System.map / /boot/System.map
- /proc/kallsyms / /proc/kallsyms
- /proc/iomem / /proc/iomem
- ECFS / ECFS
- userland exec
- about / Stub mechanics and the userland exec
- reference link / Stub mechanics and the userland exec
V
- VDSO
- about / The stack, vdso, and vsyscall
- manipulating / Manipulating VDSO to perform dirty work
- VFS function pointer
- validating / Detecting VFS layer rootkits
- VFS layer rootkits
- about / VFS layer rootkits
- detecting / Detecting VFS layer rootkits
- VMA Monitor
- reference link / History
- VMA Voodoo
- vmlinux
- building, with kdress / Building a proper vmlinux with kdress
- vmlinux patching
- Volatility plt_hook
- about / Tools for detecting PLT/GOT hooks
- reference link / Tools for detecting PLT/GOT hooks
- vsyscall
- about / The stack, vdso, and vsyscall