2014-02-18 20:10 GMT+01:00 Dmitrij D. Czarkoff <[email protected]>:
> Giancarlo Razzolini said:
>> ........... What we are discussing is if it is possible, using
>> LD_PRELOAD, to inject code on the execution of any given programs, and
>> to be able to hide the fact that the machine has a rootkit installed
>> using this method.
>
> So you think that placing rootkit in LD_PRELOAD hides it? I would wonder
> about your definition of revealing then.
No, this can't be so easily hidden. You can compare used syscalls with addresses directly from libc.so (path) using dlsym() and RTLD_NEXT, but this is a crazy method of checking. The easiest way to prevent LD_PRELOAD hooks is static linking.
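The comparison described in the reply, written out as an added example that is not part of the thread and not anyone's posted code. It assumes glibc on Linux (libc.so.6 is the library name, and RTLD_NOLOAD/RTLD_DEFAULT are available); the function names symbol_is_interposed and preload_requested are mine. The idea is to take a libc symbol through normal lookup order (main program, then any LD_PRELOAD objects, then libc) and compare it with the address libc.so itself exports; a mismatch means something sits in front of libc for that symbol. A second helper reports whether a preload was requested at all via LD_PRELOAD or /etc/ld.so.preload. As the reply notes, this check is itself made of dlsym() and getenv() calls that a preloaded object can wrap, which is why static linking is the more reliable answer.

```c
/* Added example, not from the thread. Assumes glibc on Linux. */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Returns 1 if `name` resolves (via the global lookup scope) to an address
 * other than the one libc.so.6 itself exports, 0 if both agree, and -1 if
 * either lookup failed (unknown symbol, libc handle unavailable). */
int symbol_is_interposed(const char *name)
{
    /* RTLD_NOLOAD: only obtain a handle if libc is already mapped,
     * never pull in a second copy. */
    void *libc = dlopen("libc.so.6", RTLD_LAZY | RTLD_NOLOAD);
    if (!libc)
        return -1;

    /* Address straight out of libc's own symbol table. */
    void *from_libc = dlsym(libc, name);

    /* RTLD_DEFAULT follows the normal search order: the executable,
     * LD_PRELOAD objects, then the shared libraries, so a preloaded
     * definition of `name` is returned here instead of libc's. */
    void *from_scope = dlsym(RTLD_DEFAULT, name);

    dlclose(libc);  /* only drops the reference we took above */

    if (!from_libc || !from_scope)
        return -1;
    return from_libc != from_scope;
}

/* Returns 1 if a preload was requested through the environment or the
 * system-wide preload file, 0 otherwise. A hook that wraps getenv() or
 * access() can lie here, which is the limitation the reply points at. */
int preload_requested(void)
{
    const char *env = getenv("LD_PRELOAD");
    if (env && *env)
        return 1;
    return access("/etc/ld.so.preload", F_OK) == 0;
}

/* Runs the comparison over a handful of commonly hooked libc entry points
 * and returns how many of them are interposed. */
int count_interposed(void)
{
    static const char *const names[] = {
        "open", "read", "write", "readdir", "getpid", "getenv"
    };
    int hits = 0;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int r = symbol_is_interposed(names[i]);
        printf("%-8s %s\n", names[i],
               r < 0 ? "lookup failed" : r ? "INTERPOSED" : "ok");
        if (r > 0)
            hits++;
    }
    return hits;
}

int main(void)
{
    printf("preload requested: %s\n", preload_requested() ? "yes" : "no");
    int hits = count_interposed();
    printf("%d interposed symbol(s)\n", hits);
    return hits ? 1 : 0;
}
```

On a system with nothing preloaded every line reads "ok"; with an object in LD_PRELOAD that defines, say, readdir, that line flips to "INTERPOSED" because the global lookup now stops at the preloaded definition before reaching libc. On glibc older than 2.34 the dl* functions live in libdl, so link with -ldl there.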

