Differences between version 3 and previous revision of RootKit.
Newer page: version 3 | Last edited on Tuesday, November 15, 2005 11:30:28 am | by zcat(1)
Older page: version 2 | Last edited on Monday, November 14, 2005 8:43:26 pm | by zcat(1)
@@ -1,8 +1,8 @@
["Most people I think don't even know what a rootkit is, so why should they care about it?"|http://zcat.wired.net.nz/files/rootkit.mp3]- Thomas Hesse, President of Sony's Global Digital Business
-A rootkit is a patch or series of patches applied to your OperatingSystem to hide the presence of files and processes which are not supposed to be there.
+A rootkit is a patch or series of patches applied to your OperatingSystem to hide the presence of files and processes which are (from the user or sysadmin's perspective)
not supposed to be there.
-Early rootkits involved replacing all
the system binaries (ls, ps, who) with modified versions which would filter the 'hidden' information from their normal
output. These days it's usually done by loading a kernel module which filters the hidden files and processes from low-level system calls.
+Early rootkits involved replacing many of
the system binaries (ls, ps, who, top
) with modified versions which would filter the 'hidden' information from their output. These days it's usually done by loading a kernel module which filters the hidden files and processes from low-level system calls.
(a kernel hacker might be able to explain this better :)
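Review bot: the second added paragraph still ends with "(a kernel hacker might be able to explain this better :)", which leaves the key point vague; the sentence "These days it's usually done by loading a kernel module which filters the hidden files and processes from low-level system calls" could instead spell out the consequence: once the filtering happens in the kernel, every userland tool (not just the replaced ls, ps, who, top) receives the filtered answers, so the detection approach that worked against the early binary-replacing rootkits (comparing the installed binaries against known-good copies) no longer helps, and the system has to be examined from outside its own kernel (for example, from a boot of known-clean media). Suggest replacing the parenthetical with a sentence along those lines. Also, in the added first paragraph the list "(ls, ps, who, top" is followed by a line break before the closing ")", so the rendered text reads "top\n)"; join these onto one line. Minor: the new parenthetical "(from the user or sysadmin's perspective)" is inserted mid-sentence and splits "which are ... not supposed to be there" across a line break; moving it to the end of the sentence reads more cleanly.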