Developing a Linux Rootkit: kernel internals & subversive techniques

Presented at ToorCamp 2018, June 23, 2018, 3 p.m. (20 minutes)

Rootkits, the most pervasive of backdoors, are the final step in post-exploitation. This talk will tour the fundamentals of Linux kernel development and the anatomy of an LKM rootkit by building one from scratch. The talk will explore the blackhat techniques used to subvert the kernel, hook system calls, and hide from user space. We'll look at the effectiveness of, and strategies for, rootkit detection, and discuss the security implications that bridge user and kernel space.


Presenters:

  • Marcus Hodges / meta as Marcus Hodges
    As the Director of Research at Security Innovation, Marcus Hodges is a technical leader who is passionate about advancing the state of security. Marcus has a degree in Mathematics from the University of Washington and is a founding member of the Neg9 Capture the Flag (CTF) team.
