File Hiding

To remedy this problem, let's hide trojan_hello so that it doesn't appear on the filesystem. This can be accomplished by hooking the getdirentries system call. This call is responsible for listing (i.e., returning) a directory's contents, and it is implemented in the file /sys/kern/vfs_syscalls.c as follows.

Note

Take a look at this code and try to discern some structure in it. If you don't understand all of it, don't worry. An explanation of the getdirentries system call appears after this listing.

```c
/* Kernel entry point for getdirentries(2), written in the old K&R
 * definition style: td is the calling thread, uap points at the
 * user-supplied arguments (fd, buf, count, basep). */
int
getdirentries(td, uap)
	struct thread *td;
	register struct getdirentries_args /* {
		int fd;
		char *buf;
		u_int count;
		long *basep;
	} */ *uap;
{
	struct vnode *vp;
	struct file *fp;
	struct uio auio;
	struct iovec aiov;
	int vfslocked;
	long loff;
	...
```

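Since a hook on getdirentries only alters what the listing returns, the directory's own inode still records how many subdirectories it has (link count = 2 + subdirectories on UFS and ext-style filesystems). The cross-view check below exploits that discrepancy to detect a hidden subdirectory; it is an added example, not code from the book, and it assumes /tmp is writable for its self-test.

```c
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Subdirectories readdir(3), built on getdirentries(2), shows; lstat so symlinks don't count. */
static long count_visible_subdirs(const char *path)
{
    DIR *d = opendir(path);
    struct dirent *de; struct stat st;
    char full[4096];
    long n = 0;
    if (d == NULL) return -1;
    while ((de = readdir(d)) != NULL) {
        if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) continue;
        snprintf(full, sizeof full, "%s/%s", path, de->d_name);
        if (lstat(full, &st) == 0 && S_ISDIR(st.st_mode)) n++;
    }
    closedir(d);
    return n;
}

/* Cross-view check: on UFS/ext-style filesystems a directory's link count is
 * 2 + its subdirectory count, which a hooked getdirentries() cannot alter.
 * Returns how many subdirectories the link count implies but the listing
 * omits; 0 if the views agree or nlink is not maintained (nlink == 1); -1 on error. */
long hidden_subdir_count(const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0 || !S_ISDIR(st.st_mode)) return -1;
    long visible = count_visible_subdirs(path), expected = (long)st.st_nlink - 2;
    if (visible < 0) return -1;
    return expected > visible ? expected - visible : 0;
}

/* Constructed scratch directory (two subdirectories plus a symlink to one of
 * them) to exercise the check; on an unhooked kernel both views agree: 0. */
long self_check(void)
{
    char dir[] = "/tmp/hidecheck.XXXXXX", a[64], b[64], l[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(a, sizeof a, "%s/a", dir); mkdir(a, 0700);
    snprintf(b, sizeof b, "%s/b", dir); mkdir(b, 0700);
    snprintf(l, sizeof l, "%s/l", dir); symlink("a", l);
    long r = hidden_subdir_count(dir);
    unlink(l); rmdir(a); rmdir(b); rmdir(dir);
    return r;
}
```

Run hidden_subdir_count() over directories you care about from a cron job; a positive result means the listing and the inode disagree, which is worth investigating even though filesystems that do not maintain the link-count convention make the check inconclusive there.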