artif: dump /etc/ld.so.preload with debugfs/xfs_db #280
Add a new artifact to collect /etc/ld.so.preload. Although LD_PRELOAD rootkits may hide /etc/ld.so.preload, it can be read via debugfs.
Add a new artifact to dump /etc/ld.so.preload. If the file system where /etc is located is XFS, we need to use xfs_db instead of debugfs.
Refactor command options.
Merge debugfs.yaml and xfs_db.yaml into one file.
Any file can be dumped.
Fix problems detected by ShellCheck and a bug regarding tracking of symbolic links
This is cool, but I need some time for testing it. I will release UAC v3.0.0 and move this to 3.1.0. Thanks!
Add collection of stat even if the file is hidden. Change the output file as any files that are written to disk that matches ld.so.preload is modified by the rootkit. Moved the condition from command to condition.
Before merging into develop, I had to do some small changes.
Change script name to linux_dump_etc_ld_so_preload.sh
Thanks for your detailed review.
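As an added illustration of the technique this PR is about (reading /etc/ld.so.preload through the filesystem's own debugging tool, so that a userland LD_PRELOAD rootkit hooking libc cannot hide the file from the reader), here is a POSIX shell example. It is not UAC's linux_dump_etc_ld_so_preload.sh and not the PR author's code. It goes one step past the PR by comparing the normal read with the raw dump and classifying the result, which is the detection a responder actually wants. Assumptions: it runs as root, e2fsprogs (debugfs), xfsprogs (xfs_db) and findmnt are installed, and the xfs_db command sequence `path` / `dblock 0` / `type text` / `print` is an assumed way to reach file data in recent xfsprogs, not something the PR shows; debugfs's `-R "cat <path>"` is the documented way to dump a file on ext2/3/4.

```shell
#!/bin/sh
# Added example, not UAC's artifact script. Reads /etc/ld.so.preload through
# the filesystem debugger (debugfs for ext*, xfs_db for XFS) and compares it
# with the ordinary read that a rootkit's libc hooks can filter.

# Map a filesystem type to the tool that can walk it offline.
reader_for_fstype() {
  case "$1" in
    ext2|ext3|ext4) echo debugfs ;;
    xfs)            echo xfs_db ;;
    *)              return 1 ;;
  esac
}

# debugfs/xfs_db see paths relative to the filesystem root, which is the
# mount point, not "/". /etc/ld.so.preload on a separate /etc mount is
# /ld.so.preload inside that filesystem.
path_within_mount() {
  full="$1"; mnt="$2"
  if [ "$mnt" = "/" ]; then
    printf '%s\n' "$full"
  else
    printf '%s\n' "${full#"$mnt"}"
  fi
}

# Dump the file from the block device with the chosen tool.
# The xfs_db command chain is an assumption about xfsprogs syntax.
raw_read() {
  tool="$1"; dev="$2"; rel="$3"
  case "$tool" in
    debugfs) debugfs -R "cat $rel" "$dev" 2>/dev/null ;;
    xfs_db)  xfs_db -r -c "path $rel" -c "dblock 0" -c "type text" \
                    -c "print" "$dev" 2>/dev/null ;;
  esac
}

# Compare what libc-mediated open()/read() returned with the raw dump.
#   absent     : neither view has content (no preload file)
#   hidden     : only the raw dump has content (userland hooks hide it)
#   tampered   : both have content but they differ (read() is being altered)
#   consistent : identical views
classify() {
  normal="$1"; raw="$2"
  if [ -z "$raw" ] && [ -z "$normal" ]; then
    echo absent
  elif [ -z "$normal" ] && [ -n "$raw" ]; then
    echo hidden
  elif [ "$normal" != "$raw" ]; then
    echo tampered
  else
    echo consistent
  fi
}

# Resolve where /etc lives, dump the file both ways and print the verdict.
check_preload() {
  target=/etc/ld.so.preload
  fstype=$(findmnt -n -o FSTYPE --target /etc)
  dev=$(findmnt -n -o SOURCE --target /etc)
  mnt=$(findmnt -n -o TARGET --target /etc)
  tool=$(reader_for_fstype "$fstype") || {
    echo "unsupported filesystem for raw read: $fstype" >&2; return 2; }
  rel=$(path_within_mount "$target" "$mnt")
  normal=$(cat "$target" 2>/dev/null)
  raw=$(raw_read "$tool" "$dev" "$rel")
  verdict=$(classify "$normal" "$raw")
  echo "$target on $dev ($fstype, read via $tool): $verdict"
  [ -n "$raw" ] && printf 'raw contents:\n%s\n' "$raw"
  return 0
}

# Only touch the live system when explicitly asked (needs root).
if [ "${RUN_PRELOAD_CHECK:-0}" = 1 ]; then
  check_preload
fi
```

Run it as `RUN_PRELOAD_CHECK=1 sh preload_check.sh` on a live host. A "hidden" verdict is the case the PR targets: the raw dump has content while the ordinary read returns nothing, which is exactly what an LD_PRELOAD rootkit filtering the file from its own users produces. Note that a kernel-level rootkit could also intercept the block-device reads, so this check only raises confidence against userland hiding.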