# Home

blank edited this page Nov 24, 2016 · 20 revisions
vlany is a ring-3 (userland) rootkit that uses the LD_PRELOAD feature to make sure it is loaded before any other shared library, which lets it hide efficiently from regular users and system administrators. Its main focus is being stealthy and efficient while giving the user a range of tools. It is being actively developed here on GitHub and is completely open source for anyone to use and edit.

### Features
- Process hiding
- User hiding
- Network hiding
- LXC container
- Anti-Debug
- Anti-Forensics
- Persistent (re)installation & Anti-Detection
- Dynamic linker modifications
- Backdoors
- vlany-exclusive commands
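The "Process hiding" and "Dynamic linker modifications" entries above both rest on the same mechanism: a preloaded library sits in front of libc, so anything that lists `/proc` through `opendir`/`readdir` sees only what the hook lets through. The following is an added defender-side check, not vlany code and not part of this wiki, showing how that view can be cross-checked against the kernel directly: it lists `/proc` once through libc and once through the raw `getdents64` syscall and reports PID directories only the raw view returns, and it tests for `/etc/ld.so.preload` through a raw `openat` rather than a hookable `fopen`. The `/tmp` fixture directory, the `MAX_ENTRIES` cap and all function names are assumptions made for this example.

```c
/* Added example, not vlany code: a defender-side check for the LD_PRELOAD
 * hooking described above. A preloaded library can filter what readdir()
 * returns for /proc, so the libc view of PID directories is compared with the
 * view from the raw getdents64 syscall; names only the raw view shows point
 * at a hooked libc. Paths and the fixture directory are assumptions. */
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_ENTRIES 8192   /* cap on PID names kept per listing (assumed) */
struct raw_dirent64 {      /* record layout returned by getdents64(2) */
    unsigned long long d_ino; long long d_off;
    unsigned short d_reclen; unsigned char d_type; char d_name[];
};
typedef struct { char names[MAX_ENTRIES][32]; int n; } name_list;
static name_list g_libc, g_raw;   /* scratch lists for hidden_pid_count */

static int is_pid_name(const char *s) {
    if (!*s) return 0;
    for (; *s; s++) if (!isdigit((unsigned char)*s)) return 0;
    return 1;
}
static void add_name(name_list *l, const char *s) {
    if (l->n < MAX_ENTRIES) snprintf(l->names[l->n++], sizeof l->names[0], "%s", s);
}

/* View 1: opendir/readdir from libc, the calls a preloaded hook can filter. */
int list_pids_libc(const char *path, name_list *out) {
    out->n = 0;
    DIR *d = opendir(path);
    if (!d) return -1;
    for (struct dirent *e; (e = readdir(d)) != NULL;)
        if (is_pid_name(e->d_name)) add_name(out, e->d_name);
    closedir(d);
    return out->n;
}

/* View 2: openat + getdents64 via syscall(2), so no preloaded opendir/readdir
 * wrapper sits in the path (a hook on syscall() itself would still defeat it). */
int list_pids_raw(const char *path, name_list *out) {
    static char buf[65536] __attribute__((aligned(8)));
    out->n = 0;
    int fd = (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    for (long n; (n = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0;)
        for (long off = 0; off < n;) {
            struct raw_dirent64 *d = (struct raw_dirent64 *)(buf + off);
            if (is_pid_name(d->d_name)) add_name(out, d->d_name);
            off += d->d_reclen;
        }
    syscall(SYS_close, fd);
    return out->n;
}

/* PID names in the raw view but not the libc view: 0 = views agree, -1 = the
 * directory was unreadable. A process exiting between the two scans gives a
 * transient false positive, so repeat before treating >0 as a finding. */
int hidden_pid_count(const char *path) {
    if (list_pids_libc(path, &g_libc) < 0 || list_pids_raw(path, &g_raw) < 0)
        return -1;
    int hidden = 0;
    for (int i = 0; i < g_raw.n; i++) {
        int seen = 0;
        for (int j = 0; j < g_libc.n && !seen; j++)
            seen = strcmp(g_libc.names[j], g_raw.names[i]) == 0;
        if (!seen) { printf("only in raw view: %s/%s\n", path, g_raw.names[i]); hidden++; }
    }
    return hidden;
}

/* Companion check through raw openat, so a hooked open() reporting ENOENT
 * cannot hide the file. A patched dynamic linker that reads another path
 * (the "dynamic linker modifications" feature) still evades this check. */
int preload_file_present(const char *path) {
    int fd = (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY);
    if (fd < 0) return 0;
    syscall(SYS_close, fd);
    return 1;
}

/* Constructed fixture: throwaway directory with "1", "42", "notes"; both views
 * must agree on it (2 PID-like names, 0 hidden). */
const char *sample_dir(void) {
    static char path[] = "/tmp/preload_check_XXXXXX";
    static int ready = 0;
    if (ready) return path;
    if (!mkdtemp(path)) return NULL;
    const char *names[] = { "1", "42", "notes" };
    for (int i = 0; i < 3; i++) {
        char p[64]; snprintf(p, sizeof p, "%s/%s", path, names[i]);
        int fd = open(p, O_WRONLY | O_CREAT, 0600);
        if (fd < 0) return NULL; else close(fd);
    }
    ready = 1;
    return path;
}
```

To use it on a live host, call `hidden_pid_count("/proc")` and `preload_file_present("/etc/ld.so.preload")` from a `main`; a result of 0 and 0 means the libc view matched the kernel view and no preload file was found through the raw path. This is the same comparison idea that hunters such as unhide apply, and it has the same limits: the `syscall()` wrapper is itself a libc symbol a preloaded library could intercept, so a statically linked checker (which LD_PRELOAD cannot touch at all) or inline syscall stubs are the more robust form, and a modified `ld.so` that reads a different preload path leaves the file check blind.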
### Further reading

- http://haxelion.eu/article/LD_NOT_PRELOADED_FOR_REAL/
- https://www.youtube.com/watch?v=oYgmwwlcLc0 (probably one of my favourites)
- https://www.youtube.com/watch?v=cTETqvEn_EM (game hacking related, but it still indirectly explains how LD_PRELOAD can be used to hook other functions)
- http://volatility-labs.blogspot.co.uk/2012/09/movp-24-analyzing-jynx-rootkit-and.html
- https://www.reddit.com/r/linuxadmin/comments/23vhtd/anyone_seeing_weird_ssh_user_accepted_logs/
- Mac OS X (Darwin) equivalent of LD_PRELOAD trickery