
1. What is a rootkit?
A rootkit is malware whose main objective is to maintain persistence on a system while remaining completely hidden: it hides processes, directories and other artifacts in order to avoid detection.
This makes its detection very complex, and its mitigation even more so, since staying hidden is one of a rootkit's main goals.
A rootkit achieves this by changing the system's default behavior to whatever it wants.
1.1 What is a kernel? Userland and kernel land differences
The kernel is the core of the operating system, responsible for managing system resources and facilitating communication between hardware and software. It operates at the lowest layer of the system; components that operate in kernel land include the kernel itself, device drivers and kernel modules (known as Loadable Kernel Modules, or LKMs).
On the other hand, userland (or userspace) is the layer where user programs and applications are executed. This is the part of the OS that interacts with the user: browsers, text editors, games, and the everyday programs the user runs.
1.2 What is a system call?
System calls (syscalls) are fundamental to an OS: they allow running processes to request services from the kernel.
These services include operations such as file management, inter-process communication, and process creation and management, among others.
A very practical example: if we write a simple "Hello, World!" in C and analyze it with strace, we see that it ends up using the write syscall (sys_write) to print the text.
root@infect:~# cat hello.c ; ls hello
#include <stdio.h>
int main() {
    printf("Hello, World!\n");
    return 0;
}
hello
root@infect:~# strace ./hello 2>&1 | grep write
write(1, "Hello, World!\n", 14Hello, World!
root@infect:~#
