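@comment{
  Reference database for the eBPF rootkit write-up. The file uses biblatex/Biber
  fields (date, urldate, eventtitle), so values are UTF-8 and one field per line.
  Conventions: authors as "Last, First" joined with " and "; page ranges use "--";
  acronyms and proper nouns are brace-protected in titles. Keys are referenced by
  the document and are kept unchanged. Entries whose key ends in _pNN / _pageNN are
  page-specific duplicates of a base entry; citing the base entry with
  \cite[p.~NN]{key} would make them unnecessary, but they are retained so existing
  citations still resolve.
}

@report{ransomware_paloalto,
  institution  = {Palo Alto Networks},
  title        = {Ransomware Threat Report 2022},
  date         = {2022},
  url          = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/2022-unit42-ransomware-threat-report-final.pdf},
}

@report{ransomware_pwc,
  institution  = {PricewaterhouseCoopers},
  title        = {Cyber Threats 2021: A Year in Retrospect},
  url          = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf},
}

@report{rootkit_ptsecurity,
  institution  = {Positive Technologies},
  title        = {Rootkits: Evolution and Detection Methods},
  date         = {2021-11-03},
  url          = {https://www.ptsecurity.com/ww-en/analytics/rootkits-evolution-and-detection-methods/},
}

@online{ebpf_linux318,
  title        = {{eBPF} Incorporation in the {Linux} Kernel 3.18},
  date         = {2014-12-07},
  url          = {https://kernelnewbies.org/Linux_3.18},
}

@report{bvp47_report,
  institution  = {Pangu Lab},
  title        = {Bvp47: Top-tier Backdoor of {US} {NSA} Equation Group},
  date         = {2022-02-23},
  url          = {https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf},
}

@report{bpfdoor_pwc,
  institution  = {PricewaterhouseCoopers},
  title        = {Cyber Threats 2021: A Year in Retrospect},
  url          = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf},
  pages        = {37},
}

@comment{
  ebpf_friends, ebpf_friends_p15 and ebpf_friends_p37 previously carried the PwC
  report title in eventtitle (copy-paste); the talk title is taken from the slide
  deck's file name in the url, and the third presenter named there is added.
}
@inproceedings{ebpf_friends,
  author       = {Fournier, Guillaume and Afchain, Sylvain and Baubeau, Sylvain},
  title        = {{eBPF}, I Thought We Were Friends},
  booktitle    = {{DEF CON} 29},
  institution  = {Datadog},
  date         = {2021},
  url          = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf},
}

@online{ebpf_friends_github,
  author       = {Fournier, Guillaume and Afchain, Sylvain},
  title        = {ebpfkit},
  url          = {https://github.com/Gui774ume/ebpfkit},
}

@online{ebpf_friends_blackhat,
  author       = {Fournier, Guillaume and Baubeau, Sylvain},
  title        = {With Friends Like {eBPF}, Who Needs Enemies?},
  date         = {2021-08-05},
  url          = {https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-With-Friends-Like-EBPF-Who-Needs-Enemies.pdf},
}

@inproceedings{evil_ebpf,
  author       = {Dileo, Jeff},
  title        = {Evil {eBPF}: Practical Abuses of an In-Kernel Bytecode Runtime},
  booktitle    = {{DEF CON} 27},
  institution  = {NCC Group},
  date         = {2019},
  url          = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf},
}

@online{evil_ebpf_github,
  organization = {NCC Group},
  title        = {Miscellaneous {eBPF} Tooling},
  url          = {https://github.com/nccgroup/ebpf},
}

@inproceedings{god_ebpf,
  author       = {Dileo, Jeff and Olsen, Andy},
  title        = {Kernel Tracing With {eBPF}: Unlocking God Mode on {Linux}},
  booktitle    = {35C3},
  institution  = {NCC Group},
  date         = {2018},
  url          = {https://berlin-ak.ftp.media.ccc.de/congress/2018/slides-pdf/35c3-9532-kernel_tracing_with_ebpf.pdf},
}

@inproceedings{bad_ebpf,
  author       = {Hogan, Pat},
  title        = {Bad {BPF} -- Warping Reality Using {eBPF}},
  booktitle    = {{DEF CON} 27},
  date         = {2019},
  url          = {https://www.youtube.com/watch?v=g6SKWT7sROQ},
}

@online{bad_ebpf_github,
  author       = {Hogan, Pat},
  title        = {Bad {BPF}},
  url          = {https://github.com/pathtofile/bad-bpf},
}

@comment{
  ebpf_windows and ebpf_android had their titles shifted by one entry
  (ebpf_windows duplicated ebpf_linux318; ebpf_android was titled "eBPF for
  Windows"). ebpf_windows now points at the eBPF for Windows project repository;
  the Android page title was taken from the AOSP documentation -- confirm both.
}
@online{ebpf_windows,
  title        = {{eBPF} for {Windows}},
  organization = {Microsoft},
  url          = {https://github.com/microsoft/ebpf-for-windows},
}

@online{ebpf_android,
  title        = {Extending the Kernel with {eBPF}},
  organization = {Android Open Source Project},
  url          = {https://source.android.com/devices/architecture/kernel/bpf},
}

@report{bpf_bsd_origin,
  author       = {McCanne, Steven and Jacobson, Van},
  title        = {The {BSD} Packet Filter: A New Architecture for User-level Packet Capture},
  institution  = {Lawrence Berkeley Laboratory},
  date         = {1992-12-19},
  url          = {https://www.tcpdump.org/papers/bpf-usenix93.pdf},
}

@report{bpf_bsd_origin_bpf_page1,
  author       = {McCanne, Steven and Jacobson, Van},
  title        = {The {BSD} Packet Filter: A New Architecture for User-level Packet Capture},
  institution  = {Lawrence Berkeley Laboratory},
  date         = {1992-12-19},
  url          = {https://www.tcpdump.org/papers/bpf-usenix93.pdf},
  pages        = {1},
}

@comment{
  bpf_bsd_origin_bpf_page2 had pages = 1 (identical to _page1); corrected to 2 to
  match the key. Verify against the citing text.
}
@report{bpf_bsd_origin_bpf_page2,
  author       = {McCanne, Steven and Jacobson, Van},
  title        = {The {BSD} Packet Filter: A New Architecture for User-level Packet Capture},
  institution  = {Lawrence Berkeley Laboratory},
  date         = {1992-12-19},
  url          = {https://www.tcpdump.org/papers/bpf-usenix93.pdf},
  pages        = {2},
}

@report{bpf_bsd_origin_bpf_page5,
  author       = {McCanne, Steven and Jacobson, Van},
  title        = {The {BSD} Packet Filter: A New Architecture for User-level Packet Capture},
  institution  = {Lawrence Berkeley Laboratory},
  date         = {1992-12-19},
  url          = {https://www.tcpdump.org/papers/bpf-usenix93.pdf},
  pages        = {5},
}

@report{bpf_bsd_origin_bpf_page7,
  author       = {McCanne, Steven and Jacobson, Van},
  title        = {The {BSD} Packet Filter: A New Architecture for User-level Packet Capture},
  institution  = {Lawrence Berkeley Laboratory},
  date         = {1992-12-19},
  url          = {https://www.tcpdump.org/papers/bpf-usenix93.pdf},
  pages        = {7},
}

@report{bpf_bsd_origin_bpf_page8,
  author       = {McCanne, Steven and Jacobson, Van},
  title        = {The {BSD} Packet Filter: A New Architecture for User-level Packet Capture},
  institution  = {Lawrence Berkeley Laboratory},
  date         = {1992-12-19},
  url          = {https://www.tcpdump.org/papers/bpf-usenix93.pdf},
  pages        = {8},
}

@online{ebpf_history_opensource,
  title        = {An Intro to Using {eBPF} to Filter Packets in the {Linux} Kernel},
  date         = {2017-08-11},
  url          = {https://opensource.com/article/17/9/intro-ebpf},
}

@manual{ebpf_io,
  title        = {{eBPF} Documentation},
  url          = {https://ebpf.io/what-is-ebpf/},
}

@manual{ebpf_io_arch,
  title        = {{eBPF} Documentation: Loader and Verification Architecture},
  url          = {https://ebpf.io/what-is-ebpf/#loader--verification-architecture},
}

@manual{ebpf_io_verification,
  title        = {{eBPF} Documentation: Verification},
  url          = {https://ebpf.io/what-is-ebpf/#verification},
}

@manual{index_register,
  title        = {Index Register},
  url          = {https://gunkies.org/wiki/Index_register},
}

@online{bpf_organicprogrammer_analysis,
  title        = {Write a {Linux} Packet Sniffer from Scratch: Part Two -- {BPF}},
  date         = {2022-03-28},
  url          = {https://organicprogrammer.com/2022/03/28/how-to-implement-libpcap-on-linux-with-raw-socket-part2/},
}

@manual{tcpdump_page,
  title        = {Tcpdump and Libpcap},
  url          = {https://www.tcpdump.org},
}

@manual{ebpf_funcs_by_ver,
  title        = {{BPF} Features by {Linux} Kernel Version},
  organization = {iovisor},
  url          = {https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md},
}

@book{brendan_gregg_bpf_book,
  author       = {Gregg, Brendan},
  title        = {{BPF} Performance Tools},
  publisher    = {Addison-Wesley},
  date         = {2019},
  isbn         = {9780136588870},
  url          = {https://www.oreilly.com/library/view/bpf-performance-tools/9780136588870/},
}

@manual{ebpf_inst_set,
  title        = {{eBPF} Instruction Set},
  url          = {https://www.kernel.org/doc/html/latest/bpf/instruction-set.html},
}

@manual{8664_inst_set_specs,
  author       = {{Intel}},
  title        = {Intel\textregistered{} 64 and {IA-32} Architectures Software Developer's Manual Combined Volumes: 1, 2A, 2B, 2C, 2D, 3A, 3B, 3C, 3D, and 4},
  volume       = {2A},
  pages        = {507},
  urldate      = {2022-05-13},
  url          = {https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html},
}

@online{ebpf_starovo_slides,
  author       = {Starovoitov, Alexei},
  title        = {{BPF} -- In-Kernel Virtual Machine},
  organization = {PLUMgrid},
  date         = {2015-02-20},
  url          = {http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf},
}

@online{ebpf_starovo_slides_page23,
  author       = {Starovoitov, Alexei},
  title        = {{BPF} -- In-Kernel Virtual Machine},
  organization = {PLUMgrid},
  date         = {2015-02-20},
  url          = {http://vger.kernel.org/netconf2015Starovoitov-bpf_collabsummit_2015feb20.pdf},
  pages        = {23},
}

@online{ebpf_JIT,
  author       = {Corbet, Jonathan},
  title        = {A {JIT} for Packet Filters},
  date         = {2011-04-12},
  url          = {https://lwn.net/Articles/437981/},
}

@online{ebpf_JIT_demystify_page13,
  author       = {Wang, Jiong},
  title        = {Demystify {eBPF} {JIT} Compiler},
  organization = {Netronome},
  date         = {2018-09-11},
  url          = {https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf},
  pages        = {13},
}

@online{ebpf_JIT_demystify_page14,
  author       = {Wang, Jiong},
  title        = {Demystify {eBPF} {JIT} Compiler},
  organization = {Netronome},
  date         = {2018-09-11},
  url          = {https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf},
  pages        = {14},
}

@online{ebpf_JIT_demystify_page17-22,
  author       = {Wang, Jiong},
  title        = {Demystify {eBPF} {JIT} Compiler},
  organization = {Netronome},
  date         = {2018-09-11},
  url          = {https://www.netronome.com/media/documents/demystify-ebpf-jit-compiler.pdf},
  pages        = {17--22},
}

@book{brendan_gregg_bpf_book_bpf_vm,
  author       = {Gregg, Brendan},
  title        = {{BPF} Performance Tools},
  publisher    = {Addison-Wesley},
  date         = {2019},
  isbn         = {9780136588870},
  url          = {https://learning.oreilly.com/library/view/bpf-performance-tools/9780136588870/ch02.xhtml#:-:text=With%20JIT%20compiled%20code%2C%20i,%20other%20native%20kernel%20code},
}

@manual{jit_enable_setting,
  title        = {bpf\_jit\_enable},
  url          = {https://sysctl-explorer.net/net/core/bpf_jit_enable/},
}

@manual{ebpf_verifier_kerneldocs,
  title        = {{eBPF} Verifier},
  url          = {https://kernel.org/doc/html/latest/bpf/verifier.html},
}

@online{ebpf_bounded_loops,
  author       = {Rybczynska, Marta},
  title        = {Bounded Loops in {BPF} for the 5.3 Kernel},
  date         = {2019-06-30},
  url          = {https://lwn.net/Articles/794934/},
}

@manual{ebpf_maps_kernel,
  title        = {{eBPF} Maps},
  url          = {https://www.kernel.org/doc/html/latest/bpf/maps.html},
}

@manual{ebpf_maps_rddocs,
  title        = {{eBPF} Maps},
  url          = {https://prototype-kernel.readthedocs.io/en/latest/bpf/ebpf_maps.html},
}

@manual{bpf_syscall,
  title        = {bpf(2) --- {Linux} Manual Page},
  url          = {https://man7.org/linux/man-pages/man2/bpf.2.html},
}

@manual{ebpf_helpers,
  title        = {bpf-helpers(7) --- {Linux} Manual Page},
  url          = {https://man7.org/linux/man-pages/man7/bpf-helpers.7.html},
}

@online{xdp_gentle_intro,
  author       = {Lavie, Daniel},
  title        = {A Gentle Introduction to {XDP}},
  date         = {2022-02-03},
  url          = {https://www.seekret.io/blog/a-gentle-introduction-to-xdp/},
}

@manual{xdp_manual,
  title        = {{XDP} Actions},
  url          = {https://prototype-kernel.readthedocs.io/en/latest/networking/XDP/implementation/xdp_actions.html},
}

@online{tc_differences,
  author       = {Liu, Hangbin},
  title        = {tc/{BPF} and {XDP}/{BPF}},
  date         = {2019-03-13},
  url          = {https://liuhangbin.netlify.app/post/ebpf-and-xdp/},
}

@online{tc_direct_action,
  author       = {Monnet, Quentin},
  title        = {Understanding tc ``direct action'' Mode for {BPF}},
  date         = {2020-04-11},
  url          = {https://qmonnet.github.io/whirl-offload/2020/04/11/tc-bpf-direct-action/},
}

@online{tc_docs_complete,
  author       = {Brown, Martin A.},
  title        = {Traffic Control {HOWTO}},
  date         = {2006-10-01},
  url          = {http://linux-ip.net/articles/Traffic-Control-HOWTO/},
}

@online{tc_ret_list_complete,
  title        = {{Linux} Kernel Source Tree: include/uapi/linux/pkt\_cls.h},
  url          = {https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/pkt_cls.h},
}

@manual{tp_kernel,
  author       = {Desnoyers, Mathieu},
  title        = {Using the {Linux} Kernel Tracepoints},
  url          = {https://www.kernel.org/doc/html/latest/trace/tracepoints.html},
}

@manual{kprobe_manual,
  author       = {Keniston, Jim and Panchamukhi, Prasanna S. and Hiramatsu, Masami},
  title        = {Kernel Probes ({Kprobes})},
  url          = {https://www.kernel.org/doc/html/latest/trace/kprobes.html},
}

@online{kallsyms_kernel,
  author       = {Alcock, Nick},
  title        = {kallsyms: New /proc/kallmodsyms with Builtin Modules and Symbol Sizes},
  date         = {2021-06-06},
  url          = {https://lwn.net/Articles/862021/},
}

@online{bcc_github,
  title        = {{BPF} Compiler Collection ({BCC})},
  url          = {https://github.com/iovisor/bcc},
}

@online{libbpf_upstream,
  title        = {{BPF} Next Kernel Tree},
  url          = {https://kernel.googlesource.com/pub/scm/linux/kernel/git/bpf/bpf-next},
}

@online{libbpf_github,
  title        = {libbpf},
  url          = {https://github.com/libbpf/libbpf},
}

@online{libbpf_core,
  author       = {Nakryiko, Andrii},
  title        = {{BPF} Portability and {CO-RE}},
  date         = {2020-02-19},
  url          = {https://facebookmicrosites.github.io/bpf/blog/2020/02/19/bpf-portability-and-co-re.html},
}

@manual{ebpf_kernel_flags,
  title        = {Installing {BCC}: Kernel Configuration},
  url          = {https://github.com/iovisor/bcc/blob/master/INSTALL.md},
}

@manual{ubuntu_caps,
  title        = {capabilities --- Overview of {Linux} Capabilities},
  url          = {http://manpages.ubuntu.com/manpages/trusty/man7/capabilities.7.html},
}

@inproceedings{evil_ebpf_p9,
  author       = {Dileo, Jeff},
  title        = {Evil {eBPF}: Practical Abuses of an In-Kernel Bytecode Runtime},
  booktitle    = {{DEF CON} 27},
  institution  = {NCC Group},
  date         = {2019},
  url          = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf},
  pages        = {9},
}

@online{ebpf_caps_intro,
  title        = {[{PATCH} v7 bpf-next 1/3] bpf, capability: Introduce {CAP\_BPF}},
  url          = {https://lore.kernel.org/bpf/20200513230355.7858-2-alexei.starovoitov@gmail.com/},
}

@online{ebpf_caps_lwn,
  title        = {capability: Introduce {CAP\_BPF} and {CAP\_TRACING}},
  url          = {https://lwn.net/Articles/797807/},
}

@online{unprivileged_ebpf,
  title        = {Reconsidering Unprivileged {BPF}},
  url          = {https://lwn.net/Articles/796328/},
}

@online{cve_unpriv_ebpf,
  title        = {{CVE-2021-4204}: {Linux} Kernel {eBPF} Improper Input Validation Vulnerability},
  url          = {https://www.openwall.com/lists/oss-security/2022/01/11/4},
}

@online{unpriv_ebpf_ubuntu,
  title        = {Unprivileged {eBPF} Disabled by Default for {Ubuntu} 20.04 {LTS}, 18.04 {LTS}, 16.04 {ESM}},
  url          = {https://discourse.ubuntu.com/t/unprivileged-ebpf-disabled-by-default-for-ubuntu-20-04-lts-18-04-lts-16-04-esm/27047},
}

@comment{
  unpriv_ebpf_redhat: the title names CVE-2022-0002 but the url resolves the
  advisory for CVE-2021-4001. Both are left as given; confirm which advisory the
  text means and align the two fields.
}
@online{unpriv_ebpf_redhat,
  title        = {{CVE-2022-0002}},
  organization = {Red Hat},
  url          = {https://access.redhat.com/security/cve/cve-2021-4001},
}

@online{unpriv_ebpf_suse,
  title        = {Security Hardening: Use of {eBPF} by Unprivileged Users Has Been Disabled by Default},
  organization = {SUSE},
  url          = {https://www.suse.com/support/kb/doc/?id=000020545},
}

@manual{8664_params_abi,
  author       = {Lu, H. J. and others},
  title        = {System {V} Application Binary Interface: {AMD64} Architecture Processor Supplement},
  pages        = {148},
  date         = {2018-01-28},
  url          = {https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf},
}

@inproceedings{ebpf_friends_p15,
  author       = {Fournier, Guillaume and Afchain, Sylvain and Baubeau, Sylvain},
  title        = {{eBPF}, I Thought We Were Friends},
  booktitle    = {{DEF CON} 29},
  institution  = {Datadog},
  date         = {2021},
  url          = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf},
  pages        = {15},
}

@online{ebpf_override_return,
  title        = {{BPF}-based Error Injection for the Kernel},
  url          = {https://lwn.net/Articles/740146/},
}

@online{code_kernel_open,
  title        = {{Linux} Kernel Source Code: fs/open.c},
  url          = {https://elixir.bootlin.com/linux/v5.11/source/fs/open.c#L1192},
}

@online{code_kernel_syscall,
  title        = {{Linux} Kernel Source Code: include/linux/syscalls.h},
  url          = {https://elixir.bootlin.com/linux/v5.11/source/include/linux/syscalls.h#L233},
}

@online{fault_injection,
  title        = {Injecting Faults into the Kernel},
  date         = {2006-11-04},
  url          = {https://lwn.net/Articles/209257/},
}

@online{mem_page_arch,
  author       = {Lameter, Christoph},
  title        = {Memory Management 101: Introduction to Memory Management in {Linux}},
  organization = {The Linux Foundation Open Source Summit},
  institution  = {Jump Trading LLC},
  date         = {2017-12-01},
  url          = {https://events19.linuxfoundation.org/wp-content/uploads/2017/12/MM-101-Introduction-to-Linux-Memory-Management-Christoph-Lameter-Jump-Trading-LLC-1.pdf},
}

@online{page_faults,
  author       = {Breaker, Doug},
  title        = {Understanding Page Faults and Memory Swap-in/outs},
  date         = {2019-08-19},
  url          = {https://scoutapm.com/blog/understanding-page-faults-and-memory-swap-in-outs-when-should-you-worry},
}

@online{mem_arch_proc,
  author       = {Sánchez Bajo, Marcos},
  title        = {Stack-based Buffer Overflow -- Part 1},
  date         = {2021-05-23},
  url          = {https://h3xduck.github.io/exploit/2021/05/23/stackbufferoverflow-part1.html},
}

@manual{8664_params_abi_p18,
  author       = {Lu, H. J. and others},
  title        = {System {V} Application Binary Interface: {AMD64} Architecture Processor Supplement},
  pages        = {18},
  date         = {2018-01-28},
  url          = {https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf},
}

@online{write_helper_non_fault,
  title        = {probe\_write\_common\_error},
  url          = {https://www.spinics.net/lists/bpf/msg16795.html},
}

@online{code_vfs_read,
  title        = {{Linux} Kernel Source Code: fs/read\_write.c},
  url          = {https://elixir.bootlin.com/linux/v5.11/source/fs/read_write.c#L476},
}

@manual{8664_params_abi_p1922,
  author       = {Lu, H. J. and others},
  title        = {System {V} Application Binary Interface: {AMD64} Architecture Processor Supplement},
  pages        = {19--22},
  date         = {2018-01-28},
  url          = {https://raw.githubusercontent.com/wiki/hjl-tools/x86-psABI/x86-64-psABI-1.0.pdf},
}

@online{network_layers,
  author       = {Alienor},
  title        = {The Network Layers Explained [with Examples]},
  date         = {2018-11-28},
  url          = {https://www.plixer.com/blog/network-layers-explained/},
}

@online{tcp_reliable,
  title        = {Transmission Control Protocol},
  organization = {IBM},
  date         = {2022-04-19},
  url          = {https://www.ibm.com/docs/en/aix/7.2?topic=protocols-transmission-control-protocol},
}

@online{tcp_handshake,
  title        = {Three-Way Handshake},
  url          = {https://www.sciencedirect.com/topics/computer-science/three-way-handshake},
}

@inproceedings{evil_ebpf_p6974,
  author       = {Dileo, Jeff},
  title        = {Evil {eBPF}: Practical Abuses of an In-Kernel Bytecode Runtime},
  booktitle    = {{DEF CON} 27},
  institution  = {NCC Group},
  date         = {2019},
  url          = {https://raw.githubusercontent.com/nccgroup/ebpf/master/talks/Evil_eBPF-DC27-v2.pdf},
  pages        = {69--74},
}

@inproceedings{ebpf_friends_p37,
  author       = {Fournier, Guillaume and Afchain, Sylvain and Baubeau, Sylvain},
  title        = {{eBPF}, I Thought We Were Friends},
  booktitle    = {{DEF CON} 29},
  institution  = {Datadog},
  date         = {2021},
  url          = {https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Guillaume%20Fournier%20Sylvain%20Afchain%20Sylvain%20Baubeau%20-%20eBPF%2C%20I%20thought%20we%20were%20friends.pdf},
  pages        = {37},
}

@online{rop_prog_finder,
  title        = {{ROPgadget} Tool},
  url          = {https://github.com/JonathanSalwan/ROPgadget},
}

@online{glibc,
  title        = {The {GNU} {C} Library},
  url          = {https://www.gnu.org/software/libc/},
}

@online{plt_got_technovelty,
  author       = {Wienand, Ian},
  title        = {{PLT} and {GOT} -- the Key to Code Sharing and Dynamic Libraries},
  date         = {2011-05-11},
  url          = {https://www.technovelty.org/linux/plt-and-got-the-key-to-code-sharing-and-dynamic-libraries.html},
}

@online{plt_got_overlord,
  author       = {Tomaschik, David},
  title        = {{GOT} and {PLT} for Pwning},
  date         = {2017-03-19},
  url          = {https://systemoverlord.com/2017/03/19/got-and-plt-for-pwning.html},
}

@manual{elf,
  title        = {{ELF}},
  organization = {OSDev Wiki},
  url          = {https://wiki.osdev.org/ELF},
}

@online{pie_exploit,
  title        = {Position Independent Code},
  url          = {https://ir0nstone.gitbook.io/notes/types/stack/pie},
}

@online{aslr_pie_intro,
  title        = {{ASLR}/{PIE} Intro},
  url          = {https://guyinatuxedo.github.io/5.1-mitigation_aslr_pie/index.html#aslrpie-intro},
}

@online{relro_redhat,
  author       = {Sidhpurwala, Huzaifa},
  title        = {Hardening {ELF} Binaries Using Relocation Read-Only ({RELRO})},
  date         = {2019-01-28},
  url          = {https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro},
}

@online{cet_windows,
  author       = {Shafir, Yarden and Ionescu, Alex},
  title        = {R.I.P {ROP}: {CET} Internals in {Windows} 20H1},
  date         = {2020-05-01},
  url          = {https://windows-internals.com/cet-on-windows/},
}

@online{cet_linux,
  author       = {Larabel, Michael},
  title        = {Another Round of {Intel} {CET} Patches, Still Working Toward {Linux} Kernel Integration},
  date         = {2021-07-21},
  url          = {https://www.phoronix.com/scan.php?page=news_item&px=Intel-CET-v29},
}

@online{canary_exploit,
  title        = {Stack Canaries},
  url          = {https://ir0nstone.gitbook.io/notes/types/stack/canaries},
}

@online{rawtcp_lib,
  author       = {Sánchez Bajo, Marcos},
  title        = {RawTCP\_Lib},
  url          = {https://github.com/h3xduck/RawTCP_Lib},
}

@manual{proc_fs,
  title        = {proc(5) --- {Linux} Manual Page},
  url          = {https://man7.org/linux/man-pages/man5/proc.5.html},
}

@online{proc_mem_write,
  title        = {Enable Writing to /proc/pid/mem},
  url          = {https://lwn.net/Articles/433326/},
}

@online{reverse_shell,
  title        = {Reverse Shell},
  organization = {Imperva},
  url          = {https://www.imperva.com/learn/application-security/reverse-shell/},
}

@online{sudoers_man,
  title        = {die.net sudoers(5) --- {Linux} Man Page},
  url          = {https://linux.die.net/man/5/sudoers},
}

@online{syscall_reference,
  title        = {{Linux} Syscall Reference (64bit)},
  url          = {https://syscalls64.paolostivanin.com/},
}

@online{code_kernel_execve,
  title        = {{Linux} Kernel Source Code: fs/exec.c},
  url          = {https://elixir.bootlin.com/linux/v5.11/source/fs/exec.c#L2054},
}

@online{environ,
  title        = {How to Set and List Environment Variables in {Linux}},
  date         = {2021-06-03},
  url          = {https://linuxize.com/post/how-to-set-and-list-environment-variables-in-linux/},
}

@online{execve_man,
  title        = {execve(2) --- {Linux} Manual Page},
  url          = {https://man7.org/linux/man-pages/man2/execve.2.html},
}

@online{bpf_probe_write_user_errors,
  title        = {[iovisor-dev] Accessing User Memory and Minor Page Faults},
  date         = {2017-08-06},
  url          = {https://lists.linuxfoundation.org/pipermail/iovisor-dev/2017-September/001035.html},
}

@online{c_standard_main,
  title        = {Main Function},
  organization = {cppreference.com},
  url          = {https://en.cppreference.com/w/c/language/main_function},
}

@online{busybox_argv,
  title        = {{BusyBox} Examples},
  organization = {Wikipedia},
  url          = {https://en.wikipedia.org/wiki/BusyBox#Examples},
}

@online{ips,
  title        = {What Is an Intrusion Prevention System?},
  organization = {VMware},
  url          = {https://www.vmware.com/topics/glossary/content/intrusion-prevention-system.html},
}

@online{port_knocking,
  author       = {Krzywinski, Martin},
  title        = {Port Knocking -- Network Authentication Across Closed Ports},
  url          = {https://www.muppetwhore.net/sysadmin/html/v12/i06/a2.htm},
}

@report{bvp47_report_p49,
  institution  = {Pangu Lab},
  title        = {Bvp47: Top-tier Backdoor of {US} {NSA} Equation Group},
  date         = {2022-02-23},
  pages        = {49},
  url          = {https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf},
}

@online{pangu_lab,
  title        = {Welcome to Pangu Research Lab},
  url          = {https://pangukaitian.github.io/pangu/?lg=en},
}

@online{rfc_tcp4,
  title        = {{RFC} 793},
  organization = {Information Sciences Institute, University of Southern California},
  date         = {1981-09-01},
  url          = {https://datatracker.ietf.org/doc/html/rfc793},
}

@online{tcp_syn_payload,
  author       = {Kerrisk, Michael},
  title        = {{TCP} Fast Open: Expediting Web Services},
  date         = {2012-08-01},
  url          = {https://lwn.net/Articles/508865/},
}

@book{cisco_syn_firewall,
  author       = {Hucaby, David and Garneau, David and Sequeira, Anthony},
  title        = {{CCNP} Security Firewall 642-617 Official Cert Guide},
  date         = {2011-10-01},
  pages        = {436},
  url          = {https://books.google.es/books?id=-lvwaqFbIS8C&dq=syn+packet+firewall+ignore+payload},
}

@online{hive_implant,
  title        = {({U}) Hive Engineering Development Guide},
  date         = {2014-10-15},
  url          = {https://wikileaks.org/vault7/document/hive-DevelopersGuide/hive-DevelopersGuide.pdf},
}

@online{crc,
  title        = {Cyclic Redundancy Check},
  organization = {Wikipedia},
  url          = {https://en.wikipedia.org/wiki/Cyclic_redundancy_check},
}

@online{file_descriptors,
  title        = {File Descriptor},
  url          = {http://www.cse.cuhk.edu.hk/~ericlo/teaching/os/lab/11-FS/fd.html},
}

@online{raw_sockets,
  title        = {raw(7) --- {Linux} Manual Page},
  url          = {https://man7.org/linux/man-pages/man7/raw.7.html},
}

@online{cron,
  author       = {Gite, Vivek},
  title        = {How to Add Jobs to cron Under {Linux} or {UNIX}},
  date         = {2022-06-02},
  url          = {https://www.cyberciti.biz/faq/how-do-i-add-jobs-to-cron-under-linux-or-unix-oses/},
}

@online{linux_daemons,
  author       = {Dyer, Bill},
  title        = {{Linux} Jargon Buster: What Are Daemons in {Linux}?},
  date         = {2021-06-05},
  url          = {https://itsfoss.com/linux-daemons/},
}

@online{code_kernel_getdents64,
  title        = {{Linux} Kernel Source Code: fs/readdir.c (getdents64)},
  url          = {https://elixir.bootlin.com/linux/v5.11/source/fs/readdir.c#L351},
}

@online{getdents_man,
  title        = {getdents(2) --- {Linux} Manual Page},
  url          = {https://man7.org/linux/man-pages/man2/getdents.2.html},
}

@online{code_kernel_linux_dirent64,
  title        = {{Linux} Kernel Source Code: include/linux/dirent.h},
  url          = {https://elixir.bootlin.com/linux/v5.11/source/include/linux/dirent.h#L5},
}

@online{code_kerel_getdents_buffer_alignation,
  title        = {{Linux} Kernel Source Code: fs/readdir.c (buffer alignment)},
  url          = {https://elixir.bootlin.com/linux/v5.11/source/fs/readdir.c#L313},
}

@online{xcellerator_getdents,
  author       = {{TheXcellerator}},
  title        = {{Linux} Rootkits Part 6: Hiding Directories},
  date         = {2020-09-19},
  url          = {https://xcellerator.github.io/posts/linux_rootkits_06/},
}

@online{embracethered_getdents,
  author       = {Rehberger, Johann},
  title        = {Offensive {BPF}: Understanding and Using bpf\_probe\_write\_user},
  date         = {2021-10-20},
  url          = {https://embracethered.com/blog/posts/2021/offensive-bpf-libbpf-bpf_probe_write_user/},
}

@online{dtype_dirent,
  title        = {Format of a Directory Entry},
  organization = {GNU},
  url          = {https://www.gnu.org/software/libc/manual/html_node/Directory-Entries.html},
}

@online{virtualbox_page,
  title        = {{VirtualBox}},
  url          = {https://www.virtualbox.org/},
}

@online{bridged_networking,
  title        = {Bridged Networking},
  organization = {Oracle},
  url          = {https://docs.oracle.com/en/virtualization/virtualbox/6.0/user/network_bridged.html},
}

@online{nat_comptia,
  title        = {What Is {NAT}?},
  organization = {CompTIA},
  url          = {https://www.comptia.org/content/guides/what-is-network-address-translation},
}

@online{kernel_modules_restrict,
  author       = {Boelen, Michael},
  title        = {Increasing {Linux} Kernel Integrity},
  date         = {2015-05-12},
  url          = {https://linux-audit.com/increase-kernel-integrity-with-disabled-linux-kernel-modules-loading/},
}

@comment{
  jynx2_infosecinstitute: title and author are both "Blackhat Academy"; the url
  suggests the article title is different. Left as given -- confirm the title.
}
@online{jynx2_infosecinstitute,
  author       = {{Blackhat Academy}},
  title        = {Blackhat Academy},
  date         = {2012-03-15},
  url          = {https://resources.infosecinstitute.com/topic/jynx2-sneak-peek-analysis/},
}

@online{ldpreload_so_jynx,
  author       = {Vandeven, Sally},
  title        = {{Linux} Rootkit Detection With {OSSEC}},
  organization = {GIAC},
  date         = {2014-03-26},
  pages        = {18--19},
  url          = {https://www.giac.org/paper/gcia/8751/rootkit-detection-ossec/126976},
}

@inproceedings{ldpreload_pros,
  author       = {Martyn, Darren},
  title        = {The Continued Evolution of Userland {Linux} Rootkits},
  booktitle    = {{BSides} Dublin 2022},
  date         = {2022-03-13},
  pages        = {3--6},
  url          = {https://www.bsidesdub.ie/past/media/2022/darren_martyn_userland_linux_rootkits.pdf},
}

@inproceedings{ldpreload_pros_2327,
  author       = {Martyn, Darren},
  title        = {The Continued Evolution of Userland {Linux} Rootkits},
  booktitle    = {{BSides} Dublin 2022},
  date         = {2022-03-13},
  pages        = {23--27},
  url          = {https://www.bsidesdub.ie/past/media/2022/darren_martyn_userland_linux_rootkits.pdf},
}

@online{jynx_github,
  author       = {{BlackHatAcademy.org}},
  title        = {Jynx-kit},
  url          = {https://github.com/chokepoint/jynxkit},
}

@online{jynx2_github,
  author       = {{BlackHatAcademy.org}},
  title        = {Jynx-kit (2)},
  url          = {https://github.com/chokepoint/Jynx2},
}

@online{azazel_github,
  title        = {Azazel},
  url          = {https://github.com/chokepoint/azazel},
}

@online{azazel_wiki,
  title        = {Azazel},
  url          = {https://web.archive.org/web/20141102234744/http://blackhatlibrary.net/Azazel#Hooking_Methods},
}

@online{ld_preload_detect,
  title        = {{Linux} Attack Techniques: Dynamic Linker Hijacking with {LD} Preload},
  organization = {Cado Security},
  date         = {2022-05-18},
  url          = {https://www.cadosecurity.com/linux-attack-techniques-dynamic-linker-hijacking-with-ld-preload/},
}

@online{suckit_rootkit,
  title        = {{SucKIT} Rootkit},
  url          = {https://github.com/CSLDepend/exploits/blob/master/Rootkit_tools/suckit2priv.tar.gz},
}

@online{suckit_lasamhna,
  title        = {{Linux} Kernel Rootkits},
  url          = {https://www.la-samhna.de/library/rootkits/basics.html#FLOW},
}

@online{dev_kmem,
  title        = {kmem(4) --- {Linux} Man Page},
  url          = {https://linux.die.net/man/4/kmem},
}

@online{dev_kmem_debian,
  title        = {mem(4)},
  organization = {Debian},
  url          = {https://manpages.debian.org/buster-backports/manpages/port.4.en.html},
}

@online{dev_kmem_off_default,
  title        = {Change {CONFIG\_DEVKMEM} Default Value to n},
  url          = {https://lore.kernel.org/all/20161007035719.GB17183@kroah.com/T/},
}

@online{diamorphine_github,
  title        = {Diamorphine},
  url          = {https://github.com/m0nad/Diamorphine},
}

@online{incibe_rootkit_lkm,
  author       = {López, Antonio},
  title        = {Malware in {Linux}: Kernel-mode Rootkits},
  date         = {2015-03-26},
  url          = {https://www.incibe-cert.es/en/blog/kernel-rootkits-en},
}

@online{reptile_github,
  title        = {Reptile},
  url          = {https://github.com/f0rb1dd3n/Reptile},
}

@online{usermode_helper_lkm,
  title        = {call\_usermodehelper, Module Loading},
  url          = {https://www.kernel.org/doc/htmldocs/kernel-api/API-call-usermodehelper.html},
}

@online{rasps,
  author       = {Badakhchani, Hussein},
  title        = {{RASP} Rings in a New {Java} Application Security Paradigm},
  date         = {2016-10-20},
  url          = {https://www.infoworld.com/article/3125515/rasp-rings-in-a-new-java-application-security-paradigm.html},
}

@online{sql_injection,
  title        = {{SQL} Injection},
  organization = {W3Schools},
  url          = {https://www.w3schools.com/sql/sql_injection.asp},
}

@online{boopkit,
  author       = {Nóva, Kris},
  title        = {Boopkit},
  url          = {https://github.com/kris-nova/boopkit},
}

@online{symbiote,
  title        = {Symbiote: A New, Nearly-Impossible-to-Detect {Linux} Threat},
  organization = {The BlackBerry Research \& Intelligence Team},
  date         = {2022-06-09},
  url          = {https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat},
}

@online{pentest_redteam,
  author       = {Hayes, Kirk},
  title        = {Penetration Test vs. Red Team Assessment: The Age Old Debate of Pirates vs. Ninjas Continues},
  date         = {2016-06-23},
  url          = {https://www.rapid7.com/blog/post/2016/06/23/penetration-testing-vs-red-teaming-the-age-old-debate-of-pirates-vs-ninja-continues/},
}

@report{nist_cyber,
  institution  = {National Institute of Standards and Technology},
  title        = {Framework for Improving Critical Infrastructure Cybersecurity},
  date         = {2018-04-16},
  url          = {https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf},
}

@online{mitre_blog,
  author       = {Strom, Blake},
  title        = {{ATT\&CK} 101},
  date         = {2018-08-21},
  url          = {https://medium.com/mitre-attack/att-ck-101-17074d3bc62},
}

@online{mitre_blog_2,
  title        = {What Is the {MITRE} {ATT\&CK} Framework?},
  organization = {Trellix},
  url          = {https://www.trellix.com/en-us/security-awareness/cybersecurity/what-is-mitre-attack-framework.html},
}

@online{mitre_matrix_linux,
  title        = {{ATT\&CK} Matrix for Enterprise},
  organization = {MITRE},
  url          = {https://attack.mitre.org/matrices/enterprise/linux/},
}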