kernel hacking draft

Author: Ceald1

content/posts/kernel_hacking.md

@@ -0,0 +1,41 @@
++++
+title = "Kernel_hacking"
+date = "2026-02-17T00:05:22-07:00"
+#dateFormat = "2006-01-02" # This value can be configured for per-post date formatting
+author = "Ceald"
+# authorTwitter = "" # do not include @
+cover = "https://media1.tenor.com/m/oZJ_94Ngnl8AAAAd/penguin-linux.gif"
+tags = ["linux", "ebpf", "lkms", "malware", "C", "programming"]
+keywords = ["linux", "kernel", "hacking", "C"]
+description = "A dive into linux kernel hacking"
+showFullContent = false
+readingTime = true
+hideComments = false
++++
+
+
+# Generic Title
+
+Let's skip introductions, everyone knows what Linux is and that it's a kernel and not an OS. Most people tend to overlook how the kernel actually works not just how to install or compile packages. This article will go over how the kernel actually functions and not a "zero to hero" post.
+
+# Building Wootkits
+
+It's the big 26 as of writing this and writing a hooked library seems a bit outdated and generic so why not live a bit on the edge and do something directly at the kernel level?
+
+## Limitations
+
+Unless you're like 80 years old or something you can't modify the system call table directly anymore for safety but that's okay it's still very nice to make scary kernel modules or eBPFs.
+
+## Hooks
+
+In Linux you can hook system calls meaning you can intercept and modify them. If you want to see how this is done it's super easy to do using kprobes. You make a generic Linux kernel module and then create a variable with the structure type `kprobe`, the variables in the structure tell kprobes where the hook sits in the execution flow, the symbol like `"__x64_sys_kill"`. Having something like `pre_handler` set to a function means that your function will sit right after the system call is made before anything else runs. You can register probes with the `register_kprobe(&my_kprobe_structure)` function and a pointer to your kprobes structure.
+
+An issue with using kprobes is you can't really interrupt the execution flow that much but mostly debug. Using ftrace accomplishes full system call hooking. Think of kprobes as read only mostly while ftrace is full read and write.
+
+Ftrace allows you to fully control the system call hook as much as possible but the issue is you're manipulating the system call or overwriting the system call and can cause issues if you don't have the proper hook set up.
+
+### eBPFs
+
+A "safe" way of hooking into system calls is by using an eBPF but you're only given read only access to kernel memory and can't change any of it. Now this isn't super bad and totally workable but it'd only be good if you just want to do something like capture PAM credentials or lock down an entire system by denying everything access to every file. These are much harder to screw up but their ecosystem isn't as mature and more DIY than kernel modules. eBPFs are great but not there yet and still very neat for a niche skill for kernel programming.
+
+BPFs are used for things like policy enforcement with projects like Kube Armor by hooking Linux Security Modules or LSMs. If a rootkit is an eBPF there almost certainly needs to be another program in the background that's sending out the data it collects because eBPFs are reactionary because they use system call hooks. BPFs have even more restrictions than just having read only access to kernel land by having memory limitations in place because they're ran in a VM inside of the kernel.

public/index.html

@@ -183,6 +183,51 @@
 
 
 
+      <article class="post on-list">
+        <h2 class="post-title">
+          <a href="//localhost:1313/posts/kernel_hacking/">Kernel_hacking</a>
+        </h2>
+
+        <div class="post-meta"><time class="post-date">2026-02-17</time><span class="post-author">Ceald</span></div>
+
+        
+          <span class="post-tags">
+            
+            #<a href="//localhost:1313/tags/linux/">linux</a>&nbsp;
+            
+            #<a href="//localhost:1313/tags/ebpf/">ebpf</a>&nbsp;
+            
+            #<a href="//localhost:1313/tags/lkms/">lkms</a>&nbsp;
+            
+            #<a href="//localhost:1313/tags/malware/">malware</a>&nbsp;
+            
+            #<a href="//localhost:1313/tags/c/">C</a>&nbsp;
+            
+            #<a href="//localhost:1313/tags/programming/">programming</a>&nbsp;
+            
+          </span>
+        
+
+        
+  <img src="https://media1.tenor.com/m/oZJ_94Ngnl8AAAAd/penguin-linux.gif"
+    class="post-cover"
+    alt="Kernel_hacking"
+    title="Cover Image" />
+
+
+        <div class="post-content">
+          
+            <p>A dive into linux kernel hacking</p>
+          
+        </div>
+
+        
+          <div>
+            <a class="read-more button inline" href="/posts/kernel_hacking/">[Read more]</a>
+          </div>
+        
+      </article>
+    
       <article class="post on-list">
         <h2 class="post-title">
           <a href="//localhost:1313/posts/bpfs/">Bpfs</a>
@@ -349,44 +394,6 @@ <h2 id="stealing-tokens-via-windows-processes">Stealing Tokens Via Windows Proce
 
       </article>
 
-      <article class="post on-list">
-        <h2 class="post-title">
-          <a href="//localhost:1313/posts/winregistrysecrets/">Win-Registry-Secrets</a>
-        </h2>
-
-        <div class="post-meta"><time class="post-date">2025-03-20</time><span class="post-author">Ceald</span></div>
-
-        
-          <span class="post-tags">
-            
-            #<a href="//localhost:1313/tags/windows/">windows</a>&nbsp;
-            
-            #<a href="//localhost:1313/tags/new/">new</a>&nbsp;
-            
-            #<a href="//localhost:1313/tags/go/">go</a>&nbsp;
-            
-          </span>
-        
-
-        
-
-
-        <div class="post-content">
-          
-            <h2 id="intro">Intro</h2>
-<p>The windows registry is a system database that contains keys and values. Some things in the registry include; Windows credentials, cached passwords, usernames, and other credentials. In windows a group of keys is called a &ldquo;hive&rdquo; the hives that are the cool ones are; SAM, System, and Security.</p>
-<h2 id="system-hive">SYSTEM Hive</h2>
-<p>The most important registry hive is the &ldquo;System&rdquo; hive, in the key: <code>CurrentControlSet\Control\Lsa</code> there are the necessary components to craft the boot key which will be used to decrypt the rest of the registry database to get things like hashes for users. Here&rsquo;s some example code from &ldquo;Go-Go-Gadget-Katz&rdquo; for getting the boot key:</p>
-          
-        </div>
-
-        
-          <div>
-            <a class="read-more button inline" href="/posts/winregistrysecrets/">[Read more]</a>
-          </div>
-        
-      </article>
-    
 
     <div class="pagination">
   <div class="pagination__buttons">

public/index.xml

@@ -6,8 +6,15 @@
     <description>Recent content on Ceald&#39;s blog</description>
     <generator>Hugo</generator>
     <language>en-us</language>
-    <lastBuildDate>Mon, 02 Feb 2026 00:25:35 -0700</lastBuildDate>
+    <lastBuildDate>Tue, 17 Feb 2026 00:05:22 -0700</lastBuildDate>
     <atom:link href="//localhost:1313/index.xml" rel="self" type="application/rss+xml" />
+    <item>
+      <title>Kernel_hacking</title>
+      <link>//localhost:1313/posts/kernel_hacking/</link>
+      <pubDate>Tue, 17 Feb 2026 00:05:22 -0700</pubDate>
+      <guid>//localhost:1313/posts/kernel_hacking/</guid>
+      <description>&lt;h1 id=&#34;generic-title&#34;&gt;Generic Title&lt;/h1&gt;&#xA;&lt;p&gt;Let&amp;rsquo;s skip introductions, everyone knows what Linux is and that it&amp;rsquo;s a kernel and not an OS. Most people tend to overlook how the kernel actually works not just how to install or compile packages. This article will go over how the kernel actually functions and not a &amp;ldquo;zero to hero&amp;rdquo; post.&lt;/p&gt;&#xA;&lt;h1 id=&#34;building-wootkits&#34;&gt;Building Wootkits&lt;/h1&gt;&#xA;&lt;p&gt;It&amp;rsquo;s the big 26 as of writing this and writing a hooked library seems a bit outdated and generic so why not live a bit on the edge and do something directly at the kernel level?&lt;/p&gt;</description>
+    </item>
     <item>
       <title>Bpfs</title>
       <link>//localhost:1313/posts/bpfs/</link>

public/sitemap.xml

@@ -2,23 +2,26 @@
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"
   xmlns:xhtml="http://www.w3.org/1999/xhtml">
   <url>
+    <loc>//localhost:1313/</loc>
+    <lastmod>2026-02-17T00:05:22-07:00</lastmod>
+  </url><url>
+    <loc>//localhost:1313/posts/kernel_hacking/</loc>
+    <lastmod>2026-02-17T00:05:22-07:00</lastmod>
+  </url><url>
+    <loc>//localhost:1313/posts/</loc>
+    <lastmod>2026-02-17T00:05:22-07:00</lastmod>
+  </url><url>
     <loc>//localhost:1313/posts/bpfs/</loc>
     <lastmod>2026-02-02T00:25:35-07:00</lastmod>
   </url><url>
     <loc>//localhost:1313/tags/c/</loc>
     <lastmod>2026-02-02T00:25:35-07:00</lastmod>
-  </url><url>
-    <loc>//localhost:1313/</loc>
-    <lastmod>2026-02-02T00:25:35-07:00</lastmod>
   </url><url>
     <loc>//localhost:1313/tags/ebpf/</loc>
     <lastmod>2026-02-02T00:25:35-07:00</lastmod>
   </url><url>
     <loc>//localhost:1313/tags/malware/</loc>
     <lastmod>2026-02-02T00:25:35-07:00</lastmod>
-  </url><url>
-    <loc>//localhost:1313/posts/</loc>
-    <lastmod>2026-02-02T00:25:35-07:00</lastmod>
   </url><url>
     <loc>//localhost:1313/tags/</loc>
     <lastmod>2026-02-02T00:25:35-07:00</lastmod>

public/tags/index.html

@@ -252,7 +252,7 @@ <h1>Tags</h1>
 
 
           <li>
-            <a class="terms-title" href="//localhost:1313/tags/new/">new [6]</a>
+            <a class="terms-title" href="//localhost:1313/tags/new/">New [6]</a>
           </li>