I was going through the code and stumbled upon the complex mechanism of intercepting TCP packets via pcap, reassembling them in the ring buffer and then searching through them.
Why is it not possible to simply take the command from the payload of the malformed TCP packet (the one with the bad checksum) that triggers the rootkit in the first place?