Learning project building versions of rootkits and rootkit detection. A daemon that writes "Hello-" every 5 seconds simulates a virus that the "rootkit" hides.
The rootkit uses ftrace to redirect the getdents64 pointer to my version, which removes the daemon's PID from /proc listings.
The first detector reads the first bytes of getdents64, looks for an injected JMP/CALL or indirect jump in the function prologue, and flags the target if it points into a loadable kernel module.
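The prologue check described above, written out as an added example (not the project's own detector code): it decodes the control transfer at a function's first bytes, resolves the target, and classifies it against constructed address ranges. The kernel-text and module ranges, the function address and the sample byte patterns are all assumptions made up for this example; a real detector would take the ranges from /proc/modules or kallsyms (or, in-kernel, core_kernel_text() and is_module_text_address()).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed address ranges, constructed for this example only. */
#define KTEXT_START 0xffffffff81000000ULL
#define KTEXT_END   0xffffffff82000000ULL
#define MOD_START   0xffffffffc0000000ULL
#define MOD_END     0xffffffffc0100000ULL

enum verdict {
    PROLOGUE_CLEAN = 0,        /* no control transfer in the first bytes */
    PROLOGUE_JUMP_KERNEL = 1,  /* jump/call present, target is core kernel text */
    PROLOGUE_JUMP_MODULE = 2   /* jump/call whose target lies inside a module */
};

static int in_range(uint64_t a, uint64_t lo, uint64_t hi) { return a >= lo && a < hi; }

/* Decode a control transfer at the start of a function, if there is one.
 * Handles: E9 rel32 (jmp), E8 rel32 (call), and 48 B8 imm64 / FF E0
 * (movabs rax, imm64; jmp rax). Returns 1 and sets *target when found. */
int decode_entry_jump(const uint8_t *code, size_t len, uint64_t func_addr, uint64_t *target)
{
    if (len >= 5 && (code[0] == 0xE9 || code[0] == 0xE8)) {
        int32_t rel;
        memcpy(&rel, code + 1, sizeof rel);        /* little-endian rel32 */
        *target = func_addr + 5 + (int64_t)rel;    /* relative to the next instruction */
        return 1;
    }
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
        code[10] == 0xFF && code[11] == 0xE0) {
        uint64_t imm;
        memcpy(&imm, code + 2, sizeof imm);        /* absolute 64-bit target */
        *target = imm;
        return 1;
    }
    return 0;
}

/* Classify the prologue: clean, jump into kernel text, or jump into a module. */
enum verdict inspect_prologue(const uint8_t *code, size_t len, uint64_t func_addr, uint64_t *target)
{
    if (!decode_entry_jump(code, len, func_addr, target))
        return PROLOGUE_CLEAN;
    if (in_range(*target, MOD_START, MOD_END))
        return PROLOGUE_JUMP_MODULE;
    return PROLOGUE_JUMP_KERNEL;
}

/* Constructed sample helper: emit "jmp rel32" to 'target' as if placed at 'func_addr'. */
void encode_jmp_rel32(uint8_t *code, uint64_t func_addr, uint64_t target)
{
    int32_t rel = (int32_t)(target - (func_addr + 5));
    code[0] = 0xE9;
    memcpy(code + 1, &rel, sizeof rel);
}

int main(void)
{
    const uint64_t func = 0xffffffff81234560ULL;   /* assumed address of getdents64 */
    uint8_t code[16] = { 0x0f, 0x1f, 0x44, 0x00, 0x00 }; /* 5-byte NOP: an untouched __fentry__ slot */
    uint64_t target = 0;

    printf("untouched prologue: verdict %d\n", inspect_prologue(code, sizeof code, func, &target));
    encode_jmp_rel32(code, func, MOD_START + 0x100);   /* constructed inline hook */
    printf("patched prologue:   verdict %d, target 0x%llx\n",
           inspect_prologue(code, sizeof code, func, &target), (unsigned long long)target);
    return 0;
}
```

One caveat worth keeping in mind: a hook installed through the ftrace framework does not leave a jump into the module at the function entry. It rewrites the __fentry__ slot to call ftrace's own trampoline in core kernel text, and the module's callback runs from there, so this check would classify it as PROLOGUE_JUMP_KERNEL at best. Comparing the entry bytes against the expected NOP or __fentry__ call, and listing ftrace's registered callbacks, covers that case.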
The second detector uses eBPF kprobes on getdents64 to capture the returned directory entries, parses numeric PIDs from the buffer, compares them to a trusted /proc PID list, and alerts when active PIDs are missing.
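The buffer parsing and comparison step of that detector, as an added example rather than the project's eBPF program: it walks a getdents64 result buffer record by record (the linux_dirent64 layout from the kernel headers), keeps only purely numeric names, and reports trusted PIDs that the listing omits. The sample directory entries and the trusted PID list are constructed here; the example assumes the trusted list is obtained from a source the hooked syscall does not control. The same walk would run in the BPF program over bytes read with bpf_probe_read_user, bounded by its capture buffer size.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>
#include <stdio.h>

/* getdents64 record layout: d_ino(8) d_off(8) d_reclen(2) d_type(1) d_name[] */
#define DIRENT_HDR 19   /* offsetof(struct linux_dirent64, d_name) */

/* Constructed sample helper: append one record, 8-byte aligned like the kernel does. */
size_t append_dirent(uint8_t *buf, size_t cap, size_t off, uint64_t ino, const char *name)
{
    size_t namelen = strlen(name);
    size_t reclen = (DIRENT_HDR + namelen + 1 + 7) & ~(size_t)7;
    uint16_t rl = (uint16_t)reclen;
    if (off + reclen > cap)
        return off;                      /* buffer full: record not written */
    memset(buf + off, 0, reclen);
    memcpy(buf + off, &ino, sizeof ino);
    memcpy(buf + off + 16, &rl, sizeof rl);
    buf[off + 18] = 4;                   /* DT_DIR, as /proc/<pid> entries are */
    memcpy(buf + off + DIRENT_HDR, name, namelen + 1);
    return off + reclen;
}

static int is_numeric(const char *s)
{
    if (!*s) return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s)) return 0;
    return 1;
}

/* Walk the buffer and collect numeric entry names as PIDs.
 * Stops at the first malformed record (zero/short reclen, overrun, unterminated name). */
size_t extract_pids(const uint8_t *buf, size_t len, int *pids, size_t max)
{
    size_t off = 0, n = 0;
    while (off + DIRENT_HDR < len) {
        uint16_t reclen;
        memcpy(&reclen, buf + off + 16, sizeof reclen);
        if (reclen < DIRENT_HDR + 1 || off + reclen > len)
            break;
        const char *name = (const char *)buf + off + DIRENT_HDR;
        if (memchr(name, 0, reclen - DIRENT_HDR) == NULL)
            break;
        if (is_numeric(name) && n < max)
            pids[n++] = atoi(name);
        off += reclen;
    }
    return n;
}

/* Every trusted PID absent from 'seen' is a candidate hidden process. */
size_t find_missing(const int *seen, size_t nseen, const int *trusted, size_t ntrusted,
                    int *missing, size_t max)
{
    size_t m = 0;
    for (size_t i = 0; i < ntrusted; i++) {
        int found = 0;
        for (size_t j = 0; j < nseen && !found; j++)
            found = (seen[j] == trusted[i]);
        if (!found && m < max)
            missing[m++] = trusted[i];
    }
    return m;
}

int main(void)
{
    /* Constructed /proc listing: the entry for PID 4242 is deliberately absent. */
    const char *names[] = { ".", "..", "1", "42", "1337", "self", "cpuinfo" };
    uint8_t buf[512];
    size_t off = 0;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        off = append_dirent(buf, sizeof buf, off, 100 + i, names[i]);

    int pids[16], missing[16];
    size_t n = extract_pids(buf, off, pids, 16);
    int trusted[] = { 1, 42, 1337, 4242 };      /* constructed trusted list */
    size_t m = find_missing(pids, n, trusted, 4, missing, 16);
    for (size_t i = 0; i < m; i++)
        printf("ALERT: PID %d active but missing from /proc listing\n", missing[i]);
    return 0;
}
```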