Linux Rootkits

Understanding Linux rootkits to detect them better.

What if the danger did not come from malware hidden deep inside the system, but from a perfectly legitimate Linux mechanism?

A binary that lies. A shell that logs activity silently. An editor that reacts when opening a simple text file. A runtime that loads code before the application even starts.

This is the starting point of Linux Rootkits - Userland Foundations.

A book written for defenders

This first volume explores the mechanisms that allow code to execute where you do not expect it.

LD_PRELOAD, LD_AUDIT, sitecustomize.py, NODE_OPTIONS, Vim autocmd, Bash completion, inputrc, and Zsh hooks: each chapter starts from a concrete anomaly, follows the trail, shows the code, then explains how to detect and neutralize the technique.

This book is for SOC analysts, blue teamers, system administrators, SREs, DevOps engineers, cybersecurity students, and Linux-curious technical readers.

You will not only learn to ask which process is running. You will also learn to ask who was allowed to execute before it.

Inside Volume 1

• Dynamic loading with LD_PRELOAD, /etc/ld.so.preload, and LD_AUDIT
• Invisible entry points in Python and Node.js
• Interactive shell mechanisms: DEBUG trap, PROMPT_COMMAND, PATH, function shadowing, programmable completion, Readline, and Zsh
• Vim hooks triggered by opening a simple file
• Polymorphic Bash and the limits of textual signatures

A progression by investigation

Each chapter follows a concrete method: observe the anomaly, inspect the traces, read the code, run a mini-lab, then switch to the defender's side.

The commands are explained, expected outputs are shown, diagrams clarify the execution path, and common mistakes are addressed directly.

Autonomous and isolated labs

The book is self-contained. No repository to clone. No custom Docker image. No external file required.

The mini-labs run inside a disposable ubuntu:24.04 Docker container, with harmless, visible code designed for learning.

What this book is not

This is not an attack manual. It is a manual for auditing, detection, and neutralization.

The goal is not to learn how to hide a rootkit. The goal is to understand why it works, where it hooks, what traces it leaves, and how to take it down.

Usage framework

All manipulations must remain inside a disposable Docker container.