I was wondering the other day if you could use something like this for good. For example, you could create something like FUSE that creates virtual file systems entirely in userspace - useful if your admin won't install additional kernel modules, or if you are on WSL (Windows Subsystem for Linux). This rootkit seems to be systemwide (requiring root) though?

I read somewhere that it is probably impossible to redirect everything via LD_PRELOAD, because with GCC + glib many system calls get inlined, and there is no place to hook into. You just have ASM syscalls in your executable that AFAIK you cannot redirect easily. I wonder how they did it.

Of course my thoughts quickly turned to the pranks you could play (with a purely non-root rootkit)... put an `export LD_PRELOAD=...` in someone's `.profile`, and make the rootkit hide itself and that line when someone tries to view `.profile` :-)
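
A defender-side check for the `.profile` persistence described in the comment above, as an added example that is not part of the original comment: it lists `LD_PRELOAD` assignments in shell startup files and any entries in the system-wide `/etc/ld.so.preload`. The function names, the `--scan` flag and the default file list are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original comment): audit LD_PRELOAD persistence.

# find_preload_lines FILE...
# Prints "file:lineno:text" for each non-comment line that assigns LD_PRELOAD,
# covering "export LD_PRELOAD=...", bare "LD_PRELOAD=..." and "env LD_PRELOAD=... cmd".
find_preload_lines() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ { next }                    # skip whole-line comments
            /(^|[^A-Za-z0-9_])LD_PRELOAD=/ {       # exact variable name only
                printf "%s:%d:%s\n", file, NR, $0
            }
        ' "$f"
    done
}

# count_preload_lines FILE... -> number of matching lines
count_preload_lines() {
    find_preload_lines "$@" | wc -l | tr -d ' '
}

# preload_file_entries FILE -> non-blank lines of a system-wide preload list
# (normally /etc/ld.so.preload, which only root can write)
preload_file_entries() {
    [ -f "$1" ] || return 0
    awk 'NF' "$1"
}

# Assumed default targets; extend for other shells or login managers.
if [ "${1:-}" = "--scan" ]; then
    find_preload_lines "$HOME/.profile" "$HOME/.bash_profile" \
        "$HOME/.bashrc" "$HOME/.zshrc" /etc/profile
    preload_file_entries /etc/ld.so.preload
fi
```

Only the dynamic loader honours `LD_PRELOAD`, so running this from a statically linked shell (for example a static busybox) keeps a preloaded library from filtering what the check reads.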