I found the suterusu rootkit to be feature-full and very well written. It covers all sorts of things a rootkit would do:
https://github.com/mncoppola/suterusu
Here's the function used to find the syscall table address in x86-64 [1] from the suterusu rootkit. The code base also includes find functions for x86 [2], amd64 [3], and ARM [4].
I looked into doing this a while ago and came across something that you can't change the syscall table without recompiling the kernel to allow it. I didn't realize a workaround was so trivial.
>I will not be explaining too much in detail about the code sections as I have left comments that should help. By doing this it encourages the reader to research more and learn more.
I find it so weird to talk about the reader like I am not the reader.
Per your comment, I wrote a Chrome extension that creates links to other HN submissions pointing to the same URL. Hovering over the links provides additional details.
This provides similar functionality as the 'past' link in a submission's subtitle, but shows the duplicates automatically.
>> We've adjusted the dupe detector to reject fewer URLs. If a story hasn't had significant attention in about the last year, reposts are ok. That's been the policy for a while, but we've brought the software closer to it. It will still reject reposts for a few hours, though, to avoid stampedes. Allowing reposts is a way of giving high-quality stories multiple chances at making the front page. Please do this tastefully and don't overdo it.
>> When reposting, please don't delete the earlier post. Deletion is for things that shouldn't have been posted in the first place, such as if you regret having said something publicly.
>> When a story is a duplicate—that is, has had significant attention on HN in the last year or so—it's helpful to post a comment linking to the previous major thread, so users and/or moderators can flag the dupe. In addition, when a URL isn't the best source for a given story, it's helpful to post a better URL in the thread. We often see those and change the posts to use them.
> jsnell's correct, and I'll add that reposts are ok on HN if an article hasn't had significant attention yet. 23 points and no comments (which a previous submission had) would normally count as significant attention, but we sometimes relax the criteria when an article is substantive and seems likely to interest the community.
> When we put stories in the second-chance pool (described at https://news.ycombinator.com/item?id=11662380 and earlier posts linked from there), we try to pick the original submission as the one that reaps the benefit.
The guidelines ask that these types of questions are sent to them rather than posted in threads. But I feel guilty about saying (no matter how politely) "email the mods". It feels like I'm dumping work on them.
I think the point is that the timeout is not a fixed value but more of an algorithm. No traction, shorter timeout. Other factors probably come into play. HN works in mysterious ways.
I never wrote kernel code before, but within 24 hours I was able to write a 'whitekit' that installs and hides as a rootkit and reports on sneaky behavior in dmesg:
https://github.com/matthewaveryusa/whitekit/
Fun stuff!