gus_ 2 hours ago
ss obtains the connection information via netlink directly from the kernel (besides parsing /proc): https://manpages.debian.org/bookworm/manpages/sock_diag.7.en... https://github.com/vishvananda/netlink/blob/main/inet_diag.g... Not many rootkits tamper with the netlink channel, so in most cases it's a bit more reliable.
jcgl an hour ago
Okay yeah, sure. So it's not intrinsically more reliable or anything, it's just not specifically vulnerable to LD_PRELOAD. And it's not clear to me why LD_PRELOAD would be a particularly interesting attack vector, but maybe that's just my ignorance.
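The cross-check the comments above imply, as an added example that is not from any commenter or from ss itself: parse the IPv4 TCP table in /proc/net/tcp format and a sock_diag netlink dump, then report sockets present in the kernel's netlink answer but missing from the /proc view. The function names and sample data are constructed for illustration, and a little-endian host is assumed for the /proc address encoding.

```python
import socket, struct

NLMSG_ERROR, NLMSG_DONE, SOCK_DIAG_BY_FAMILY = 2, 3, 20
NLHDR = struct.Struct("=IHHII")          # struct nlmsghdr: len, type, flags, seq, pid
DIAG = struct.Struct("!4xHH4s12x4s12x")  # start of inet_diag_msg: ports, IPv4 src/dst

def parse_proc_net_tcp(text):
    """Connections as a reader of /proc/net/tcp sees them (little-endian host)."""
    conns = set()
    for line in text.splitlines()[1:]:   # first line is the column header
        f = line.split()
        if len(f) >= 3:
            ends = []
            for field in f[1:3]:         # local_address, rem_address
                ip, port = field.split(":")
                ends += [socket.inet_ntoa(struct.pack("<I", int(ip, 16))), int(port, 16)]
            conns.add(tuple(ends))
    return conns

def parse_inet_diag(buf):
    """Connections from a sock_diag dump: one nlmsghdr + inet_diag_msg per socket."""
    conns, off = set(), 0
    while off + NLHDR.size <= len(buf):
        length, mtype, _, _, _ = NLHDR.unpack_from(buf, off)
        if mtype in (NLMSG_DONE, NLMSG_ERROR) or length < NLHDR.size:
            break
        if mtype == SOCK_DIAG_BY_FAMILY:
            sport, dport, src, dst = DIAG.unpack_from(buf, off + NLHDR.size)
            conns.add((socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport))
        off += (length + 3) & ~3         # NLMSG_ALIGN
    return conns

def hidden_from_proc(proc_text, diag_buf):
    """Sockets the kernel reports over netlink that the /proc view omits."""
    return parse_inet_diag(diag_buf) - parse_proc_net_tcp(proc_text)

def _msg(src, sport, dst, dport):
    # Build one constructed reply message (72-byte inet_diag_msg, state ESTABLISHED).
    body = struct.pack("!BBBBHH4s12x4s12x", socket.AF_INET, 1, 0, 0, sport, dport,
                       socket.inet_aton(src), socket.inet_aton(dst)) + bytes(32)
    return NLHDR.pack(NLHDR.size + len(body), SOCK_DIAG_BY_FAMILY, 2, 1, 0) + body

# Constructed sample data: the /proc text (columns trimmed) lacks one socket.
SAMPLE_PROC = ("  sl  local_address rem_address   st\n"
               "   0: 0500000A:0016 0900000A:C738 01\n")
SAMPLE_DIAG = (_msg("10.0.0.5", 22, "10.0.0.9", 51000)
               + _msg("10.0.0.5", 40000, "203.0.113.7", 443)
               + NLHDR.pack(20, NLMSG_DONE, 2, 1, 0) + bytes(4))
```

On a live host the two views are read at slightly different times, so short-lived connections can show up as differences; a kernel-level rootkit that also filters netlink replies would not be caught by this comparison.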