Statically linked tools

• Ubuntu includes busybox-static which can be copied from /bin/ls. Running busybox sh gives a shell.

• statically linked binaries (tcpdump, etc.) - yunchin and here - andrew-d

• statically linked vim

• statically linked curl

• statically linked kafkacat and kafkacat here - may also look into kafcat which is a rust implementation.

• statically linked python27, nmap, ncat

Internals

• Dynamic linking implementation

• iptables tutorial -- very long

• Darch development environments based on docker images

• Linux kernel insides or here

• Linux Kernel Teaching

• futex

• The EFI boot process

• Implement an OS over KVM

• LVM

Monitoring network traffic

strace -p $PID -f -e trace=network -s 10000

Or create a whole separate network for the process

(A C implementation is here and another option is Tracedump)

• Create test network

  ip netns add test

• Create a pair of virtual network interfaces veth-a and veth-b

  ip link add veth-a type veth peer name veth-b

• Change active namespace of veth-a interface

  ip link set veth-a netns test

• Configure the IP address of the virtual interfaces

  ip netns exec test ifconfig veth-a up 192.168.163.1 netmask 255.255.255.0 ifconfig veth-b up 192.168.163.254 netmask 255.255.255.0

• configure the routing in the test namespace:

  ip netns exec test route add default gw 192.168.163.254 dev veth-a

• activate ip_forward and establish a NAT rule to forward the traffic coming in from the namespace you created (you have to adjust the network interface and SNAT ip address):

  echo 1 > /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -s 192.168.163.0/24 -o <your internet interface, e.g. eth0> -j SNAT --to-source

  (You can also use the MASQUERADE rule if you prefer) finally, you can run the process you want to analyze in the new namespace, and wireshark too:

  ip netns exec test thebinarytotest ip netns exec test wireshark

  You'll have to monitor the veth-a interface.

Enable USB for all users

sudo chmod -R a+w /dev/bus/usb/

• How to create UDEV rules for USB devices. Added the following to /etc/udev/rules.d/51-android.rules in order to support Tensera's Nexus 5x:

  adb rules for Tensera's Nexus5x

  SUBSYSTEM=="usb", ATTR{idVendor}=="18d1", ATTR{idProduct}=="4ee7", MODE="0600", OWNER="nimrody"

Performance monitoring

• perf tools

• eBPF tools

• ebpftrace

• Sysdig - the art of writing ebpf programs

• LWN article about ebpf

• Ply for tracing instead of writing ebpf

Supervisor tools

• runit rpm build and here

• s6 rpm build and here

Useful Linux software

• Ranger terminal file manager

• Show which process is using the port: sudo netstat -tupln

• Linux insides book

• Show list of "zombie" files (opened but not linked to any directory. will be removed when the process exists)

  lsof -a +L1 /dev/dir |grep deleted

• reredirect - can be used to redirect the output and stderr of a running process (https://github.com/jerome-pouiller/reredirect/)

  ../temp/reredirect -N -m nohup.out 21205

  The -N switch means do not keep the previous file descriptors alive (otherwise keeps old files open) The -m means point both stderr and stdout to this file

• SSH

• SystemD

• How to make a rootkit and here and here

• BPF

• Stefan Hajnoczi - Kernel development using QEMU

Applications

• flameshot - screenshot capture and edit