\contentsline {figure}{\numberline {2.1}{\ignorespaces Functionality of classic BPF. Based on the figure in the original paper \cite {bpf_bsd_origin_bpf_page2}.\relax }}{6}{figure.caption.7}%
\contentsline {figure}{\numberline {2.4}{\ignorespaces BPF address modes, as shown by McCanne and Jacobson \cite {bpf_bsd_origin_bpf_page8}\relax }}{9}{figure.caption.11}%
\contentsline {figure}{\numberline {2.5}{\ignorespaces BPF bytecode that tcpdump installs as a filter to display packets directed to port 80.\relax }}{10}{figure.caption.12}%
\contentsline {figure}{\numberline {2.6}{\ignorespaces Shortest path in the CFG described in the example of Figure~\ref {fig:bpf_tcpdump_example} that a packet needs to follow to be accepted by the BPF filter set by \textit {tcpdump}.\relax }}{11}{figure.caption.13}%
\contentsline {figure}{\numberline {2.7}{\ignorespaces eBPF architecture in the Linux kernel and the process of loading an eBPF program. Based on \cite {brendan_gregg_bpf_book} and \cite {ebpf_io_arch}.\relax }}{12}{figure.caption.15}%
\contentsline {figure}{\numberline {2.8}{\ignorespaces Integration of XDP and TC in the network processing module of the Linux kernel.\relax }}{19}{figure.caption.23}%
\contentsline {figure}{\numberline {2.9}{\ignorespaces Compilation and loading process of a program developed with libbpf.\relax }}{25}{figure.caption.28}%
\contentsline {figure}{\numberline {2.12}{\ignorespaces Minor page fault after a fork() in which the page table was not copied completely.\relax }}{30}{figure.caption.35}%
\contentsline {figure}{\numberline {2.13}{\ignorespaces Virtual memory architecture of a process \cite {mem_arch_proc}.\relax }}{30}{figure.caption.36}%
\contentsline {figure}{\numberline {2.16}{\ignorespaces Stack representation right before starting the function call process.\relax }}{33}{figure.caption.40}%
\contentsline {figure}{\numberline {2.26}{\ignorespaces Inspecting the address stored in the GOT section before dynamic linking, as seen from gdb-peda.\relax }}{47}{figure.caption.53}%
\contentsline {figure}{\numberline {2.27}{\ignorespaces Inspecting the address stored in the GOT section after dynamic linking, as seen from gdb-peda.\relax }}{47}{figure.caption.54}%
\contentsline {figure}{\numberline {2.28}{\ignorespaces Glibc function to which the PLT jumps using the address stored in the GOT, as seen from gdb-peda.\relax }}{48}{figure.caption.55}%
\contentsline {figure}{\numberline {4.1}{\ignorespaces Overview of the rootkit subsystems and components.\relax }}{67}{figure.caption.62}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {4.2}{\ignorespaces Rootkit programs and scripts.\relax }}{69}{figure.caption.63}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {4.3}{\ignorespaces Initial setup for the ROP with eBPF technique.\relax }}{71}{figure.caption.64}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {4.4}{\ignorespaces Process memory after the syscall exits and the ROP code has overwritten the stack.\relax }}{72}{figure.caption.65}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {4.5}{\ignorespaces Stack data is restored and the program continues its execution.\relax }}{73}{figure.caption.66}%
\defcounter {refsection}{0}\relax
\contentsline {figure}{\numberline {4.6}{\ignorespaces Two runs of the same executable with ASLR enabled, showing a library and two symbols.\relax }}{74}{figure.caption.67}%
\contentsline {figure}{\numberline {4.7}{\ignorespaces Overview of the jump and return instructions from the program's instructions down to the syscall in the kernel.\relax }}{76}{figure.caption.68}%