by wulczer 4954 days ago
CrowdStrike says that it hooks vfs_read and if the data read contains the line it injects into /etc/rc.local, it is removed from the read buffer.

This means you could just read the file byte-by-byte (I guess running dd a couple of times would work), though I haven't tried myself.
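The comparison suggested in the comment above, written as a cross-view check; this is an added example, not part of the original comment, and it has not been run against the rootkit. It assumes the hook only filters a read buffer that contains the whole injected line; the function names are hypothetical.

```python
import hashlib
import os
import sys


def read_view(path, chunk):
    """Return the file's bytes using read() calls of at most `chunk` bytes."""
    fd = os.open(path, os.O_RDONLY)  # raw fd, so no userspace buffering
    try:
        parts = []
        while True:
            buf = os.read(fd, chunk)
            if not buf:
                return b"".join(parts)
            parts.append(buf)
    finally:
        os.close(fd)


def hidden_lines(whole, bytewise):
    """Lines present in the byte-by-byte view but absent from the large-read view."""
    seen = set(whole.splitlines())
    return [ln for ln in bytewise.splitlines() if ln not in seen]


def cross_view(path):
    whole = read_view(path, 1 << 20)  # one large buffer: the case a read hook can filter
    bytewise = read_view(path, 1)     # one byte per read(): no buffer holds a full line
    return {
        "match": whole == bytewise,
        "sha256_whole": hashlib.sha256(whole).hexdigest(),
        "sha256_bytewise": hashlib.sha256(bytewise).hexdigest(),
        "hidden": hidden_lines(whole, bytewise),
    }


if __name__ == "__main__":
    # Default target is the file named in the comment; pass another path to override.
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/rc.local"
    result = cross_view(target)
    print(result)
    sys.exit(0 if result["match"] else 1)
```

Run it on the live system, since the hook exists only in the running kernel; a mismatch is an indicator to follow up with offline inspection of the disk, and a match does not prove the system is clean.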