krisnova/boopkit

Why get the command for RCE via pcap instead of taking it from the payload of the TCP packet with malformed checksum?

AITleo opened this issue · 0 comments

I was going through the code and stumbled over the complex mechanism of intercepting TCP packets via pcap, reassembling them in the ring buffer and then searching through them.

Why is it not possible to simply take the command from the payload of the malformed TCP packet (the one with the bad checksum) that triggers the rootkit in the first place?