Feature request: Add an option to disable/remove the ftrace hook at launch

[mnrkbys]

Modern LKM rootkits use ftrace to hook syscalls.
Therefore, disabling ftrace early after UAC starts can be effective for collecting more accurate artifacts.
This can be done as follows:

echo 0 > /proc/sys/kernel/ftrace_enabled

or

sysctl kernel.ftrace_enabled=0

However, I have not been able to determine to what extent this might affect EDRs or other security features.
I believe it would be beneficial for UAC. What do you think?

reference: https://tmpout.sh/4/10.html

[tclahr]

An option would be creating a modifier artifact (https://tclahr.github.io/uac-docs/#modifiers) executed only when --enable-modifiers is used in the command line. What do you think?

Take a look at this one -> https://github.com/tclahr/uac/blob/main/artifacts/live_response/modifiers/revel_hidden_processes.yaml

[mnrkbys]

Ah, I had forgotten about that feature.
So, I'll try adding a new artifact to disable ftrace.

[tclahr]

Merged in PR #353