FlipSwitch: a Novel Syscall Hooking Technique
ID: ec4c2546-aad8-57ad-9485-a1714f7521ef
STIX ID: report--ec4c2546-aad8-57ad-9485-a1714f7521ef
Feed Name: Elastic Security Labs
FlipSwitch is a technical proof-of-concept rootkit technique that defeats Linux kernel 6.9's switch-based syscall dispatcher by locating the compiled call instruction to a target syscall (using sys_call_table/kallsyms via kprobes), disabling CR0 write protection, and patching the call's relative offset to redirect execution to attacker-controlled code; the report includes example kernel code and a YARA rule for detecting the PoC.
