Hiding an Open TCP-based Port

Because no book about rootkits is complete without a discussion of how to hide an open TCP-based port, which indirectly hides an established TCP-based connection, I'll show an example here using DKOM. First, though, we need some background information on Internet protocol data structures.

The inpcb Structure

For each TCP- or UDP-based socket, an inpcb structure, which is known as an Internet protocol control block, is created to hold internetworking data such as network addresses, port numbers, routing information, and so on (McKusick and Neville-Neil, 2004). This structure is defined in the <netinet/in_pcb.h> header. The following list describes the fields in struct inpcb that you'll need to understand in order to ...