Chapter 6. PUTTING IT ALL TOGETHER

We'll now use the techniques from the previous chapters to write a complete example rootkit—albeit a trivial one—to bypass Host-based Intrusion Detection Systems (HIDSes).

What HIDSes Do

In general, an HIDS is designed to monitor, detect, and log the modifications to the files on a filesystem. That is, it is designed to detect file tampering and trojaned binaries. For every file, an HIDS creates a cryptographic hash of the file data and records it in a database; any change to a file results in a different hash being generated. Whenever an HIDS audits a filesystem, it compares the current hash of every file with its counterpart in the database; if the two differ, the file is flagged.
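The hash-and-compare cycle described above, as an added example that is not part of the book's text: a minimal file-integrity checker that builds a baseline database of SHA-256 digests for every regular file under a directory and then audits the directory against that baseline, reporting files whose content changed, files that appeared, and files that vanished. The sample tree and its contents are constructed for the demo; the function names are this example's own.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the hex SHA-256 digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Walk `root` and map each regular file (relative path) to its digest.

    Symlinks are skipped so a link cannot stand in for the file it points at.
    """
    baseline: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[str(p.relative_to(root))] = hash_file(p)
    return baseline


def audit(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Re-hash `root` and diff the result against a stored baseline."""
    current = build_baseline(root)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "missing": missing}


def demo() -> dict[str, list[str]]:
    """Build a constructed tree, take a baseline, tamper with it, and audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        # Constructed stand-ins for a binary and a config file.
        (root / "bin" / "ls").write_bytes(b"original ls (constructed)")
        (root / "etc" / "passwd").write_bytes(b"root:*:0:0::0:0:Charlie &:/root:/bin/csh\n")

        baseline = build_baseline(root)  # the HIDS database

        # Simulated tampering between audits: one file changed,
        # one removed, one new file dropped in.
        (root / "bin" / "ls").write_bytes(b"replaced ls (constructed)")
        (root / "etc" / "passwd").unlink()
        (root / "bin" / "extra").write_bytes(b"new file (constructed)")

        return audit(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Two things a practitioner would want to keep in mind with such a checker: the baseline must itself be stored where the monitored host cannot rewrite it (read-only media or another machine), and the digests are only as trustworthy as the kernel that serves the reads, since the checker sees file contents through the same system calls the chapter's rootkit hooks.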

In principle this is a good idea, ...
