Bypassing HIDSes

The problem with HIDS software is that it trusts and uses the operating system's APIs. By abusing this trust (e.g., hooking these APIs) you can bypass any HIDS.

Note

It's somewhat ironic that software designed to detect a root level compromise (e.g., the tampering of system binaries) would trust the underlying operating system.

The question now is, "Which calls do I hook?" The answer depends on what you wish to accomplish. Consider the following scenario. You have a FreeBSD machine with the binary shown in Listing 6-1 installed in /sbin/.

#include <stdio.h>

int main(int argc, char *argv[])
{
        printf("May the force be with you.\n");
        return(0);
}

Listing 6-1: hello.c

You want to replace that binary with a Trojan version—which simply ...
