Preventing Access, Modification, and Change Time Updates

Because the access and modification times on a file can be set, you can "prevent" them from updating by just rolling them back. Listing 6-6 demonstrates how:

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/stat.h>

int
main(int argc, char *argv[])
{
	struct stat sb;
	struct timeval time[2];

	/* ❶ Record the current access and modification times of /sbin. */
	if (stat("/sbin", &sb) < 0) {
		fprintf(stderr, "STAT ERROR: %d\n", errno);
		exit(-1);
	}

	/* ❷ Save them; tv_usec must be initialised or utimes() may fail with EINVAL. */
	time[0].tv_sec = sb.st_atime;
	time[0].tv_usec = 0;
	time[1].tv_sec = sb.st_mtime;
	time[1].tv_usec = 0;

	/*
	 * Do something to /sbin/.
	 */

	/* ❸ Roll the access and modification times back to the saved values. */
	if (utimes("/sbin", time) < 0) {
		fprintf(stderr, "UTIMES ERROR: %d\n", errno);
		exit(-1);
	}

	exit(0);
}

Listing 6-6: rollback.c

The preceding code first ❶ calls ...
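A point a forensic examiner would add: utimes(2) can rewrite st_atime and st_mtime, but st_ctime (the inode change time) is stamped by the kernel and cannot be set from user space, so the rollback itself leaves ctime newer than the times it restored. The following check is an added example, not code from the book; it builds a scratch file under /tmp (a constructed path), rolls its times back one day as rollback.c does, and shows that a ctime-versus-mtime/atime comparison catches it.

```c
/* ctime_check.c: detect atime/mtime rollback via the kernel-controlled ctime. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if the inode looks rolled back: ctime is more than `slack` seconds
 * newer than both atime and mtime. chmod(2)/chown(2) also bump ctime alone,
 * so treat a hit as a lead to investigate, not as proof of tampering. */
int
timestamps_look_rolled_back(const struct stat *sb, time_t slack)
{
	return sb->st_ctime - sb->st_mtime > slack &&
	    sb->st_ctime - sb->st_atime > slack;
}

/* Creates a scratch file, rolls its atime/mtime back 24h, and runs the check.
 * Returns 1 if the rollback is detected, 0 if not, -1 on error. */
int
demo_rollback_detection(void)
{
	char path[] = "/tmp/ctime_check_XXXXXX";	/* constructed scratch path */
	struct stat before, after;
	struct timeval tv[2];
	int fd, rc = -1;

	if ((fd = mkstemp(path)) < 0)
		return -1;
	if (write(fd, "x", 1) != 1 || fstat(fd, &before) < 0)
		goto out;
	/* Same technique as rollback.c; tv_usec must be set or utimes() may EINVAL. */
	tv[0].tv_sec = before.st_atime - 86400; tv[0].tv_usec = 0;
	tv[1].tv_sec = before.st_mtime - 86400; tv[1].tv_usec = 0;
	if (utimes(path, tv) < 0 || stat(path, &after) < 0)
		goto out;
	/* utimes() itself refreshed ctime to "now"; atime/mtime now read a day old. */
	rc = timestamps_look_rolled_back(&after, 60);
out:
	close(fd);
	unlink(path);
	return rc;
}

int
main(void)
{
	int r = demo_rollback_detection();
	if (r < 0) { perror("demo_rollback_detection"); return 1; }
	printf("timestamp rollback %s\n", r ? "detected" : "not detected");
	return 0;
}
```

Run over a directory tree, the same comparison flags candidates for closer inspection; ctime is not the only clue (file-system journals and backups keep independent copies of the times), but it is the one the rollback cannot erase from user space.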
