I presented this material to a group of RPISEC members on August 30, 2008. It generated some lively discussion as to where the material could be expanded. In particular, the following points were made:
- Expanding 'udp_hook' to potentially cover all protocols by hooking IP. It was mentioned that poor firewall rule-sets could be bypassed by looking for non-standard packets.
- Modifying 'process' to perform more complete hiding of processes, primarily by disconnecting all associations with parents or children.
- Check whether the techniques in 'process' interfere with signals in any way.
- Hooking the syscall trapping itself to hide hooked syscalls.
I'm presenting this material with the hope of furthering discussion on this topic, and I hope that those who were unable to attend the meeting find it useful as well.
Here are samples and slides:
Please look at the slides for information about references I used.
Leave messages in the comments if you have any ideas for improvement, or any interesting comments.
As for licenses, the code is BSD, and the slides are Creative Commons By-SA.
Update 9-16-08: I changed the licenses to permit a little more freedom to share (if you do anything interesting with it, please let me know).