
This article describes a possible method for launching an application without leaving a trace on the system.

It is an interesting technical task. The application must not exist on the hard drive. An external drive is not a good answer either. That leaves memory, but the application will not appear there by itself. Copying it in by hand is possible but not at all convenient, so the process can be automated, at the cost of a slight increase in the risk of detection.

So here is the plan: we have a region of memory mounted as tmpfs. If the flash card is inserted at boot, its contents are copied into that memory; afterwards the card can be removed.

Now for the implementation. We take Kubuntu 7.10 as the example, so everything given here applies mostly to that distribution.

Let's start by creating the tmpfs mount. Create a new directory /etc/hack and add the following line to /etc/fstab:

none /etc/hack tmpfs defaults,size=10m 0 0

Here we make a 10 MB partition; in a real situation the size depends on the particular task.

Now let's create a script /etc/hack.sh with the following content:

#!/bin/sh

# Device node of our flash card. Note that /dev/sdX names depend on probe
# order; /dev/disk/by-label/<LABEL> or /dev/disk/by-uuid/<UUID> is more reliable.
DRIVENAME="/dev/sdb1"

# Staging mount point for the card
MNT="/tmp/hack"

# If the node exists (the card is inserted)
if [ -e "$DRIVENAME" ]; then

    # mount the card read-only; we only copy from it
    mkdir -p "$MNT"
    if mount -o ro "$DRIVENAME" "$MNT"; then

        # copy its contents into the tmpfs mount. "/." also copies dotfiles
        # and does not fail on an empty card the way "/*" would; no -v, since
        # verbose output would print the file names on the console/boot log
        cp -R "$MNT/." /etc/hack/

        # unmount the card and remove the staging directory
        umount "$MNT"
        rmdir "$MNT"

        # give the user who will run the program ownership of the copy
        chown -R user /etc/hack
    fi
fi

Then we need to add a call to our script to /etc/rc.local:

sh /etc/hack.sh

That's it. For the user's convenience it is nice to have a launcher on the desktop. We use a little trick here: the launcher points at a wrapper script that runs our application if it is present in memory and launches something else otherwise.

An example of such a script:

#!/bin/sh

# Run the program from the tmpfs mount if it was copied there at boot
# (-x: exists and is executable); otherwise open the browser so the
# launcher still does something plausible.
if [ -x /etc/hack/app.bin ]; then
    exec /etc/hack/app.bin
else
    exec konqueror http://google.com
fi

If the application is absent, the browser is launched instead, showing the Google start page.

Now if you boot the PC without the flash card, the tmpfs mount is simply empty and nothing out of the ordinary is found on disk. Be precise about what this does and does not hide, though. The fstab entry, the rc.local line, both scripts and the desktop launcher are still on disk, so the fact that something is run from memory is visible, even if the particular application is not. The kernel also logs the USB device attaching at boot (dmesg, /var/log/kern.log), and, most importantly, tmpfs pages are swappable: under memory pressure the application can be written to the swap partition unless swap is disabled or encrypted.
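The two conditions the technique depends on are that /etc/hack really is a tmpfs mount and that there is no swap area for its pages to be written to. The following script checks both. It is an added example and not part of the original article; it reads the kernel's mount table (/proc/mounts) and swap table (/proc/swaps), with the file paths as parameters so the same functions run against the constructed sample tables embedded here and, with --live, against the real system.

```shell
#!/bin/sh
# Added example, not from the original article: check whether the tmpfs
# setup described above actually keeps the application off disk. Reads
# /proc/mounts and /proc/swaps; the paths are parameters so the functions
# can be run against constructed sample files as well as the live system.

# mount_is_tmpfs MOUNTS_FILE MOUNTPOINT
# A /proc/mounts line looks like: "none /etc/hack tmpfs rw,size=10240k 0 0"
# (device, mount point, fstype, options, dump, pass). Succeeds when
# MOUNTPOINT is mounted and its filesystem type is tmpfs.
mount_is_tmpfs() {
    awk -v mp="$2" '$2 == mp && $3 == "tmpfs" { found = 1 } END { exit !found }' "$1"
}

# mount_opts MOUNTS_FILE MOUNTPOINT
# Prints the mount options of MOUNTPOINT (nothing if it is not mounted).
mount_opts() {
    awk -v mp="$2" '$2 == mp { print $4 }' "$1"
}

# swap_active SWAPS_FILE
# /proc/swaps has a header line and then one line per active swap area.
# Succeeds when at least one swap area is active.
swap_active() {
    awk 'NR > 1 { n++ } END { exit !n }' "$1"
}

# check_setup MOUNTS_FILE SWAPS_FILE MOUNTPOINT
# Reports both conditions and returns 0 only when both hold: the directory
# really is tmpfs, and no swap exists that tmpfs pages could be written to.
check_setup() {
    rc=0
    if mount_is_tmpfs "$1" "$3"; then
        echo "ok:   $3 is tmpfs ($(mount_opts "$1" "$3"))"
    else
        echo "FAIL: $3 is not a tmpfs mount, files placed there live on disk"
        rc=1
    fi
    if swap_active "$2"; then
        echo "WARN: swap is active, tmpfs pages can be written to the swap area"
        rc=1
    else
        echo "ok:   no swap active"
    fi
    return $rc
}

# make_samples DIR
# Writes constructed sample tables (not captured from a real machine) into
# DIR, in the format of /proc/mounts and /proc/swaps.
make_samples() {
    cat > "$1/mounts.good" <<'EOF'
/dev/sda1 / ext3 rw,relatime,errors=remount-ro,data=ordered 0 0
none /etc/hack tmpfs rw,relatime,size=10240k 0 0
EOF
    cat > "$1/mounts.bad" <<'EOF'
/dev/sda1 / ext3 rw,relatime,errors=remount-ro,data=ordered 0 0
EOF
    printf 'Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n' > "$1/swaps.none"
    { cat "$1/swaps.none"; printf '/dev/sda5\tpartition\t1048572\t0\t-1\n'; } > "$1/swaps.on"
}

# Demo against the constructed samples, then optionally the live system.
SAMPLE_DIR=$(mktemp -d)
make_samples "$SAMPLE_DIR"
echo "-- constructed system with the tmpfs mount and no swap:"
check_setup "$SAMPLE_DIR/mounts.good" "$SAMPLE_DIR/swaps.none" /etc/hack
echo "-- constructed system without the mount and with swap enabled:"
check_setup "$SAMPLE_DIR/mounts.bad" "$SAMPLE_DIR/swaps.on" /etc/hack || true
rm -rf "$SAMPLE_DIR"
if [ "${1:-}" = "--live" ]; then
    check_setup /proc/mounts /proc/swaps /etc/hack
fi
```

Run it as `sh check_tmpfs.sh --live` (file name assumed) after booting with the card inserted; a WARN on swap means the "only in memory" claim does not hold on that machine until swap is turned off with `swapoff -a` or moved onto an encrypted device.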

Based on an article from http://ylsoftware.com