Rixstep

GDE

Got rootkit?

Apple are always hiding things. And when they get found out, they deny it all and go hide somewhere else.

The marvelous way Cupertino play with Unix hard links will go either to history or to Ripley's Believe It or Not. Right now they've got a new method like no other: they mark their secrets with an inode of zero. So the file system thinks the entries are scheduled for deletion when they're really not.

You can use GDE to play hide and seek with Apple to see what they're up to. GDE compares different ways to access directories - not the files in them but the actual bits and bytes. There are two common methods and, right as rain, they don't always match up.

Got Rootkit?

So there can be files that the file system doesn't see? So if your OS vendor can hide files this way, can't the black hats do it too? Of course they can.

This stuff is admittedly creepy. You thought it was Unix - but now you see it isn't. And now you know almost any hacker interloper could hide things from the very file system itself - but not from GDE. It's almost like having the rootkit police on your box. GDE will tell you if files are being cloaked and thus can give you a clue whether you've been compromised.

See Also
GDE-FAQ
GDE Screenshots
Getting Around HFS+ Private Data

Copyright © Rixstep. All rights reserved.