[an error occurred while processing this directive]

Chapter 10. Additional Features — Stealth

Table of Contents

1. Hiding the executable
1.1. Using kernel modules to hide samhain (Linux/ix86 only)
2. Packing the executable

If an intruder does not know that samhain is running, s/he will make no attempt to subvert it. Hence, you may consider to run samhain in stealth mode, using some of the options discussed in this section.

1. Hiding the executable

samhain may be compiled with support for a stealth mode of operation, meaning that the program can be run without any obvious trace of its presence on disk. The following compile-time options are provided:

--enable-stealth= xor_val provides the following measures:

  1. All embedded strings are obfuscated by XORing them with some value xor_val chosen at compile time. The allowed range for xor_val is 128 to 255.

  2. The messages in the log file are obfuscated by XORing them with xor_val. The built-in routine for validating the log file ( samhain -L /path/to/logfile ) will handle this transparently. You may specify as path an already existing binary file (e.g. an executable, or a JPEG image), to which the log will get appended.


    Use samhain -jL /path/to/logfile if you just want to view rather than verify the logfile.

  3. Strings in the database file are obfuscated by XORing them with xor_val. You may append the database file to some binary file (e.g. an executable, or a JPEG image), if you like.

  4. The configuration file must be steganographically hidden in a postscript image file (the image data must be uncompressed). To create such a file from an existing image, you may use e.g. the program convert , which is part of the ImageMagick package, such as convert +compress ima.jpg ima.ps .


    make install will do this automatically before installation.

    To hide/extract the configuration data within/from the postscript file, a utility program samhain_stealth is provided. Use it without options to get help.


    If --enable-stealth is used together with --with-gpg or --with-signify , then the config file must be signed before hiding it (rather than signing the PS image file afterwards).

    Furthermore, in the case of --with-signify, the config file MUST end with the '[EOF]' marker, as the only content of the LAST line. If there are blank lines afterwards, they will not get extracted, and the signature verification will fail.

--enable-micro-stealth= xor_val is like --enable-stealth , but uses a 'normal' configuration file (not hidden steganographically).

--enable-nocl[=ARG] will disables command line parsing. The optional argument is a 'magic' word that will enable reading command-line arguments from stdin. If the first command-line argument is not the 'magic' word, all command line arguments will be ignored. This allows to start the program with completely arbitrary command-line arguments.

--enable-install-name= NAME will rename every installed file from samhain to NAME when doing a make install (standalone/client installation), and likewise rename installed files from yule to NAME when doing a make install (server installation). Also, the boot scripts will be updated accordingly. Files created by samhain (e.g. the database) will also have samhain replaced by NAME in their filenames.


The man pages have far too much specific information enabling an intruder to infer the presence of samhain. There is no point in changing samhain to NAME there — this would rather help an intruder to find out what NAME is. You probably want to avoid installing man8/samhain.8 and man5/samhainrc.5.

1.1. Using kernel modules to hide samhain (Linux/ix86 only)

This feature has been removed as of samhain version 4.0, because it does not work anymore on modern kernels due to enhanced kernel hardening.

[an error occurred while processing this directive]