by _quasimodo 4668 days ago
I don't think it is as hard as it sounds.

Consider, for example, hooking all fclose function calls and testing on every call whether

* you have write permission on the file,

* it's an object file,

* it's in an architecture your exploit supports,

* it uses the fclose function (or the corresponding system call, if it is linked statically),

* and your exploit is not already present.

If those conditions are true, hook the fclose calls in the object file before actually closing it, otherwise just close it normally.

1 comments

If I understand your proposal correctly, it would be found out almost immediately, as file checksums would be altered and quite a few places do check them.

My idea was that, if you have an object file open with write permissions, you can assume that it has been created/modified anyway, and people will expect the checksum to change.

Of course this does not work if the checksum is calculated before the file is closed by your backdoored compiler.