Tyton : Kernel-Mode Rootkit Hunter

Tyton Linux Kernel-Mode Rootkit Hunter for 4.4.0-31+.

Detected Attacks

  • Hidden Modules
  • Syscall Table Hooking
  • Network Protocol Hooking
  • Netfilter Hooking
  • Zeroed Process Inodes
  • Process Fops Hooking
  • Interrupt Descriptor Table Hooking

Also Read:Hatch – Brute Force Tool That Is Used To Brute Force Most Websites

Additional Features

Notifications: Users (including myself) do not actively monitor their journald logs, so a userland notification daemon has been included to monitor journald logs and display them to the user using libnotify. Notifications are enabled after install by XDG autorun, so if your DM does not have /etc/xdg/autostart it will fail.

DKMS: Dynamic Kernel Module Support has been added for Arch and Fedora/CentOS (looking to expand in the near future). DKMS allows the (near) seamless upgrading of Kernel modules during kernel upgrades. This is mainly important for distributions that provide rolling releases or upgrade their kernel frequently.

Tyton Installing

From Source

Ubuntu/Debian/Kali

sudo apt install linux-headers-$(uname -r) gcc make libnotify-dev pkg-config libgtk-3-dev libsystemd-dev
git clone https://github.com/nbulischeck/tyton.git
cd tyton
make
sudo insmod tyton.ko

Note: For Ubuntu 14.04, libsystemd-dev is named libsystemd-journal-dev.

Arch

sudo pacman -S linux-headers gcc make libnotify libsystemd pkgconfig gtk3
git clone https://github.com/nbulischeck/tyton.git
cd tyton
make
sudo insmod tyton.ko

Note: It’s recommended to install it through the AUR so you can benefit from DKMS.

Fedora/CentOS

dnf install kernel-devel gcc make libnotify libnotify-devel systemd-devel gtk3-devel gtk3
git clone https://github.com/nbulischeck/tyton.git
cd tyton
make
sudo insmod tyton.ko

Kernel Module Arguments


 The kernel module can be passed a specific timeout argument on insertion through the command line.

To do this, run the command sudo insmod tyton.ko timeout=X where X is the number of minutes you would like the kernel module to wait before executing its scan again.

AUR

It is available on the AUR here.

You can install it using the AUR helper of your choice:

yaourt -S tyton-dkms-git
yay -S tyton-dkms-git
pakku -S tyton-dkms-git

Download
R K

Share
Published by
R K
Tags: KernelKernel ModeRootkitTyton
7 years ago

Recent Posts

How OpenClaw Works

Imagine if you had a super-powered assistant who could automatically handle all the boring, repetitive…

7 days ago

How to Use the Linux find Command to Locate Files Like a Pro

Managing files efficiently is a core skill for anyone working in Linux, whether you're a…

1 week ago

How to Check Open Ports in Linux Using netstat, ss, and lsof

Open ports act as communication endpoints between your Linux system and the outside world. Every…

1 week ago

Best Endpoint Monitoring Tools for 2026

Introduction In today’s cyber threat landscape, protecting endpoints such as computers, smartphones, and tablets from…

2 weeks ago

Best 9 Incident Response Automation Tools

Introduction In today's fast-paced cybersecurity landscape, incident response is critical to protecting businesses from cyberattacks.…

2 weeks ago

How AI Puts Data Security at Risk

Artificial Intelligence (AI) is changing how industries operate, automating processes, and driving new innovations. However,…

3 months ago