Tyton : Kernel-Mode Rootkit Hunter

Tyton Linux Kernel-Mode Rootkit Hunter for 4.4.0-31+.

Detected Attacks

  • Hidden Modules
  • Syscall Table Hooking
  • Network Protocol Hooking
  • Netfilter Hooking
  • Zeroed Process Inodes
  • Process Fops Hooking
  • Interrupt Descriptor Table Hooking

Also Read:Hatch – Brute Force Tool That Is Used To Brute Force Most Websites

Additional Features

Notifications: Users (including myself) do not actively monitor their journald logs, so a userland notification daemon has been included to monitor journald logs and display them to the user using libnotify. Notifications are enabled after install by XDG autorun, so if your DM does not have /etc/xdg/autostart it will fail.

DKMS: Dynamic Kernel Module Support has been added for Arch and Fedora/CentOS (looking to expand in the near future). DKMS allows the (near) seamless upgrading of Kernel modules during kernel upgrades. This is mainly important for distributions that provide rolling releases or upgrade their kernel frequently.

Tyton Installing

From Source

Ubuntu/Debian/Kali

sudo apt install linux-headers-$(uname -r) gcc make libnotify-dev pkg-config libgtk-3-dev libsystemd-dev
git clone https://github.com/nbulischeck/tyton.git
cd tyton
make
sudo insmod tyton.ko

Note: For Ubuntu 14.04, libsystemd-dev is named libsystemd-journal-dev.

Arch

sudo pacman -S linux-headers gcc make libnotify libsystemd pkgconfig gtk3
git clone https://github.com/nbulischeck/tyton.git
cd tyton
make
sudo insmod tyton.ko

Note: It’s recommended to install it through the AUR so you can benefit from DKMS.

Fedora/CentOS

dnf install kernel-devel gcc make libnotify libnotify-devel systemd-devel gtk3-devel gtk3
git clone https://github.com/nbulischeck/tyton.git
cd tyton
make
sudo insmod tyton.ko

Kernel Module Arguments


 The kernel module can be passed a specific timeout argument on insertion through the command line.

To do this, run the command sudo insmod tyton.ko timeout=X where X is the number of minutes you would like the kernel module to wait before executing its scan again.

AUR

It is available on the AUR here.

You can install it using the AUR helper of your choice:

yaourt -S tyton-dkms-git
yay -S tyton-dkms-git
pakku -S tyton-dkms-git

Download
R K

Share
Published by
R K
Tags: KernelKernel ModeRootkitTyton
7 years ago

Recent Posts

How Web Application Firewalls (WAFs) Work

General Working of a Web Application Firewall (WAF) A Web Application Firewall (WAF) acts as…

1 week ago

How to Send POST Requests Using curl in Linux

How to Send POST Requests Using curl in Linux If you work with APIs, servers,…

1 week ago

What Does chmod 777 Mean in Linux

If you are a Linux user, you have probably seen commands like chmod 777 while…

1 week ago

How to Undo and Redo in Vim or Vi

Vim and Vi are among the most powerful text editors in the Linux world. They…

1 week ago

How to Unzip and Extract Files in Linux

Working with compressed files is a common task for any Linux user. Whether you are…

1 week ago

Free Email Lookup Tools and Reverse Email Search Resources

In the digital era, an email address can reveal much more than just a contact…

1 week ago