Tyton : Kernel-Mode Rootkit Hunter

Tyton Linux Kernel-Mode Rootkit Hunter for 4.4.0-31+.

Detected Attacks

  • Hidden Modules
  • Syscall Table Hooking
  • Network Protocol Hooking
  • Netfilter Hooking
  • Zeroed Process Inodes
  • Process Fops Hooking
  • Interrupt Descriptor Table Hooking

Also Read:Hatch – Brute Force Tool That Is Used To Brute Force Most Websites

Additional Features

Notifications: Users (including myself) do not actively monitor their journald logs, so a userland notification daemon has been included to monitor journald logs and display them to the user using libnotify. Notifications are enabled after install by XDG autorun, so if your DM does not have /etc/xdg/autostart it will fail.

DKMS: Dynamic Kernel Module Support has been added for Arch and Fedora/CentOS (looking to expand in the near future). DKMS allows the (near) seamless upgrading of Kernel modules during kernel upgrades. This is mainly important for distributions that provide rolling releases or upgrade their kernel frequently.

Tyton Installing

From Source

Ubuntu/Debian/Kali

sudo apt install linux-headers-$(uname -r) gcc make libnotify-dev pkg-config libgtk-3-dev libsystemd-dev
git clone https://github.com/nbulischeck/tyton.git
cd tyton
make
sudo insmod tyton.ko

Note: For Ubuntu 14.04, libsystemd-dev is named libsystemd-journal-dev.

Arch

sudo pacman -S linux-headers gcc make libnotify libsystemd pkgconfig gtk3
git clone https://github.com/nbulischeck/tyton.git
cd tyton
make
sudo insmod tyton.ko

Note: It’s recommended to install it through the AUR so you can benefit from DKMS.

Fedora/CentOS

dnf install kernel-devel gcc make libnotify libnotify-devel systemd-devel gtk3-devel gtk3
git clone https://github.com/nbulischeck/tyton.git
cd tyton
make
sudo insmod tyton.ko

Kernel Module Arguments


 The kernel module can be passed a specific timeout argument on insertion through the command line.

To do this, run the command sudo insmod tyton.ko timeout=X where X is the number of minutes you would like the kernel module to wait before executing its scan again.

AUR

It is available on the AUR here.

You can install it using the AUR helper of your choice:

yaourt -S tyton-dkms-git
yay -S tyton-dkms-git
pakku -S tyton-dkms-git

Download
R K

Share
Published by
R K
Tags: KernelKernel ModeRootkitTyton
7 years ago

Recent Posts

How AI Puts Data Security at Risk

Artificial Intelligence (AI) is changing how industries operate, automating processes, and driving new innovations. However,…

4 hours ago

The Evolution of Cloud Technology: Where We Started and Where We’re Headed

Image credit:pexels.com If you think back to the early days of personal computing, you probably…

4 days ago

The Evolution of Online Finance Tools In a Tech-Driven World

In an era defined by technological innovation, the way people handle and understand money has…

4 days ago

A Complete Guide to Lenso.ai and Its Reverse Image Search Capabilities

The online world becomes more visually driven with every passing year. Images spread across websites,…

5 days ago

How Web Application Firewalls (WAFs) Work

General Working of a Web Application Firewall (WAF) A Web Application Firewall (WAF) acts as…

1 month ago

How to Send POST Requests Using curl in Linux

How to Send POST Requests Using curl in Linux If you work with APIs, servers,…

1 month ago