Tyton : Kernel-Mode Rootkit Hunter

Tyton Linux Kernel-Mode Rootkit Hunter for 4.4.0-31+.

Detected Attacks

  • Hidden Modules
  • Syscall Table Hooking
  • Network Protocol Hooking
  • Netfilter Hooking
  • Zeroed Process Inodes
  • Process Fops Hooking
  • Interrupt Descriptor Table Hooking

Also Read:Hatch – Brute Force Tool That Is Used To Brute Force Most Websites

Additional Features

Notifications: Users (including myself) do not actively monitor their journald logs, so a userland notification daemon has been included to monitor journald logs and display them to the user using libnotify. Notifications are enabled after install by XDG autorun, so if your DM does not have /etc/xdg/autostart it will fail.

DKMS: Dynamic Kernel Module Support has been added for Arch and Fedora/CentOS (looking to expand in the near future). DKMS allows the (near) seamless upgrading of Kernel modules during kernel upgrades. This is mainly important for distributions that provide rolling releases or upgrade their kernel frequently.

Tyton Installing

From Source

Ubuntu/Debian/Kali

sudo apt install linux-headers-$(uname -r) gcc make libnotify-dev pkg-config libgtk-3-dev libsystemd-dev
git clone https://github.com/nbulischeck/tyton.git
cd tyton
make
sudo insmod tyton.ko

Note: For Ubuntu 14.04, libsystemd-dev is named libsystemd-journal-dev.

Arch

sudo pacman -S linux-headers gcc make libnotify libsystemd pkgconfig gtk3
git clone https://github.com/nbulischeck/tyton.git
cd tyton
make
sudo insmod tyton.ko

Note: It’s recommended to install it through the AUR so you can benefit from DKMS.

Fedora/CentOS

dnf install kernel-devel gcc make libnotify libnotify-devel systemd-devel gtk3-devel gtk3
git clone https://github.com/nbulischeck/tyton.git
cd tyton
make
sudo insmod tyton.ko

Kernel Module Arguments


 The kernel module can be passed a specific timeout argument on insertion through the command line.

To do this, run the command sudo insmod tyton.ko timeout=X where X is the number of minutes you would like the kernel module to wait before executing its scan again.

AUR

It is available on the AUR here.

You can install it using the AUR helper of your choice:

yaourt -S tyton-dkms-git
yay -S tyton-dkms-git
pakku -S tyton-dkms-git

Download
R K

Share
Published by
R K
Tags: KernelKernel ModeRootkitTyton
6 years ago

Recent Posts

The Strength Of Signed App Control Policies

Before delving into the topic, let's first clarify the role of an Administrator within the…

7 hours ago

Embassy : Revolutionizing Embedded Systems With Rust And Asynchronous Programming

Embassy is the next-generation framework for embedded applications. Write safe, correct and energy-efficient embedded code…

7 hours ago

AttackRuleMap : Bridging Adversary Simulations And Detection Rules For Enhanced Cybersecurity

This repository provides a mapping of Atomic Red Team attack simulations to open-source detection rules,…

9 hours ago

Qdrant : A High-Performance Vector Similarity Search Engine

Qdrant (read: quadrant) is a vector similarity search engine and vector database. It provides a…

9 hours ago

ShadowHound : Leveraging PowerShell For Stealthy Active Directory Enumeration

ShadowHound is a set of PowerShell scripts for Active Directory enumeration without the need for…

11 hours ago

Awesome EDR Bypass : A Comprehensive Guide For Ethical Hackers

EDR bypass technology is not just for attackers. Many malware now have EDR bypass capabilities,…

1 day ago