tyton: Kernel-Mode Rootkit Hunter
Tyton
Kernel-Mode Rootkit Hunter
Detected Attacks
- Hidden Modules
- Syscall Table Hooking
- Network Protocol Hooking
- Netfilter Hooking
- Zeroed Process Inodes
- Process Fops Hooking
- Interrupt Descriptor Table Hooking
Additional Features
Notifications: Users (including myself) do not actively monitor their journald logs, so a userland notification daemon is included that watches the journald log and displays Tyton's findings to the user via libnotify. The daemon is enabled after installation through XDG autostart, so if your display manager does not support /etc/xdg/autostart, it will not start.
DKMS: Dynamic Kernel Module Support has been added for Arch and Fedora/CentOS (looking to expand in the near future). DKMS allows the (near) seamless upgrading of Kernel modules during kernel upgrades. This is mainly important for distributions that provide rolling releases or upgrade their kernel frequently.
Below is a table of rootkits and whether or not Tyton can detect them based on currently implemented features. Common features are those that you will commonly find in even the most basic kernel-mode rootkits. Advanced features are those that provide increased evasion features but are somewhat challenging or uncommon to implement.
- Found
- The rootkit has implemented this feature and it has been found.
- Evaded
- The rootkit has implemented this feature and it has not been found.
- N/a
- The rootkit has not implemented this feature.
Common Features
Rootkit | Hidden Module | SCT/IDT Hooking | Netfilter Hooking |
---|---|---|---|
Reptile | Found | Evaded | Found |
Diamorphine | Found | Found | Found |
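As an added illustration of two of the checks listed above (this is not Tyton's own code, which runs inside the kernel), here is a userland sketch in Python of the syscall-table and hidden-module checks, run over constructed samples of /proc/kallsyms, /proc/modules and a syscall-table snapshot; the module name `evil`, the symbol names and every address are made up.

```python
import re

# Constructed /proc/kallsyms sample: the module "evil" and all addresses are made up.
SAMPLE_KALLSYMS = """\
ffffffff81000000 T _stext
ffffffff81060120 T __x64_sys_read
ffffffff81060400 T __x64_sys_getdents64
ffffffff82000000 T _etext
ffffffffc0a00000 t hooked_getdents64 [evil]
ffffffffc0a00800 t evil_init [evil]
ffffffffc0b00000 t nf_ct_init [nf_conntrack]
"""
# Constructed syscall-table snapshot {syscall nr: handler address}; 217 is getdents64 on x86-64.
SAMPLE_TABLE = {0: 0xffffffff81060120, 217: 0xffffffffc0a00000}
# Constructed /proc/modules: only nf_conntrack is listed, "evil" has unlinked itself.
SAMPLE_PROC_MODULES = "nf_conntrack 167936 0 - Live 0xffffffffc0b00000\n"

KALLSYMS_RE = re.compile(r"^([0-9a-f]+)\s+\S\s+(\S+)(?:\s+\[(\S+)\])?$")

def parse_kallsyms(text):
    """Return the (_stext, _etext) core text range and {module: (lowest, highest)} symbol addresses."""
    core, mods = {}, {}
    for line in text.splitlines():
        m = KALLSYMS_RE.match(line.strip())
        if not m:
            continue
        addr, name, mod = int(m.group(1), 16), m.group(2), m.group(3)
        if mod is None:
            if name in ("_stext", "_etext"):
                core[name] = addr
        else:  # symbol belongs to a loaded module: widen that module's address span
            lo, hi = mods.get(mod, (addr, addr))
            mods[mod] = (min(lo, addr), max(hi, addr))
    return (core["_stext"], core["_etext"]), mods

def find_hooked_syscalls(table, text_range, mods):
    """Flag entries whose handler lies outside core kernel text, naming the module that owns it."""
    lo, hi = text_range
    hooked = []
    for nr, addr in sorted(table.items()):
        if lo <= addr < hi:
            continue  # handler is in the kernel's own text: not a table hook
        owner = next((m for m, (mlo, mhi) in mods.items() if mlo <= addr <= mhi), "unknown")
        hooked.append((nr, owner))
    return hooked

def find_hidden_modules(mods, proc_modules):
    """Modules that still own kallsyms symbols but are absent from /proc/modules."""
    listed = {line.split()[0] for line in proc_modules.splitlines() if line.strip()}
    return sorted(set(mods) - listed)
```

A table-pointer check like this only reports handlers that were replaced in the table; a hook that patches the body of the original handler leaves the table entry inside core text and is not reported, and reading real /proc/kallsyms addresses requires root on systems with kptr_restrict set.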
Installing
Ubuntu/Debian/Kali
```sh
sudo apt install linux-headers-$(uname -r) gcc make libnotify-dev pkg-config libgtk-3-dev libsystemd-dev
git clone https://github.com/nbulischeck/tyton.git
cd tyton
make
sudo insmod tyton.ko
```
Arch
```sh
sudo pacman -S linux-headers gcc make libnotify libsystemd pkgconfig gtk3
git clone https://github.com/nbulischeck/tyton.git
cd tyton
make
sudo insmod tyton.ko
```
Fedora/CentOS
```sh
dnf install kernel-devel gcc make libnotify libnotify-devel systemd-devel gtk3-devel gtk3
git clone https://github.com/nbulischeck/tyton.git
cd tyton
make
sudo insmod tyton.ko
```
Kernel Module Arguments
The kernel module accepts a timeout argument on the command line when it is inserted.
To set it, run `sudo insmod tyton.ko timeout=X`, where X is the number of minutes the kernel module waits between scans.
For more info, please read here.
Copyright (c) 2018, nbulischeck