AFkit
Description
AFkit is able to:
- Hide itself from /proc/modules, /proc/kallsyms and /sys/module
- Hide files with "__rt" substring in their name (and their content)
- Block opening and reading of the /dev/mem, /dev/port and /dev/kmem devices
This anti-forensic rootkit uses the system call hijacking method; in particular, the following syscalls are hijacked:
- open
- read
- getdents
- getdents64
- chdir
- kill
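Because a hooked syscall table is the footprint this technique leaves in memory, the check a forensic analyst runs is to compare each sys_call_table slot with the kernel's own handler address. The following is an added example (not part of AFkit) of that check: it takes a System.map-style symbol listing and a dump of the table slots (both constructed here, as they would be pulled from a memory image) and flags slots whose address differs from sys_<name>, noting whether the address lies outside the kernel text range, where loaded module code resides.

```python
import re
from typing import Dict, List, Tuple

# Constructed System.map excerpt; addresses are made up, not from any real kernel.
SYSTEM_MAP = """\
ffffffff81000000 T _text
ffffffff8108a000 T sys_kill
ffffffff811a0000 T sys_open
ffffffff811a0300 T sys_read
ffffffff811c2000 T sys_getdents
ffffffff811c2400 T sys_getdents64
ffffffff811d0000 T sys_chdir
ffffffff81600000 T _etext
"""

# Constructed dump of sys_call_table slots (name -> address stored in the table).
# Four slots point into the module area above _etext; chdir and kill are intact.
TABLE_DUMP: Dict[str, int] = {
    "read": 0xffffffffa0012000,
    "open": 0xffffffffa0012100,
    "getdents": 0xffffffffa0012200,
    "getdents64": 0xffffffffa0012300,
    "chdir": 0xffffffff811d0000,
    "kill": 0xffffffff8108a000,
}

LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+[TtWwDd]\s+(\S+)$")


def parse_system_map(text: str) -> Dict[str, int]:
    """Return symbol name -> address from a System.map / kallsyms-style listing."""
    symbols: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            symbols[m.group(2)] = int(m.group(1), 16)
    return symbols


def check_syscall_table(symbols: Dict[str, int], table: Dict[str, int]) -> List[Tuple[str, str]]:
    """Return (syscall, reason) for every slot not pointing at the kernel's sys_<name>."""
    text_lo, text_hi = symbols["_text"], symbols["_etext"]
    findings: List[Tuple[str, str]] = []
    for name, addr in table.items():
        expected = symbols.get("sys_" + name)
        if expected is None:
            findings.append((name, "no sys_%s symbol in System.map" % name))
        elif addr != expected:
            where = "outside kernel text" if not text_lo <= addr < text_hi else "inside kernel text"
            findings.append((name, "hooked: 0x%x != 0x%x (%s)" % (addr, expected, where)))
    return findings


if __name__ == "__main__":
    for name, reason in check_syscall_table(parse_system_map(SYSTEM_MAP), TABLE_DUMP):
        print("%-10s %s" % (name, reason))
```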
ToDo
- Hide network connections
- Hide network ports
- Hide process by given PID
PLEASE REPORT BUGS. IT WILL BE VERY MUCH APPRECIATED!
Tested on ArchLinux with kernel 3.10.10 (x86_64); it is expected to work on all 3.x kernels.
Beta quality product. I don't take any responsibility for its usage and its behaviour.
UPDATE 19/04/2014
Tested on ArchLinux with Kernel 3.14.1 (x86_64) and Debian Wheezy with kernel 3.12 (686)
UPDATE 15/04/2017
Tested on ArchLinux with Kernel 4.10.8 (x86_64)