This repository has been archived by the owner on May 23, 2022. It is now read-only.
Experimental LKM short of being a full rootkit - showing the handling of linux internals like Kobjects and tasks

carloslack/ntsh

Nothing to See Here

LKM that hides itself and system processes.

Usage

Commands are sent to /proc/ntsh as root, for example:
    echo hide >/proc/ntsh

hide: hide the module from lsmod/rmmod. The key to unhide is written to the kernel ring buffer
    echo hide >/proc/ntsh
    dmesg

<key>: unhide the module
    echo "<random key from ring buffer>" >/proc/ntsh

<PID>: hide/unhide a process. Suppose there is a PID 28172:
    hide:
        echo 28172 >/proc/ntsh
    unhide if the process is hidden:
        echo 28172 >/proc/ntsh

list: list hidden processes via ring buffer
    echo list >/proc/ntsh
    dmesg

The LKM can only be unloaded if it is not hidden
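
For the defender's side of the interface above, the following is an added example (not code from the ntsh repository) that checks for the /proc/ntsh control file and runs cross-view comparisons for hidden modules and PIDs. The function names are hypothetical, and because the README does not say how hiding is implemented, the two cross-view checks assume the hiding code leaves the sysfs module entry in place and only filters the /proc directory listing; they are general techniques that go beyond what this page documents.

```shell
#!/bin/sh
# Added example, not part of the ntsh repository. Roots are parameters so the
# checks can run against a live system or a constructed test tree.

# The README's control file; its presence alone is an indicator.
ntsh_control_present() {          # $1 = procfs root (default /proc)
    [ -e "${1:-/proc}/ntsh" ]
}

# Loadable modules that sysfs still exposes but /proc/modules (the list
# lsmod reads) does not. Assumption: the sysfs entry was left in place.
unlisted_modules() {              # $1 = procfs root, $2 = sysfs root
    for d in "${2:-/sys}"/module/*/; do
        if [ -e "${d}initstate" ]; then
            name=$(basename "$d")
            grep -q "^$name " "${1:-/proc}/modules" || echo "$name"
        fi
    done
}

# Thread-group leaders reachable by direct /proc/<pid> lookup but absent
# from a listing. Assumption: hiding only filters the directory listing.
# Non-leader threads are never listed by the kernel, so they are skipped.
unlisted_pids() {   # $1 = procfs root, $2 = highest PID, $3 = optional listing
    root=${1:-/proc}
    listed=" ${3:-$(cd "$root" && echo [0-9]*)} "
    pid=1
    while [ "$pid" -le "$2" ]; do
        st="$root/$pid/status"
        if [ -r "$st" ]; then
            tgid=$(awk '/^Tgid:/ {print $2}' "$st" 2>/dev/null) || tgid=
            case "$listed" in
                *" $pid "*) ;;
                *) [ "$tgid" = "$pid" ] && echo "$pid" ;;
            esac
        fi
        pid=$((pid + 1))
    done
    return 0
}
```

On a live host, run as root with `unlisted_pids /proc "$(cat /proc/sys/kernel/pid_max)"`; repeat any hit, since a process that starts between the listing and the probe shows up once as a false positive.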
