Sample Rootkit for Linux

This is a sample rootkit implementation for Linux. It can hide processes and files and grant root privileges. It also has a stealth mode (enabled by default) that prevents it from being detected.


Just compile the module (the included Makefile builds it against the current kernel) and load it. A hidden file called rtkit is then created in /proc. It is not visible when listing the contents of the /proc directory.

Run cat /proc/rtkit to see the available commands. You can use the attached program to give orders, or use echo -n (don't forget -n; there should be no trailing newline).

Examples:

echo -n thf >> /proc/rtkit
./ hp1337

To gain root, give the "My Pen Is Long" command (a pop-culture reference; without spaces, in lowercase letters) and then fork a shell from the writing process. does that for you if the second parameter is specified.

tools/ mypenislong /bin/bash
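The behaviour described above, where /proc/rtkit is absent from the directory listing but still opens by path, is also what a defender can check for. The following is an added detection example, not code from this repository; the PID sweep generalizes the same check to hidden processes and assumes process hiding likewise filters only the /proc listing, and the function names and the `lister` parameter are hypothetical.

```python
import os

def resolves(root, name):
    """True if a direct path lookup succeeds, independent of enumeration."""
    try:
        os.lstat(os.path.join(root, name))
        return True
    except OSError:
        return False

def is_thread_id(root, pid):
    """/proc/<tid> resolves for threads but is never listed; that is normal."""
    try:
        with open(os.path.join(root, str(pid), "status")) as fh:
            fields = dict(line.split(":", 1) for line in fh if ":" in line)
        return int(fields["Tgid"]) != pid
    except (OSError, KeyError, ValueError):
        return False  # unreadable status: keep the entry as suspicious

def find_unlisted(root="/proc", names=("rtkit",), max_pid=0, lister=os.listdir):
    """Return entries reachable by path but missing from the directory listing.

    names:   candidate file names to probe ("rtkit" is the name the README gives)
    max_pid: upper bound of the PID sweep (0 disables it)
    lister:  enumeration function, injectable so the check can be tested
    Assumption: hiding filters the listing only and leaves path lookup intact.
    """
    listed = set(lister(root))
    hits = [n for n in names if n not in listed and resolves(root, n)]
    for pid in range(1, max_pid + 1):
        if str(pid) in listed or not resolves(root, str(pid)):
            continue
        if not is_thread_id(root, pid):
            hits.append(str(pid))
    return hits

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as fh:
        limit = int(fh.read())
    for entry in find_unlisted(max_pid=limit):
        print("unlisted but reachable: /proc/" + entry)
```

A process that starts between the listing and the lookup shows up as a false hit, so re-run the check before treating a result as a finding.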


This code should run on Linux 2.6.29 and higher, since the lookup_address symbol was not exported before that. It was tested against 3.1.0, 3.1.5 and 3.1.6 and is fully working (both x86 and x86_64).

A paper describing the implementation details (in Polish) is available.


Dual licensed under BSD and GPL.



Ivyl and t3hknr.
