Skip to content

Safe3/AFkit

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits

AFkit__rt.c

AFkit__rt.c

 
 

AFkit__rt.h

AFkit__rt.h

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

Repository files navigation

AFkit

Description

It is able to:

  1. Hide himself from /proc/modules, /proc/kallsyms and /sys/modules
  2. Hide files with "__rt" substring in their name (and their content)
  3. Avoid the opening and reading of /dev/mem, /dev/port and /dev/kmem devices

This anti-forensic rootkit uses the system call hijacking method, in particular are hijacked the following syscalls:

  • open
  • read
  • getdents
  • getdents64
  • chdir
  • kill

ToDo

  1. Hide network connections
  2. Hide network ports
  3. Hide process by given PID

PLEASE REPORT BUGS. IT'LL BE VERY APPRECIATED!

Tested on ArchLinux Kernel 3.10.10 (x86_64) but it is supposed to work on all 3.x versions.
Beta quality product. I don't take any responsability about its usage and its behaviour.

UPDATE 19/04/2014

Tested on ArchLinux with Kernel 3.14.1 (x86_64) and Debian Wheezy with kernel 3.12 (686)

About

Anti live forensic linux LKM rootkit

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published