it's a simple LKM rootkit. Tested on Linux Debian 6 - Kernel 2.6.32-5-686 (32bit) e con GCC 4.4.5
Just for fun
#Functionality:
- hide itself from commands like insmod, lsmod, modprobe..
- syscall hijacking
- hide a chosen tcp port
- parse commands from a /proc node ex. echo nasconditi > /proc/moooo # hide itself
References
http://core.ipsecs.com/rootkit/kernel-rootkit/kbeast-v1/ipsecs-kbeast-v1.c https://memset.wordpress.com/2011/03/18/syscall-hijacking-dynamically-obtain-syscall-table-address-kernel-2-6-x-2/ http://www.phrack.org/issues/58/6.html#article http://www.phrack.org/issues/58/7.html#article https://volatility-labs.blogspot.it/2012/09/movp-15-kbeast-rootkit-detecting-hidden.html