naROOTo is a decent LKM rootkit.

NOTICE: THIS POST IS FOR EDUCATION AND RESEARCH PURPOSES ONLY! DON’T USE IT ON A PRODUCTION MACHINE.

naROOTo is a decent LKM rootkit for educational purposes.
Features and functions:
+ File hiding
+ Process hiding
+ Module hiding
+ Hiding sockets
+ Hiding packets
+ Port knocking
+ Network keylogging
+ Privilege escalation for remote_shell_provider.

Main files:
File name                     Functionality
gensysmap.sh                  Shell script that generates the sysmap.h file.
main.{c,h}                    Module (un-)loading and basic configuration.
control.{c,h}                 Control API for the different functionalities.
include.{c,h}                 Helper functions.
covert_communication.{c,h}    Implementation of the covert communication channel.
getdents.{c,h}                Hooking of the getdents syscall and related functionality.
read.{c,h}                    Hooking of the read syscall and related functionality.
hide_module.{c,h}             Functionality needed for hiding kernel modules.
hide_socket.{c,h}             Functionality needed for hiding TCP and UDP sockets.
hide_packet.{c,h}             Functionality needed for hiding packets.
port_knocking.{c,h}           A port knocking implementation.
net_keylog.{c,h}              Functionality needed for network keylogging.

Example screen capture: installing the rootkit

Usage:

Source: https://github.com/nnedkov