Skip to content
This repository has been archived by the owner on May 23, 2022. It is now read-only.
/ ntsh Public archive

Experimental LKM short of being a full rootkit - showing the handling of linux internals like Kobjects and tasks

License

MIT license
8 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

carloslack/ntsh

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

80 Commits
src
src
 
 
tests
tests
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
demo.gif
demo.gif
 
 
lgtm.yml
lgtm.yml
 
 

Repository files navigation

Nothing to See Here

LKM that hides itself and system processes.

Total alerts Language grade: C/C++

Software License

Usage

Commands are sent to /proc/ntsh as ROOT, exemple:
    echo hide >/proc/ntsh

hide:  hide the module from lsmod/rmmod. Key to unhide is output from ring buffer
    echo hide >/proc/ntsh
    dmesg

<key>: unhide the module
    echo "<random key from ring buffer>" >/proc/ntsh

<PID>: hide/unhide process. Suppose there is a PID 28172
    hide:
        echo 28172 >/proc/ntsh
    unhide if the process is hidden:
        echo 28172 >/proc/ntsh

list: list hidden processes via ring buffer
    echo list >/proc/ntsh
    dmesg

The LKM can only be unloaded if it is not hidden

About

Experimental LKM short of being a full rootkit - showing the handling of linux internals like Kobjects and tasks

Topics

c kernel lkm linux-kernel-hacking assembly-x86-64

Resources

Readme

License

MIT license
Activity

Stars

8 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages