Tyton: Rootkit Hunter

1 Min Read

Loadable kernel modules are an important companion of the Linux kernel, LKMs for example.

Typically, LKMs are used to add or add extra system calls to support fresh hardware (as device drivers) or file systems. Without LKMs, any predicted functionality must be included in an operating system.

When developing a platform to use with everything from a smartphone to a server, this is borderline impossible to do. LKMs provide the kernel and the device user with 
extra functionality by extension, and can be safely added or removed when needed or not.

Read Also: The powerful truth – All those “smart” devices…

Therefore, developing multiple methods of detection on more advanced rootkits would benefit system administrators globally.

Tyton Detected Attacks

  • Process Fops Hooking
  • Interrupt Descriptor Table Hooking
  • Syscall Table Hooking
  • Zeroed Process Inodes
  • Network Protocol Hooking


  • Linux Kernel 4.4.0-31 or greater
  • GTK3 & GCC
  • Make
  • Package Config
  • Libnotify
  • Libsystemd
  • GTK3
Share This Article
Leave a comment