tyton's People

Contributors: nbulischeck, v14dz, westonbelk


tyton's Issues

[Feature Request] Kernel Module Signing

As it stands, if you build the kernel module and insert it into your kernel, you will taint it.

If you could figure out a way to prevent this from happening, possibly through kernel module signing, that would be great.

You can read more about tainting the kernel from the following links:
https://www.kernel.org/doc/html/v4.15/admin-guide/tainted-kernels.html
https://unix.stackexchange.com/questions/118116/what-is-a-tainted-kernel-in-linux
https://stackoverflow.com/questions/27252165/what-does-kernel-tainted-mean

error: ‘module_mutex’ undeclared (first use in this function); did you mean ‘module_put’?

Hello,

There is an issue with the latest version of tyton code. When trying to compile it I get the error in the subject.

OS: Blackarch Linux
Kernel version: 5.13.13-arch1-1
Tyton version: master branch from GitHub and 1:80.56494f3-1 from the BlackArch repository.

DKMS make.log for tyton-80.56494f3 for kernel 5.13.13-arch1-1 (x86_64)
sâmbătă 28 august 2021, 17:11:15 +0300
make -C /lib/modules/5.13.13-arch1-1/build M=/var/lib/dkms/tyton/80.56494f3/build modules
make[1]: warning: jobserver unavailable: using -j1.  Add '+' to parent make rule.
make[1]: Entering directory '/usr/lib/modules/5.13.13-arch1-1/build'
 CC [M]  /var/lib/dkms/tyton/80.56494f3/build/src/core.o
 CC [M]  /var/lib/dkms/tyton/80.56494f3/build/src/util.o
 CC [M]  /var/lib/dkms/tyton/80.56494f3/build/src/proc.o
/var/lib/dkms/tyton/80.56494f3/build/src/proc.c: In function ‘analyze_fops’:
/var/lib/dkms/tyton/80.56494f3/build/src/proc.c:116:29: error: ‘module_mutex’ undeclared (first use in this function); did you mean ‘module_put’?
 116 |                 mutex_lock(&module_mutex);
     |                             ^~~~~~~~~~~~
     |                             module_put
/var/lib/dkms/tyton/80.56494f3/build/src/proc.c:116:29: note: each undeclared identifier is reported only once for each function it appears in
make[2]: *** [scripts/Makefile.build:273: /var/lib/dkms/tyton/80.56494f3/build/src/proc.o] Error 1
make[1]: *** [Makefile:1862: /var/lib/dkms/tyton/80.56494f3/build] Error 2
make[1]: Leaving directory '/usr/lib/modules/5.13.13-arch1-1/build'
make: *** [Makefile:19: module] Error 2

If I run make to compile the code I have downloaded from git I get the exact same error. This happens each time I try to compile that module. Tried with different kernel versions, 2 or 3 versions, and always the compilation ends in error.

The kernel module cannot be built with Linux >= 5.7.6

Dear development team,

In a recent kernel patch, "kallsyms_lookup_name" was unexported, and building tyton on kernel>=5.7.6 fails.

I built tyton-1.2 under Blackarch on kernel 5.7.7-arch1-1 and the following error occurred:

Error Message from pacman:

==> dkms install --no-depmod -m tyton -v 1.2 -k 5.7.7-arch1-1  
Error! Bad return status for module build on kernel: 5.7.7-arch1-1 (x86_64)  
Consult /var/lib/dkms/tyton/1.2/build/make.log for more information.  
==> Warning, `dkms install --no-depmod -m tyton -v 1.2 -k 5.7.7-arch1-1' returned 10

make.log

DKMS make.log for tyton-1.2 for kernel 5.7.7-arch1-1 (x86_64)            [0/184]
2020-07-05T23:06:53 EDT
make -C /lib/modules/5.7.7-arch1-1/build M=/var/lib/dkms/tyton/1.2/build modules
make[1]: warning: jobserver unavailable: using -j1.  Add '+' to parent make rule.
make[1]: Entering directory '/usr/lib/modules/5.7.7-arch1-1/build'
  CC [M]  /var/lib/dkms/tyton/1.2/build/src/core.o
  CC [M]  /var/lib/dkms/tyton/1.2/build/src/util.o
  CC [M]  /var/lib/dkms/tyton/1.2/build/src/proc.o
  CC [M]  /var/lib/dkms/tyton/1.2/build/src/module_list.o
  CC [M]  /var/lib/dkms/tyton/1.2/build/src/syscall_hooks.o
  CC [M]  /var/lib/dkms/tyton/1.2/build/src/network_hooks.o
  CC [M]  /var/lib/dkms/tyton/1.2/build/src/netfilter_hooks.o
  CC [M]  /var/lib/dkms/tyton/1.2/build/src/interrupt_hooks.o
  LD [M]  /var/lib/dkms/tyton/1.2/build/tyton.o
  MODPOST 1 modules
ERROR: modpost: "kallsyms_lookup_name" [/var/lib/dkms/tyton/1.2/build/tyton.ko] undefined!
make[2]: *** [scripts/Makefile.modpost:99: __modpost] Error 1
make[1]: *** [Makefile:1645: modules] Error 2
make[1]: Leaving directory '/usr/lib/modules/5.7.7-arch1-1/build'
make: *** [Makefile:19: module] Error 2

So I wonder if there's any workaround for this issue, or do I have to compile my own kernel to make tyton work?

Best regards,
Yu

Does not compile on 4.4.0-75

Can't compile master branch on Ubuntu 16.04 + kernel 4.4.0-75, can you take a look?

/tmp/tyton-master/src/network_hooks.c: In function 'analyze_networks':
/tmp/tyton-master/src/network_hooks.c:54:42: error: dereferencing pointer to incomplete type 'const struct file_operations'
   op_addr[0] = *(unsigned long *)seq_fops->llseek;

ERROR: modpost: "__module_address" [/home/blackarch/tyton/tyton.ko] undefined!

Environment:
Distro name and version: Black Arch (rolling release)
Kernel version: 5.10.13-arch1-2
Reproducibility Rate: Always. Even when building the package from the AUR it fails.

Steps to reproduce:

  1. git clone https://github.com/nbulischeck/tyton.git
  2. make
  3. The build fails with ERROR: modpost: "__module_address" [/home/blackarch/tyton/tyton.ko] undefined! (see the "Actual result" section).

Expected result:
Kernel module should be built.

Actual result:

make -C /lib/modules/5.10.13-arch1-2/build M=/home/blackarch/tyton modules
make[1]: Entering directory '/usr/lib/modules/5.10.13-arch1-2/build'
  CC [M]  /home/blackarch/tyton/src/core.o
  CC [M]  /home/blackarch/tyton/src/util.o
  CC [M]  /home/blackarch/tyton/src/proc.o
  CC [M]  /home/blackarch/tyton/src/module_list.o
  CC [M]  /home/blackarch/tyton/src/syscall_hooks.o
  CC [M]  /home/blackarch/tyton/src/network_hooks.o
  CC [M]  /home/blackarch/tyton/src/netfilter_hooks.o
  CC [M]  /home/blackarch/tyton/src/interrupt_hooks.o
  LD [M]  /home/blackarch/tyton/tyton.o
  MODPOST /home/blackarch/tyton/Module.symvers
ERROR: modpost: "__module_address" [/home/blackarch/tyton/tyton.ko] undefined!
make[2]: *** [scripts/Makefile.modpost:111: /home/blackarch/tyton/Module.symvers] Error 1
make[2]: *** Deleting file '/home/blackarch/tyton/Module.symvers'
make[1]: *** [Makefile:1709: modules] Error 2
make[1]: Leaving directory '/usr/lib/modules/5.10.13-arch1-2/build'
make: *** [Makefile:19: module] Error 2

Severity/Priority
Critical.

Notes
This link from the linux-kernel mailing list might be related.

Crash on Ubuntu 16.04 - 4.4.0-75

Fresh compile from the master branch; I didn't do anything after insmod. No other kernel modules or hooks installed.

It just crashed on 4.4.0-75-generic within a few seconds; I can enable kdump if it's needed.

Logs from dmesg:

[   65.415771] CPU: 0 PID: 360 Comm: kworker/0:2 Tainted: G           OE   4.4.0-75-generic #96-Ubuntu
[   65.415792] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018
[   65.415819] Workqueue: events work_func [tyton]
[   65.415832] task: ffff8800345b6900 ti: ffff880035654000 task.ti: ffff880035654000
[   65.415850] RIP: 0010:[<ffffffffc0008817>]  [<ffffffffc0008817>] analyze_netfilter+0x47/0x100 [tyton]
[   65.415874] RSP: 0018:ffff880035657dd0  EFLAGS: 00010246
[   65.415887] RAX: ffffffff81ef6aa0 RBX: ffff880035bc8300 RCX: 0000000000000006
[   65.415904] RDX: ffffffff81ef6aa0 RSI: 0000000000000246 RDI: ffff88013960dd50
[   65.415921] RBP: ffff880035657e08 R08: 00000000736b6f6f R09: 00000000000006fd
[   65.415937] R10: ffffffff81c9bb76 R11: 00000000000006fd R12: ffffffff81ef6a10
[   65.415954] R13: ffff88013961af00 R14: 0000000000000000 R15: ffffffff81ef6a20
[   65.415971] FS:  0000000000000000(0000) GS:ffff880139600000(0000) knlGS:0000000000000000
[   65.415990] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   65.416004] CR2: 0000000000000000 CR3: 0000000001e0a000 CR4: 00000000003406f0
[   65.416049] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   65.416066] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   65.416083] Stack:
[   65.416089]  ffffffff81ef6aa0 00000005c0009403 ffff880035bc8300 ffff8801396165c0
[   65.416110]  ffff88013961af00 0000000000000000 ffffffffc000a000 ffff880035657e18
[   65.416131]  ffffffffc000801d ffff880035657e58 ffffffff8109a555 0000000000000000
[   65.416152] Call Trace:
[   65.416162]  [<ffffffffc000801d>] work_func+0x1d/0x60 [tyton]
[   65.416179]  [<ffffffff8109a555>] process_one_work+0x165/0x480
[   65.416629]  [<ffffffff8109a8bb>] worker_thread+0x4b/0x4c0
[   65.417064]  [<ffffffff8109a870>] ? process_one_work+0x480/0x480
[   65.417499]  [<ffffffff8109a870>] ? process_one_work+0x480/0x480
[   65.417919]  [<ffffffff810a0be8>] kthread+0xd8/0xf0
[   65.418327]  [<ffffffff810a0b10>] ? kthread_create_on_node+0x1e0/0x1e0
[   65.418736]  [<ffffffff8183bd0f>] ret_from_fork+0x3f/0x70
[   65.419137]  [<ffffffff810a0b10>] ? kthread_create_on_node+0x1e0/0x1e0
[   65.419545] Code: 10 e8 e5 4d 18 c1 48 c7 45 c8 20 68 ef 81 c7 45 d4 00 00 00 00 48 8b 45 c8 4c 8d 78 80 83 7d d4 05 41 be 00 00 00 00 4d 0f 45 f7 <4d> 8b 26 4d 39 f4 74 5f 4d 8b 6c 24 10 48 c7 c7 e0 ae e5 81 e8
[   65.420789] RIP  [<ffffffffc0008817>] analyze_netfilter+0x47/0x100 [tyton]
[   65.421195]  RSP <ffff880035657dd0>
[   65.421578] CR2: 0000000000000000
[   65.421940] ---[ end trace 9bd2729f4cf2d893 ]---
[   65.422377] BUG: unable to handle kernel paging request at ffffffffffffffd8
[   65.422747] IP: [<ffffffff810a1290>] kthread_data+0x10/0x20
[   65.423104] PGD 1e0d067 PUD 1e0f067 PMD 0
[   65.423451] Oops: 0000 [#2] SMP
[   65.423803] Modules linked in: tyton(OE) hid_generic usbhid hid psmouse ahci libahci vmwgfx e1000 ttm mptspi drm_kms_helper mptscsih mptbase syscopyarea sysfillrect scsi_transport_spi sysimgblt fb_sys_fops drm pata_acpi fjes
[   65.426720] CPU: 0 PID: 360 Comm: kworker/0:2 Tainted: G      D    OE   4.4.0-75-generic #96-Ubuntu
[   65.427449] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/13/2018
[   65.428220] task: ffff8800345b6900 ti: ffff880035654000 task.ti: ffff880035654000
[   65.428612] RIP: 0010:[<ffffffff810a1290>]  [<ffffffff810a1290>] kthread_data+0x10/0x20
[   65.429013] RSP: 0018:ffff880035657ac8  EFLAGS: 00010002
[   65.429411] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff82108e80
[   65.429819] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8800345b6900
[   65.430233] RBP: ffff880035657ac8 R08: 00000000ffffffff R09: 0000000000000000
[   65.430620] R10: ffff8800345b6960 R11: 0000000000003800 R12: 0000000000000000
[   65.431005] R13: 0000000000016dc0 R14: ffff8800345b6900 R15: ffff880139616dc0
[   65.431390] FS:  0000000000000000(0000) GS:ffff880139600000(0000) knlGS:0000000000000000
[   65.431776] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   65.432160] CR2: 0000000000000028 CR3: 00000000b9ad5000 CR4: 00000000003406f0
[   65.432572] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   65.432980] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   65.433367] Stack:
[   65.433754]  ffff880035657ae0 ffffffff8109b8f1 ffff880139616dc0 ffff880035657b30
[   65.434163]  ffffffff81837430 ffff880035657b48 ffffffff00000000 ffff8800345b6900
[   65.434569]  ffff880035658000 ffff8800345b6fd0 ffff8800356576e0 0000000000000046
[   65.434977] Call Trace:
[   65.435378]  [<ffffffff8109b8f1>] wq_worker_sleeping+0x11/0x90
[   65.435780]  [<ffffffff81837430>] __schedule+0x650/0xa30
[   65.436199]  [<ffffffff81837845>] schedule+0x35/0x80
[   65.436569]  [<ffffffff81084455>] do_exit+0x775/0xb00
[   65.436932]  [<ffffffff81031c41>] oops_end+0xa1/0xd0
[   65.437299]  [<ffffffff8106ad35>] no_context+0x135/0x380
[   65.437646]  [<ffffffff8106b000>] __bad_area_nosemaphore+0x80/0x1f0
[   65.437996]  [<ffffffff8106b183>] bad_area_nosemaphore+0x13/0x20
[   65.438341]  [<ffffffff8106b447>] __do_page_fault+0xb7/0x400
[   65.438681]  [<ffffffff8106b7b2>] do_page_fault+0x22/0x30
[   65.439019]  [<ffffffff8183daf8>] page_fault+0x28/0x30
[   65.439359]  [<ffffffffc0008817>] ? analyze_netfilter+0x47/0x100 [tyton]
[   65.439694]  [<ffffffffc000801d>] work_func+0x1d/0x60 [tyton]
[   65.440019]  [<ffffffff8109a555>] process_one_work+0x165/0x480
[   65.440335]  [<ffffffff8109a8bb>] worker_thread+0x4b/0x4c0
[   65.440643]  [<ffffffff8109a870>] ? process_one_work+0x480/0x480
[   65.440943]  [<ffffffff8109a870>] ? process_one_work+0x480/0x480
[   65.441228]  [<ffffffff810a0be8>] kthread+0xd8/0xf0
[   65.441508]  [<ffffffff810a0b10>] ? kthread_create_on_node+0x1e0/0x1e0
[   65.441780]  [<ffffffff8183bd0f>] ret_from_fork+0x3f/0x70
[   65.442043]  [<ffffffff810a0b10>] ? kthread_create_on_node+0x1e0/0x1e0
[   65.442305] Code: ff ff ff be 46 02 00 00 48 c7 c7 48 b2 cb 81 e8 b7 01 fe ff e9 a6 fe ff ff 66 90 0f 1f 44 00 00 48 8b 87 18 05 00 00 55 48 89 e5 <48> 8b 40 d8 5d c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00
[   65.443209] RIP  [<ffffffff810a1290>] kthread_data+0x10/0x20
[   65.443724]  RSP <ffff880035657ac8>
[   65.444241] CR2: ffffffffffffffd8
[   65.444584] ---[ end trace 9bd2729f4cf2d894 ]---
[   65.444861] Fixing recursive fault but reboot is needed!

[Feature Request] Kernel Module Insertion Alert

There is currently no alert system, but generating an alert every time a new module is inserted into the kernel would be helpful.

This can be done by:

  1. Grabbing a list of currently installed kernel modules on init.
  2. Storing that list of kernel modules in an internal linked list (preferably using the kernel's linked list implementation).
  3. Comparing each run to see whether or not a module has been loaded/unloaded.

You could probably also use a refactored form of the analyze_modules function here to search for hidden modules as well.
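A user-space sketch of the snapshot-and-compare approach from the steps above, added here as an example and not part of tyton: it parses text in the /proc/modules format into a sorted name list and diffs two snapshots to produce the load/unload alerts. The sample snapshots, the module names in them and the function names are constructed for the example; the in-kernel version step 2 asks for would walk the kernel's own module list instead.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MODULES 128
#define NAME_LEN 64

struct snapshot {
    char names[MAX_MODULES][NAME_LEN];  /* sorted by parse_modules() */
    int count;
};

struct module_diff {
    char loaded[MAX_MODULES][NAME_LEN], unloaded[MAX_MODULES][NAME_LEN];
    int nloaded, nunloaded;
};

static int cmp_name(const void *a, const void *b) { return strcmp((const char *)a, (const char *)b); }

/* Parse /proc/modules-style text ("name size refcnt deps state addr", one
 * module per line) into a sorted name list. Only the first field is used, so
 * lsmod output parses too once its "Module ..." header line is skipped. */
int parse_modules(const char *text, struct snapshot *snap)
{
    const char *p = text;
    snap->count = 0;
    while (*p && snap->count < MAX_MODULES) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p), n = 0;
        while (n < len && p[n] != ' ' && p[n] != '\t') n++;
        if (n > 0 && n < NAME_LEN && strncmp(p, "Module ", 7) != 0) {
            memcpy(snap->names[snap->count], p, n);
            snap->names[snap->count][n] = '\0';
            snap->count++;
        }
        if (!eol) break;
        p = eol + 1;
    }
    qsort(snap->names, snap->count, NAME_LEN, cmp_name);
    return snap->count;
}

static int contains(const struct snapshot *s, const char *name)
{
    return bsearch(name, s->names, s->count, NAME_LEN, cmp_name) != NULL;
}

/* Step 3: names in 'now' but not in 'base' were loaded since the baseline,
 * names in 'base' but not in 'now' were unloaded. Returns the number of
 * changes, i.e. how many alerts this run would raise. */
int diff_modules(const struct snapshot *base, const struct snapshot *now,
                 struct module_diff *d)
{
    int i;
    d->nloaded = d->nunloaded = 0;
    for (i = 0; i < now->count; i++)
        if (!contains(base, now->names[i]))
            strcpy(d->loaded[d->nloaded++], now->names[i]);
    for (i = 0; i < base->count; i++)
        if (!contains(now, base->names[i]))
            strcpy(d->unloaded[d->nunloaded++], base->names[i]);
    return d->nloaded + d->nunloaded;
}

/* Constructed sample snapshots (not captured from a real host): in the
 * second one tyton has been inserted and libahci has gone away. */
static const char BASELINE[] =
    "e1000 151552 0 - Live 0xffffffffc0100000\n"
    "ahci 40960 2 - Live 0xffffffffc00c0000\n"
    "libahci 32768 1 ahci, Live 0xffffffffc00b0000\n";
static const char CURRENT_MODULES[] =
    "tyton 16384 0 - Live 0xffffffffc0200000 (OE)\n"
    "e1000 151552 0 - Live 0xffffffffc0100000\n"
    "ahci 40960 2 - Live 0xffffffffc00c0000\n";

static struct snapshot demo_base, demo_now;
static struct module_diff demo_result;

/* Steps 1-3 on the samples; the per-module detail stays in demo_result. */
int run_demo(void)
{
    parse_modules(BASELINE, &demo_base);
    parse_modules(CURRENT_MODULES, &demo_now);
    return diff_modules(&demo_base, &demo_now, &demo_result);
}

int main(void)
{
    int i, changes = run_demo();
    for (i = 0; i < demo_result.nloaded; i++)
        printf("ALERT: module loaded since baseline: %s\n", demo_result.loaded[i]);
    for (i = 0; i < demo_result.nunloaded; i++)
        printf("ALERT: module unloaded since baseline: %s\n", demo_result.unloaded[i]);
    return changes ? 1 : 0;
}
```

Diffing the kernel's own list cannot see a module that has unlinked itself from it, which is why the request also suggests reusing analyze_modules alongside this comparison.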

[Feature Request] Userland Notifications

Currently, warnings/alerts/etc. will only be displayed to the user if they view the journalctl log after one has been generated. This is inconvenient as users will not commonly analyze this log for new behavior, nor will it be maintained across boot sessions.

If you could find a way to create userland notifications so that, in the event of an alert or warning the user would be notified of such and could take appropriate action, that would be great.

A possible, and suggested, avenue for tackling this would be to write a journalctl message that is acted upon by a journald-remote that ultimately talks to libnotify. Journald-remote is a client that reads messages from journalctl.

You can find more information on the above approach at the following links:
https://www.freedesktop.org/software/systemd/man/systemd-journal-remote.service.html
https://serverfault.com/questions/758244/how-to-configure-systemd-journal-remote

Arch linux AUR package error

==> Запускается build()...
make -C /lib/modules/5.15.2-zen1-1-zen/build M=/home/admin/Buildroot0/PAMAC/tyton-dkms-git/src/tyton modules
make[1]: предупреждение: сервер заданий недоступен: используется -j1. Добавьте «+» к правилу в родительском make.
make[1]: вход в каталог «/usr/lib/modules/5.15.2-zen1-1-zen/build»
  CC [M]  /home/admin/Buildroot0/PAMAC/tyton-dkms-git/src/tyton/src/core.o
  CC [M]  /home/admin/Buildroot0/PAMAC/tyton-dkms-git/src/tyton/src/util.o
  CC [M]  /home/admin/Buildroot0/PAMAC/tyton-dkms-git/src/tyton/src/proc.o
/home/admin/Buildroot0/PAMAC/tyton-dkms-git/src/tyton/src/proc.c: В функции «analyze_fops»:
/home/admin/Buildroot0/PAMAC/tyton-dkms-git/src/tyton/src/proc.c:116:29: ошибка: «module_mutex» не описан (первое использование в этой функции); имелось в виду «module_put»?
  116 |                 mutex_lock(&module_mutex);
      |                             ^~~~~~~~~~~~
      |                             module_put
/home/admin/Buildroot0/PAMAC/tyton-dkms-git/src/tyton/src/proc.c:116:29: замечание: сообщение о каждом неописанном идентификаторе выдается один раз в каждой функции, где он встречается
make[2]: *** [scripts/Makefile.build:277: /home/admin/Buildroot0/PAMAC/tyton-dkms-git/src/tyton/src/proc.o] Ошибка 1
make[1]: *** [Makefile:1863: /home/admin/Buildroot0/PAMAC/tyton-dkms-git/src/tyton] Ошибка 2
make[1]: выход из каталога «/usr/lib/modules/5.15.2-zen1-1-zen/build»
make: *** [Makefile:19: module] Ошибка 2
==> ОШИБКА: Произошел сбой в build().
    Прерывание...
    

I have this error. I use kernel 5.15.2-zen1-1-zen.

Unable to resume after suspending

Hi, I have started to experience this issue after installing the tyton module (the latest snapshot).

My laptop goes into suspend mode just fine; however, it boots fresh later when I power it on.

Here is the pm-suspend.log file:

Mon Jan 21 23:11:27 +08 2019: performing suspend
Tue Jan 22 08:48:41 +08 2019: Awake.
Tue Jan 22 08:48:41 +08 2019: Running hooks for resume
Running hook /usr/lib64/pm-utils/sleep.d/99video resume suspend:
/usr/lib64/pm-utils/sleep.d/99video resume suspend: success.

Running hook /usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler resume suspend:
/usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler resume suspend: success.

Running hook /usr/lib64/pm-utils/sleep.d/95led resume suspend:
/usr/lib64/pm-utils/sleep.d/95led resume suspend: success.

Running hook /usr/lib64/pm-utils/sleep.d/94cpufreq resume suspend:
/usr/lib64/pm-utils/sleep.d/94cpufreq resume suspend: success.

Running hook /usr/lib64/pm-utils/sleep.d/90clock resume suspend:
/usr/lib64/pm-utils/sleep.d/90clock resume suspend: disabled.

Running hook /usr/lib64/pm-utils/sleep.d/75modules resume suspend:
Reloaded unloaded modules.
/usr/lib64/pm-utils/sleep.d/75modules resume suspend: success.

Running hook /usr/lib64/pm-utils/sleep.d/50unload_alx resume suspend:
/usr/lib64/pm-utils/sleep.d/50unload_alx resume suspend: success.

Running hook /usr/lib64/pm-utils/sleep.d/01grub resume suspend:
/usr/lib64/pm-utils/sleep.d/01grub resume suspend: disabled.

Running hook /usr/lib64/pm-utils/sleep.d/00powersave resume suspend:
Blacklisting 01grub.
Blacklisting 90clock.
/usr/lib64/pm-utils/sleep.d/00powersave resume suspend: success.

Running hook /usr/lib64/pm-utils/sleep.d/00logging resume suspend:
/usr/lib64/pm-utils/sleep.d/00logging resume suspend: success.

Tue Jan 22 08:48:41 +08 2019: Finished.
Initial commandline parameters: 
Blacklisting 01grub.
Blacklisting 90clock.
Tue Jan 22 08:48:43 +08 2019: Running hooks for suspend.
Running hook /usr/lib64/pm-utils/sleep.d/00logging suspend suspend:
Linux pt 4.20.2-pentoo #3 SMP PREEMPT Sun Jan 20 16:44:51 +08 2019 x86_64 Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz GenuineIntel GNU/Linux
Module                  Size  Used by
tyton                  16384  0
ctr                    16384  0
ccm                    20480  0
ipv6                  430080  76
usbhid                 40960  0
uvcvideo              102400  0
videobuf2_vmalloc      16384  1 uvcvideo
videobuf2_memops       16384  1 videobuf2_vmalloc
videobuf2_v4l2         24576  1 uvcvideo
videodev              180224  2 videobuf2_v4l2,uvcvideo
videobuf2_common       45056  2 videobuf2_v4l2,uvcvideo
vboxpci                28672  0
vboxnetadp             28672  0
iwldvm                188416  0
vboxnetflt             32768  0
mac80211              684032  1 iwldvm
x86_pkg_temp_thermal    16384  0
kvm_intel             192512  0
vboxdrv               430080  3 vboxpci,vboxnetadp,vboxnetflt
iwlwifi               245760  1 iwldvm
kvm                   634880  1 kvm_intel
sdhci_pci              40960  0
irqbypass              16384  1 kvm
cqhci                  28672  1 sdhci_pci
efivars                20480  0
serio_raw              16384  0
sdhci                  49152  1 sdhci_pci
i2c_i801               28672  0
mmc_core              143360  3 sdhci,cqhci,sdhci_pci
cfg80211              663552  3 iwldvm,iwlwifi,mac80211
xhci_pci               16384  0
e1000e                249856  0
ehci_pci               16384  0
ehci_hcd               86016  1 ehci_pci
xhci_hcd              225280  1 xhci_pci
thinkpad_acpi          81920  0
rfkill                 24576  3 thinkpad_acpi,cfg80211
pcc_cpufreq            16384  0
efivarfs               16384  1
              total        used        free      shared  buff/cache   available
Mem:        7970748     1463528     4726832      554416     1780388     5853408
Swap:       4194300         372     4193928
/usr/lib64/pm-utils/sleep.d/00logging suspend suspend: success.

Running hook /usr/lib64/pm-utils/sleep.d/00powersave suspend suspend:
Blacklisting 01grub.
Blacklisting 90clock.
/usr/lib64/pm-utils/sleep.d/00powersave suspend suspend: success.

Running hook /usr/lib64/pm-utils/sleep.d/01grub suspend suspend:
/usr/lib64/pm-utils/sleep.d/01grub suspend suspend: disabled.

Running hook /usr/lib64/pm-utils/sleep.d/50unload_alx suspend suspend:
/usr/lib64/pm-utils/sleep.d/50unload_alx suspend suspend: success.

Running hook /usr/lib64/pm-utils/sleep.d/75modules suspend suspend:
/usr/lib64/pm-utils/sleep.d/75modules suspend suspend: success.

Running hook /usr/lib64/pm-utils/sleep.d/90clock suspend suspend:
/usr/lib64/pm-utils/sleep.d/90clock suspend suspend: disabled.

Running hook /usr/lib64/pm-utils/sleep.d/94cpufreq suspend suspend:
/usr/lib64/pm-utils/sleep.d/94cpufreq suspend suspend: success.

Running hook /usr/lib64/pm-utils/sleep.d/95led suspend suspend:
/usr/lib64/pm-utils/sleep.d/95led suspend suspend: success.

Running hook /usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler suspend suspend:
/usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler: line 101: /sys/class/dmi/id/bios_version: No such file or directory
/usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler: line 101: /sys/class/dmi/id/bios_vendor: No such file or directory
/usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler: line 101: /sys/class/dmi/id/bios_date: No such file or directory
/usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler: line 101: /sys/class/dmi/id/sys_vendor: No such file or directory
/usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler: line 101: /sys/class/dmi/id/product_name: No such file or directory
/usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler: line 101: /sys/class/dmi/id/product_version: No such file or directory
/usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler: line 101: /sys/class/dmi/id/board_name: No such file or directory
/usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler: line 101: /sys/class/dmi/id/board_version: No such file or directory
/usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler: line 101: /sys/class/dmi/id/board_vendor: No such file or directory
Kernel modesetting video driver detected, not using quirks.
/usr/lib64/pm-utils/sleep.d/98video-quirk-db-handler suspend suspend: success.

Running hook /usr/lib64/pm-utils/sleep.d/99video suspend suspend:
kernel.acpi_video_flags = 0
/usr/lib64/pm-utils/sleep.d/99video suspend suspend: success.

Tue Jan 22 08:48:44 +08 2019: performing suspend

Any ideas what's wrong?

ERROR: modpost: "kallsyms_lookup_name" [/home/joaomanoel/git/tyton/tyton.ko] undefined!

make -C /lib/modules/5.7.2-arch1-1/build M=/home/joaomanoel/git/tyton modules
make[1]: Entrando no diretório '/usr/lib/modules/5.7.2-arch1-1/build'

CC [M] /home/joaomanoel/git/tyton/src/core.o
CC [M] /home/joaomanoel/git/tyton/src/util.o
CC [M] /home/joaomanoel/git/tyton/src/proc.o
CC [M] /home/joaomanoel/git/tyton/src/module_list.o
CC [M] /home/joaomanoel/git/tyton/src/syscall_hooks.o
CC [M] /home/joaomanoel/git/tyton/src/network_hooks.o
CC [M] /home/joaomanoel/git/tyton/src/netfilter_hooks.o
CC [M] /home/joaomanoel/git/tyton/src/interrupt_hooks.o
LD [M] /home/joaomanoel/git/tyton/tyton.o
MODPOST 1 modules
ERROR: modpost: "kallsyms_lookup_name" [/home/joaomanoel/git/tyton/tyton.ko] undefined!
make[2]: *** [scripts/Makefile.modpost:94: __modpost] Erro 1
make[1]: *** [Makefile:1642: modules] Erro 2
make[1]: Saindo do diretório '/usr/lib/modules/5.7.2-arch1-1/build'

make: *** [Makefile:19: module] Erro 2

HELP ME!!!

PS: I use updated BlackArch Linux.

[Feature Request] Detect Syscall Hooking by KHOOK

Currently we can't detect if KHOOK has been used to hook kernel functions. This is because it doesn't mess with the pointer, but the function itself by inserting assembly to get it to jump into a custom hook in the LKM.

This should be detectable (at least in a non-extensible way) by comparing the assembly to see if any suspicious jumps are performed immediately in the function.
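To make the prologue heuristic concrete, here is an added user-space example (not tyton's code and not KHOOK's) that classifies the first bytes of an x86-64 function as one of three unconditional-jump patterns an inline hook typically installs, resolves the jump target, and flags the case where control leaves the kernel's own text. The function address, text range and byte strings are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum hook_kind {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,    /* E9 rel32 */
    HOOK_JMP_RIP_MEM,  /* FF 25 disp32: jmp [rip+disp32] */
    HOOK_MOV_RAX_JMP   /* 48 B8 imm64 FF E0: mov rax, imm64; jmp rax */
};

struct hook_result {
    enum hook_kind kind;
    uint64_t target;   /* jump target; for FF 25 the address of the pointer slot */
};

static int32_t read_s32(const uint8_t *p) { int32_t v; memcpy(&v, p, 4); return v; }
static uint64_t read_u64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }

/* Classify the first 'len' bytes of a function whose entry is at 'addr'.
 * The ftrace call at function entry (E8 rel32) is deliberately not treated
 * as a hook; only unconditional jumps are. Little-endian host assumed. */
struct hook_result check_prologue(uint64_t addr, const uint8_t *code, size_t len)
{
    struct hook_result r = { HOOK_NONE, 0 };

    if (len >= 5 && code[0] == 0xE9) {
        r.kind = HOOK_JMP_REL32;
        r.target = addr + 5 + (int64_t)read_s32(code + 1);
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        r.kind = HOOK_JMP_RIP_MEM;
        r.target = addr + 6 + (int64_t)read_s32(code + 2);
    } else if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
               code[10] == 0xFF && code[11] == 0xE0) {
        r.kind = HOOK_MOV_RAX_JMP;
        r.target = read_u64(code + 2);
    }
    return r;
}

/* A jump whose target lies outside the kernel's own text is the case the
 * request describes (control diverted into a handler in an LKM). An indirect
 * jump cannot be resolved without reading the slot, so it is reported too; a
 * direct jump that stays inside text is left alone to limit false positives. */
int is_suspicious(struct hook_result r, uint64_t text_start, uint64_t text_end)
{
    if (r.kind == HOOK_NONE)
        return 0;
    if (r.kind == HOOK_JMP_RIP_MEM)
        return 1;
    return !(r.target >= text_start && r.target < text_end);
}

/* Constructed sample layout: kernel text at [TEXT_START, TEXT_END), function at FN_ADDR. */
#define TEXT_START 0xffffffff81000000ULL
#define TEXT_END   0xffffffff82000000ULL
#define FN_ADDR    0xffffffff81000000ULL

static const uint8_t CLEAN_PROLOGUE[]  = { 0x55, 0x48, 0x89, 0xE5, 0x41, 0x57 };       /* push rbp; mov rbp,rsp; push r15 */
static const uint8_t JMP_INSIDE_TEXT[] = { 0xE9, 0x0B, 0x00, 0x00, 0x00, 0x90, 0x90 }; /* jmp FN_ADDR+16 */
static const uint8_t JMP_REL32_HOOK[]  = { 0xE9, 0xFB, 0xFF, 0x0F, 0x3F, 0x90, 0x90 }; /* jmp 0xffffffffc0100000 */
static const uint8_t MOV_JMP_HOOK[]    = { 0x48, 0xB8, 0x00, 0x00, 0x20, 0xC0, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xE0 };

int main(void)
{
    const struct { const char *name; const uint8_t *code; size_t len; } samples[] = {
        { "clean", CLEAN_PROLOGUE, sizeof CLEAN_PROLOGUE },
        { "jmp inside text", JMP_INSIDE_TEXT, sizeof JMP_INSIDE_TEXT },
        { "jmp rel32 hook", JMP_REL32_HOOK, sizeof JMP_REL32_HOOK },
        { "mov rax/jmp rax hook", MOV_JMP_HOOK, sizeof MOV_JMP_HOOK },
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct hook_result r = check_prologue(FN_ADDR, samples[i].code, samples[i].len);
        printf("%-22s kind=%d target=0x%llx suspicious=%d\n", samples[i].name, (int)r.kind,
               (unsigned long long)r.target, is_suspicious(r, TEXT_START, TEXT_END));
    }
    return 0;
}
```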

Running tyton freezes my system

I tried to launch tyton in my VirtualBox system: Linux debian 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3 (2019-02-02) x86_64 GNU/Linux

I installed dependencies and compiled all.

When I ran insmod tyton.ko my system froze and became unusable.

Build fails

Hi, the build fails with the Clear Linux kernel.

$ make        
make -C /lib/modules/5.3.7-3-clear/build M=/home/danhyal/tyton modules
make[1]: Entering directory '/usr/lib/modules/5.3.7-3-clear/build'
  CC [M]  /home/danhyal/tyton/src/core.o
  CC [M]  /home/danhyal/tyton/src/util.o
  CC [M]  /home/danhyal/tyton/src/proc.o
  CC [M]  /home/danhyal/tyton/src/module_list.o
  CC [M]  /home/danhyal/tyton/src/syscall_hooks.o
  CC [M]  /home/danhyal/tyton/src/network_hooks.o
  CC [M]  /home/danhyal/tyton/src/netfilter_hooks.o
/home/danhyal/tyton/src/netfilter_hooks.c: In function ‘nf_hook_entry_head’:
/home/danhyal/tyton/src/netfilter_hooks.c:125:15: error: ‘struct net_device’ has no member named ‘nf_hooks_ingress’
  125 |    return &dev->nf_hooks_ingress;
      |               ^~
make[2]: *** [scripts/Makefile.build:281: /home/danhyal/tyton/src/netfilter_hooks.o] Error 1
make[1]: *** [Makefile:1626: _module_/home/danhyal/tyton] Error 2
make[1]: Leaving directory '/usr/lib/modules/5.3.7-3-clear/build'
make: *** [Makefile:19: module] Error 2

[Feature Request] non-systemd linux support

Hi, nice idea, I really like it.

I'm trying to test the tool on my Gentoo (Pentoo) Linux where I chose not to use systemd. It currently uses udev with openrc.

Is it possible to use any other available mechanisms and get notifications working?

Thanks

unable to compile with kernel 5.11.x

Hi, I'm using the latest git (20200604) and getting the following error:

make -j12 HOSTCC=x86_64-pc-linux-gnu-gcc CROSS_COMPILE=x86_64-pc-linux-gnu- 'LDFLAGS=-m elf_x86_64' clean module 
make -C /lib/modules/5.11.10-pentoo/build M=/var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e clean
make -C ./notify clean
make -C /lib/modules/5.11.10-pentoo/build M=/var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e modules
make[1]: warning: jobserver unavailable: using -j1.  Add '+' to parent make rule.
make[1]: warning: jobserver unavailable: using -j1.  Add '+' to parent make rule.
make[1]: Entering directory '/var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/notify'
make[1]: warning: jobserver unavailable: using -j1.  Add '+' to parent make rule.
make[1]: Entering directory '/usr/src/linux-5.11.10-pentoo'
make[1]: Entering directory '/usr/src/linux-5.11.10-pentoo'
Package libsystemd was not found in the pkg-config search path.
Perhaps you should add the directory containing `libsystemd.pc'
to the PKG_CONFIG_PATH environment variable
Package 'libsystemd', required by 'virtual:world', not found
Package libsystemd-journal was not found in the pkg-config search path.
Perhaps you should add the directory containing `libsystemd-journal.pc'
to the PKG_CONFIG_PATH environment variable
Package 'libsystemd-journal', required by 'virtual:world', not found
rm -f tyton-notify
make[1]: Leaving directory '/var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/notify'
  CLEAN   /var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/Module.symvers
make[1]: Leaving directory '/usr/src/linux-5.11.10-pentoo'
  CC [M]  /var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/core.o
  CC [M]  /var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/util.o
  CC [M]  /var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/proc.o
  CC [M]  /var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/module_list.o
  CC [M]  /var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/syscall_hooks.o
  CC [M]  /var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/network_hooks.o
  CC [M]  /var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/netfilter_hooks.o
In file included from ./include/linux/rbtree.h:22,
                 from ./include/linux/mm_types.h:10,
                 from ./include/linux/mmzone.h:21,
                 from ./include/linux/gfp.h:6,
                 from ./include/linux/mm.h:10,
                 from ./include/linux/bvec.h:14,
                 from ./include/linux/skbuff.h:17,
                 from ./include/linux/netfilter.h:6,
                 from /var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/netfilter_hooks.c:1:
/var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/netfilter_hooks.c: In function ‘analyze_netfilter’:
/var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/netfilter_hooks.c:10:48: error: ‘nf_hook_mutex’ undeclared (first use in this function); did you mean ‘nf_hook_entry’?
   10 |  rcu_dereference_protected(e, lockdep_is_held(&nf_hook_mutex))
      |                                                ^~~~~~~~~~~~~
./include/linux/rcupdate.h:339:52: note: in definition of macro ‘RCU_LOCKDEP_WARN’
  339 | #define RCU_LOCKDEP_WARN(c, s) do { } while (0 && (c))
      |                                                    ^
./include/linux/rcupdate.h:556:2: note: in expansion of macro ‘__rcu_dereference_protected’
  556 |  __rcu_dereference_protected((p), (c), __rcu)
      |  ^~~~~~~~~~~~~~~~~~~~~~~~~~~
/var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/netfilter_hooks.c:10:2: note: in expansion of macro ‘rcu_dereference_protected’
   10 |  rcu_dereference_protected(e, lockdep_is_held(&nf_hook_mutex))
      |  ^~~~~~~~~~~~~~~~~~~~~~~~~
/var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/netfilter_hooks.c:203:8: note: in expansion of macro ‘nf_entry_dereference’
  203 |    p = nf_entry_dereference(*pp);
      |        ^~~~~~~~~~~~~~~~~~~~
/var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/netfilter_hooks.c:10:48: note: each undeclared identifier is reported only once for each function it appears in
   10 |  rcu_dereference_protected(e, lockdep_is_held(&nf_hook_mutex))
      |                                                ^~~~~~~~~~~~~
./include/linux/rcupdate.h:339:52: note: in definition of macro ‘RCU_LOCKDEP_WARN’
  339 | #define RCU_LOCKDEP_WARN(c, s) do { } while (0 && (c))
      |                                                    ^
./include/linux/rcupdate.h:556:2: note: in expansion of macro ‘__rcu_dereference_protected’
  556 |  __rcu_dereference_protected((p), (c), __rcu)
      |  ^~~~~~~~~~~~~~~~~~~~~~~~~~~
/var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/netfilter_hooks.c:10:2: note: in expansion of macro ‘rcu_dereference_protected’
   10 |  rcu_dereference_protected(e, lockdep_is_held(&nf_hook_mutex))
      |  ^~~~~~~~~~~~~~~~~~~~~~~~~
/var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/netfilter_hooks.c:203:8: note: in expansion of macro ‘nf_entry_dereference’
  203 |    p = nf_entry_dereference(*pp);
      |        ^~~~~~~~~~~~~~~~~~~~
make[2]: *** [scripts/Makefile.build:279: /var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e/src/netfilter_hooks.o] Error 1
make[1]: *** [Makefile:1808: /var/tmp/portage/app-antivirus/tyton-1.2_p20200604/work/tyton-5c19411e181111774c7e2aca2b5c3d6fa6b8fe2e] Error 2
make[1]: Leaving directory '/usr/src/linux-5.11.10-pentoo'
make: *** [Makefile:19: module] Error 2

[Feature Request] Module whitelist for netfilter hook

It would be useful to whitelist the netfilter and iptables modules from the netfilter hook alerts, in order to remove false positives. On Ubuntu 18.04 I have: nf_conntrack_ipv4, iptable_nat, iptable_mangle, iptable_filter, nf_defrag_ipv4 and br_netfilter.

Thanks!
