Tyton – Kernel-Mode Rootkit Hunter


Loadable kernel modules, LKMs for short, are an integral companion to the Linux kernel. Typically, LKMs are used to add support for new hardware (as device drivers) or file systems, or to add additional system calls. Without LKMs, an operating system would have to ship every piece of functionality it might ever need built in. This is borderline impossible when developing a platform that has to run on everything from a smartphone to a server. LKMs extend the kernel, and by extension the user of the computer, with additional functionality, and can be loaded when they are needed and unloaded when they are not.

Attacks Detected by Tyton:

  • Hidden Modules
  • Syscall Table Hooking
  • Network Protocol Hooking
  • Netfilter Hooking
  • Zeroed Process Inodes
  • Process Fops Hooking
  • Interrupt Descriptor Table Hooking
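The first item in that list, hidden modules, is the classic cross-view check: a module that has unlinked itself from the kernel's module list disappears from /proc/modules (what lsmod prints) but often still has a directory under /sys/module. The following is an added user-space example of that comparison; it is not Tyton's own code (Tyton works in kernel mode), and the /proc/modules text and the /sys/module entry set are constructed samples, with "suspect_mod" as a made-up name for the hidden module.

```python
import os

# Constructed sample of /proc/modules. Each line is:
# name size refcount dependents state load_address
SAMPLE_PROC_MODULES = """\
xt_conntrack 16384 1 - Live 0x0000000000000000
nf_conntrack 163840 1 xt_conntrack, Live 0x0000000000000000
tyton 24576 0 - Live 0x0000000000000000
"""

# Constructed sample of /sys/module entries that have an 'initstate' file.
# "suspect_mod" stands in for a module that was unlinked from the module
# list (so it is absent from /proc/modules) but left its sysfs entry behind.
SAMPLE_SYS_MODULES = {"xt_conntrack", "nf_conntrack", "tyton", "suspect_mod"}


def parse_proc_modules(text):
    """Return the set of module names from /proc/modules-formatted text."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def sysfs_loaded_modules(sys_module_dir="/sys/module"):
    """Names under /sys/module that carry an 'initstate' file.

    Only modules loaded as LKMs have initstate; built-in code that also
    appears under /sys/module (to expose parameters) does not, so it is
    excluded to avoid false positives.
    """
    try:
        entries = os.listdir(sys_module_dir)
    except OSError:
        return set()
    return {e for e in entries
            if os.path.isfile(os.path.join(sys_module_dir, e, "initstate"))}


def find_hidden_modules(proc_names, sysfs_names):
    """Modules visible in sysfs but missing from /proc/modules."""
    return sysfs_names - proc_names


if __name__ == "__main__":
    sample = parse_proc_modules(SAMPLE_PROC_MODULES)
    print("sample mismatch:", find_hidden_modules(sample, SAMPLE_SYS_MODULES))
    with open("/proc/modules") as f:  # live host check (Linux only)
        live = parse_proc_modules(f.read())
    print("live mismatch:", find_hidden_modules(live, sysfs_loaded_modules()))
```

A module that also removes its sysfs entry evades this user-space comparison, which is why a kernel-mode hunter such as Tyton is needed for a stronger check.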

Dependencies:

  • Linux Kernel 4.4.0-31 or greater
  • Corresponding Linux Kernel Headers
  • GCC
  • Make
  • Libnotify
  • Libsystemd
  • Package Config
  • GTK3
