计算机安全超级工具（十）－Rootkit

Hacker Defender
http://www.rootkit.com/board_project_fused.php?did=proj5
short description This is the Hacker Defender rootkit for Windows.

long description: Hacker Defender was a very common rootkit in the wild. It sports a user friendly inifile that controls its behaviour. It is 98% userland rootkit and some source-code is available. There are also commercial versions of Hacker Defender that brings new functionality together with protection against antivirus products and rootkit detectors.

Linux Rootkit: Adore-ng

Linux Rootkit检测器——kstat
http://docs.sun.com/app/docs/doc/816-5166/kstat-1m?a=view
The kstat
utility examines the available kernel statistics, or kstats,
on the system and reports those statistics which match the criteria specified
on the command line. Each matching statistic is printed with its module, instance,
and name fields, as well as its actual value.

Kernel statistics may be published by various kernel subsystems, such
as drivers or loadable modules; each kstat has a module field that denotes
its publisher. Since each module might have countable entities (such as multiple
disks associated with the sd(7D)
driver) for which it wishes to report statistics, the kstat also has an instance
field to index the statistics for each entity; kstat instances are numbered
starting from zero. Finally, the kstat is given a name unique within its module.

Each kstat may be a special kstat type, an array of name-value pairs,
or raw data. In the name-value case, each reported value is given a label,
which we refer to as the statistic. Known raw and special kstats are given
statistic labels for each of their values by kstat
; thus,
all published values can be referenced as module
:instance
:name
:statistic
.

When invoked without any module operands or options, kstat will match
all defined statistics on the system. Example invocations are provided below.
All times are displayed as fractional seconds since system boot.