Nekit is a FreeBSD 5.X rootkit. It has been developped and tested on 5.4 and should work on 6.X with some hacks.
Nekit *should* be stable, except if you try to unload it via make unload. It causes the kernel to trap fault. I haven't yet found out why but it's a very minor bug since it has to be unloaded via ./necall -u.
- Pids hiding. fork()ed pids inherit invisibility.
- Files/directories hiding. The flag is set on inode's permanent data so the file will be hidden even after a reboot and/or a rootkit reload.
- Connections hiding. accept()ed connections from hidden listening connections inherit invisibility.
- Special flag (P_LEET) making a process able to see hidden stuff and unload the rootkit.
- User interface with the rootkit is done via an added syscall (there are no magic values for syscall like setuid() to make you root etc).
- The rootkit can give root privileges to a process asking it via the interfacing syscall.
- The KLD is removed from kldstat list and returns EBUSY if a non-leet process try to unload it.
Edit : Well, according to some crash reports, nekit is unstable. When you send a bug report, please tell me exactly what you were doing and what you had done (necall usage, etc.).
Download nekit v0.01 : http://target0.be/dev/code/nekit-0.01.tar.gz
Browse source tree : http://target0.be/dev/code/nekit
Any comment/bug report/suggestion : target0-at-geeknode-dot-org