# LOKI3

This code was stolen from Phrack magazine. It is a 20+ year old backdoor
for Linux, BSD, Solaris, ... which works over icmp.

http://www.phrack.org/issues/49/6.html
http://www.phrack.org/issues/51/6.html

This code no longer compiled as of ~2016 I made it compile on modern
systems with musl-gcc, so it will "just work".

## Building

### Install musl-gcc

I use musl because the objects reusulting from static linking using
gcc or clang do not work on older kernels.

Installing is easy on Ubuntu 20.04:
```
apt install musl-tools
```

Cross compilers can be found here: https://musl.cc/

### Building
`make` will list the available targets.

#### Linux
`make linux`

## Persistence

If compiled with PERSISTENCE defined, lokid will install a SysV init
script when SIGTERM is recieved. This signal is typically sent when
the system is rebooted or the process is killed with `kill` or
`killall` without specifying which signal to send (ex: kill -9 or kill
-HUP send the SIGKILL and SIGHUP signals, respectively).

When lokid is ran, it removes this persistence to avoid detection.

## Process Masquerading

This process masquerades itself as a kernel thread. See prochide.c for
more details.