Downloads
Category: Rootkits
Files:
FUTo Version:1.0

FUTo is the successor of FU. Its accompanying research paper can be found at www.uninformed.org. FUTo currently hides from Blacklight and IceSword as of the initial release.

Created: 2010-07-19 12:46:57 | Size: 472.42 KB | Downloads: 253
Basic Rootkit Version:0.7

Hides files, directories, and processes.

Created: 2010-07-19 12:46:57 | Size: 5.4 KB | Downloads: 284
WinLogon Hijack Version:0.3

Winlogonhijack injects a DLL into winlogon.exe and hooks msgina.WlxLoggedOutSAS, logging every login in plaintext.

Created: 2010-07-19 12:46:57 | Size: 103.18 KB | Downloads: 262
NT Rootkit Version:0.4.4

The original and first public - has not been updated for many years but is good for ideas.

Created: 2010-07-19 12:46:57 | Size: 252.44 KB | Downloads: 239
NtIllusion Version:1.0

A portable Win32 userland rootkit. NtIllusion is a userland rootkit for Windows 2000/XP systems. It uses DLL injection and API entry point rewriting to achieve stealth. This is more a proof of concept than a true hax0r tool.

Created: 2010-07-19 12:46:57 | Size: 336.83 KB | Downloads: 243
BootRoot Version:0.9

BootRoot is a project presented at Black Hat USA 2005 by researchers Derek Soeder and Ryan Permeh, as an exploration of technology that custom boot sector code can use to subvert the Windows kernel as it loads.

Created: 2010-07-19 12:46:57 | Size: 79.37 KB | Downloads: 244
SInAR Version:0.1

A cross-architecture Solaris rootkit whose development aims both to increase understanding of the Solaris OS and to show that it's not just the external threats that a Solaris admin should worry about.

Created: 2010-07-19 12:46:57 | Size: 5.51 KB | Downloads: 220
HE4HOOK Version:215b6

This is the Russian rootkit, HE4HOOK. This code is very complete.

Created: 2010-07-19 12:46:57 | Size: 241.61 KB | Downloads: 265
IceSword Version:1.22

IceSword has a Windows Explorer-like interface but displays hidden processes and resources that Windows Explorer would never show. It isn't a "click-here-to-delete-rootkits" product but a sophisticated discovery tool that can protect against sinister rootkits if used before they infect a machine.

Created: 2010-07-19 12:46:57 | Size: 2.1 MB | Downloads: 265
Bootkit basic Version:1.0

Bootkit basic rootkit.

Created: 2010-07-19 12:46:57 | Size: 70.76 KB | Downloads: 237
hidethread Version:1.0.0

This is proof-of-concept code with a reusable function for injecting arbitrary functions into a process and then executing them within the context of that process. This is useful for lots of things, none more obvious than hiding process execution. The code is, however, specific to NT, as it uses functions such as VirtualAllocEx and CreateRemoteThread.

Created: 2010-07-19 12:46:57 | Size: 2.93 KB | Downloads: 223
Logoner Version:0.0.2

Logoner is the first AC application. It hooks the winlogon.exe process and captures the user/domain/password combination to the log file winlogon.log in the system directory.

Created: 2010-07-19 12:46:57 | Size: 1.75 KB | Downloads: 239
Vanquish Version:0.2.0

Vanquish is a DLL injection based Romanian rootkit that hides files, folders, registry entries and logs passwords.

Created: 2010-07-19 12:46:57 | Size: 42.79 KB | Downloads: 237
FU Version:1.0

The FU rootkit can hide processes, elevate process privileges, fake out the Windows Event Viewer so that forensics is impossible, and even hide device drivers (NEW!). All this without any hooking.

Created: 2010-07-19 12:46:57 | Size: 2.54 MB | Downloads: 232
WinEggDrop Shell Eternity Version

A telnetd backdoor (only works on NT systems).

Created: 2010-07-19 12:46:57 | Size: 293.26 KB | Downloads: 235
AFX Rootkit 2005

This program patches Windows API to hide certain objects from being listed. FOR WINDOWS NT/2000/XP/2003 ONLY!

Created: 2010-07-19 12:46:57 | Size: 263.96 KB | Downloads: 236
Hacker Defender Version:1.0.0

This is the Hacker Defender rootkit for Windows. This is more of a 'blackhat' tool than a training example. It is the most popular and widespread rootkit today.

Created: 2010-07-19 12:46:57 | Size: 137.35 KB | Downloads: 276
Morphine Version:2.7

Morphine is a unique application for PE file encryption. Unlike other PE encryptors and compressors, Morphine includes its own PE loader, which enables it to put the whole source image into the .text section of the new PE file. This is very powerful because you can compress the source file with your favourite compressor, such as UPX, and then encrypt its output with Morphine. Another powerful feature is the polymorphic engine, which always creates an absolutely different decryptor for the new PE file. This means if your favourite trojan horse is detected by an antivirus you can encrypt it with Morphine. You will not get the virus alert again.

Created: 2010-07-19 12:46:57 | Size: 55.78 KB | Downloads: 253