Computer Security Super Tools (10) - Rootkit

Hacker Defender

http://www.rootkit.com/board_project_fused.php?did=proj5

Short description: This is the Hacker Defender rootkit for Windows.


Long description: Hacker Defender was a very common rootkit in the wild. It sports a user-friendly ini file that controls its behaviour. It is a 98% userland rootkit, and some source code is available. There are also commercial versions of Hacker Defender that bring new functionality together with protection against antivirus products and rootkit detectors.

 

Linux Rootkit: Adore-ng


Linux Rootkit Detector: kstat

http://docs.sun.com/app/docs/doc/816-5166/kstat-1m?a=view

  • The kstat utility examines the available kernel statistics, or kstats, on the system and reports those statistics which match the criteria specified on the command line. Each matching statistic is printed with its module, instance, and name fields, as well as its actual value.

    Kernel statistics may be published by various kernel subsystems, such as drivers or loadable modules; each kstat has a module field that denotes its publisher. Since each module might have countable entities (such as multiple disks associated with the sd(7D) driver) for which it wishes to report statistics, the kstat also has an instance field to index the statistics for each entity; kstat instances are numbered starting from zero. Finally, the kstat is given a name unique within its module.

    Each kstat may be a special kstat type, an array of name-value pairs, or raw data. In the name-value case, each reported value is given a label, which we refer to as the statistic. Known raw and special kstats are given statistic labels for each of their values by kstat; thus, all published values can be referenced as module:instance:name:statistic.

    When invoked without any module operands or options, kstat will match all defined statistics on the system. Example invocations are provided below. All times are displayed as fractional seconds since system boot.

     

 
