██████╗ ██╗ ██╗██████╗ ██╗ ██╗██████╗ ████████╗
██╔══██╗██║ ██║██╔══██╗██║ ██║██╔══██╗╚══██╔══╝
██████╔╝██║ ██║██████╔╝██║ ██║██████╔╝ ██║
██╔══██╗██║ ██║██╔═══╝ ██║ ██║██╔══██╗ ██║
██║ ██║╚██████╔╝██║ ╚██████╔╝██║ ██║ ██║
╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝
☠️ Linux Rootkit Hunter
Comprehensive Linux rootkit detection with modern threat signatures, eBPF analysis, memory forensics, and APT implant detection
| Module | Description |
|---|---|
| Syscall Analysis | Detects syscall table hijacking and hooking |
| eBPF Scanner | Identifies malicious eBPF programs |
| Memory Forensics | Scans for hidden processes and injected code |
| Kernel Integrity | Validates kernel text and module signatures |
| Network Analysis | Detects hidden network connections |
| File System | Finds hidden files and rootkit artifacts |
| Process Scanner | Identifies process hollowing and hiding |
| Container Escape | Detects container breakout attempts |
| APT Detection | Signatures for nation-state implants |
- 280+ rootkit signatures (Diamorphine, Reptile, Drovorub, etc.)
- APT implant detection (Equation Group, Turla, Lazarus)
- Cryptominer detection (XMRig, TeamTNT variants)
- Container-specific threats (Siloscape, cr8escape)
```bash
# Clone repository
git clone https://github.com/bad-antics/rupurt
cd rupurt

# Build from source
make

# Install system-wide
sudo make install

# Run scan
sudo rupurt --full
```

```bash
# Quick scan (essential checks)
sudo rupurt --quick

# Full system scan
sudo rupurt --full

# Paranoid mode (everything)
sudo rupurt --paranoid

# Specific modules
sudo rupurt --syscall --ebpf --memory

# JSON output for SIEM integration
sudo rupurt --full --json > report.json

# Continuous monitoring
sudo rupurt --monitor --interval 300
```

| Option | Description |
|---|---|
| --quick | Fast essential checks |
| --full | Complete system scan |
| --paranoid | Maximum detection sensitivity |
| --syscall | Syscall table analysis |
| --ebpf | eBPF program scanner |
| --memory | Memory forensics |
| --kernel | Kernel integrity check |
| --network | Hidden network detection |
| --process | Process hiding detection |
| --container | Container escape detection |
| --apt | APT implant signatures |
| --json | JSON output format |
| --monitor | Continuous monitoring mode |
| --update | Update signature database |
- Syscall table modifications
- IDT/GDT hooks
- Kernel text modifications
- Hidden kernel modules
- Malicious eBPF programs
- LD_PRELOAD hijacking
- Process injection
- Shared library hooking
- Hidden processes
- Memory-resident malware
- Container escape attempts
- Privileged container abuse
- cgroup manipulation
- Namespace breakouts
- Equation Group tools
- Turla Snake/Uroburos
- Lazarus Group malware
- Winnti backdoors
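The "hidden processes" item above rests on a simple idea: a rootkit that filters the `/proc` directory listing hides a task from `ps`, `top` and `ls /proc`, but `kill(pid, 0)` still reaches the task unless that syscall is hooked as well, so the two views disagree. The script below is an added illustration of that cross-check, not rupurt's own process scanner; it runs on any Linux host without root (an `EPERM` answer still proves the PID exists), sweeps up to `/proc/sys/kernel/pid_max`, and skips threads of listed processes, which are legitimately absent from the top-level `/proc` listing.

```python
"""Cross-check two views of the process list to find processes hidden from /proc.

Added example, not rupurt's own code. A PID that answers kill(pid, 0) yet is
missing from the /proc listing, and is not merely a thread of a listed process,
is the signal worth investigating. A rootkit that hooks both readdir() and
kill() defeats this single check, which is why scanners combine several views.
"""
import os
from typing import Callable, Optional, Set


def visible_pids(proc: str = "/proc") -> Set[int]:
    """Process IDs as seen by listing /proc (the view ps and top rely on)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def read_pid_max(proc: str = "/proc") -> int:
    """Upper bound for the PID sweep; falls back to the classic 32768."""
    try:
        with open(f"{proc}/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 32768


def probed_pids(pid_max: int) -> Set[int]:
    """PIDs that exist according to kill(pid, 0), regardless of /proc listing."""
    alive: Set[int] = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:  # ESRCH: no such task
            continue
        except PermissionError:  # EPERM: exists, owned by another user
            pass
        alive.add(pid)
    return alive


def proc_tgid(pid: int, proc: str = "/proc") -> Optional[int]:
    """Thread-group id from /proc/<pid>/status, or None if unreadable.

    /proc/<tid> is reachable by direct lookup even though threads are not
    listed in /proc, so this tells a thread apart from a hidden process.
    """
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError, IndexError):
        return None
    return None


def hidden_pids(visible: Set[int], alive: Set[int],
                tgid_of: Callable[[int], Optional[int]]) -> Set[int]:
    """PIDs that answer kill(pid, 0) but are absent from the /proc listing.

    Threads of a listed process are expected to be absent and are skipped;
    everything else (unknown Tgid, or a group leader that is itself unlisted)
    is reported. Pure function so it can be exercised with constructed inputs.
    """
    hidden: Set[int] = set()
    for pid in alive - visible:
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid and tgid in visible:
            continue  # ordinary thread of a visible process
        hidden.add(pid)
    return hidden


def scan(passes: int = 2, proc: str = "/proc") -> Set[int]:
    """Run the check `passes` times and keep only PIDs flagged every time.

    Processes that start or exit mid-sweep cause one-off disagreements
    between the two views; intersecting several passes filters that noise.
    """
    pid_max = read_pid_max(proc)
    result: Optional[Set[int]] = None
    for _ in range(passes):
        found = hidden_pids(visible_pids(proc), probed_pids(pid_max),
                            lambda pid: proc_tgid(pid, proc))
        result = found if result is None else result & found
    return result or set()


if __name__ == "__main__":
    suspects = scan()
    if suspects:
        print("possible hidden processes:", sorted(suspects))
    else:
        print("no hidden processes detected")
```

On a modern kernel `pid_max` is 4194304, so one pass takes a few seconds in Python; the two-pass intersection is what keeps short-lived processes from showing up as false positives, and any PID that survives it deserves a look at `/proc/<pid>/exe` and `/proc/<pid>/maps` before trusting the host's own tools further.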
```text
██████╗ ██╗ ██╗██████╗ ██╗ ██╗██████╗ ████████╗
██╔══██╗██║ ██║██╔══██╗██║ ██║██╔══██╗╚══██╔══╝
██████╔╝██║ ██║██████╔╝██║ ██║██████╔╝ ██║
██╔══██╗██║ ██║██╔═══╝ ██║ ██║██╔══██╗ ██║
██║ ██║╚██████╔╝██║ ╚██████╔╝██║ ██║ ██║
╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝
☠️ Linux Rootkit Hunter v2.5.0

[*] Starting full system scan...
[+] Kernel: Linux 6.5.0-generic x86_64
[+] Scanning syscall table...
[+] Checking eBPF programs...
[!] WARNING: Suspicious eBPF program detected
    Program ID: 42
    Type: tracepoint
    Attach: sys_enter_openat
[+] Memory analysis...
[+] Checking hidden processes...
[+] Network connection analysis...
[+] File system scan...

══════════════════════════════════════════════════════════════════
SCAN SUMMARY
══════════════════════════════════════════════════════════════════
Modules scanned: 15
Checks performed: 847
Warnings: 1
Critical: 0
Time elapsed: 12.4s
══════════════════════════════════════════════════════════════════
```
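The eBPF warning in the sample output above flags a program attached to the `sys_enter_openat` tracepoint, which is the kind of attach point that lets a program observe or interfere with every call of a syscall. The script below is an added example of how a defender can triage that class of finding on their own host; it is not rupurt's eBPF scanner. It reads `bpftool link show --json` when `bpftool` is installed (root is needed to see all links) and otherwise falls back to a constructed sample. The field names it relies on (`id`, `type`, `prog_id`, `tp_name`, `perf_event_config`, `pids`) follow bpftool's JSON output as far as the author knows it; treat the exact shape as an assumption and confirm it against your bpftool version.

```python
"""Triage loaded eBPF links for syscall hooks not owned by a known tracing tool.

Added example, not rupurt's own code. Links whose attach point is a syscall
entry/exit tracepoint or a kprobe on a syscall handler are reported unless
every process holding the link is on an operator-supplied allowlist.
"""
import json
import re
import shutil
import subprocess
from typing import Dict, Iterable, List, Optional

# Attach points that mean "this program sees every call of a syscall".
SYSCALL_HOOK = re.compile(
    r"^(syscalls[:/])?(sys_enter_|sys_exit_|__x64_sys_|__arm64_sys_|__se_sys_)")

# Constructed sample in the assumed bpftool shape; NOT output from a real host.
SAMPLE_LINKS = [
    {"id": 7, "type": "raw_tracepoint", "prog_id": 42, "tp_name": "sys_enter_openat",
     "pids": [{"pid": 4242, "comm": "ldr"}]},
    {"id": 8, "type": "perf_event", "prog_id": 43,
     "perf_event_config": {"type": "kprobe", "func": "__x64_sys_getdents64", "offset": 0},
     "pids": [{"pid": 911, "comm": "falco"}]},
    {"id": 9, "type": "xdp", "prog_id": 44, "ifindex": 2,
     "pids": [{"pid": 300, "comm": "cilium-agent"}]},
    {"id": 10, "type": "tracing", "prog_id": 45, "attach_type": "trace_fentry",
     "target_obj_id": 1, "target_btf_id": 31337},
]


def attach_point(link: Dict) -> Optional[str]:
    """Best-effort name of what the link is attached to, across link types."""
    if "tp_name" in link:
        return link["tp_name"]
    cfg = link.get("perf_event_config") or {}
    return cfg.get("func") or cfg.get("tracepoint") or link.get("attach_type")


def triage_links(links: Iterable[Dict], expected_comms: Iterable[str] = ()) -> List[Dict]:
    """Return links that hook a syscall and are not held solely by allowlisted tools.

    A hook with no live holder at all is reported too: a pinned link outlives
    the process that loaded it, so "nobody owns it" is itself worth a look.
    """
    allow = set(expected_comms)
    findings: List[Dict] = []
    for link in links:
        target = attach_point(link)
        if not target or not SYSCALL_HOOK.search(target):
            continue
        owners = {p.get("comm", "?") for p in link.get("pids", [])}
        if owners and owners <= allow:
            continue  # known attacher, e.g. your own tracing agent
        findings.append({"link_id": link.get("id"), "prog_id": link.get("prog_id"),
                         "type": link.get("type"), "attach": target,
                         "owners": sorted(owners) or ["<no live holder>"]})
    return findings


def load_links() -> List[Dict]:
    """Live `bpftool link show --json` when available, else the constructed sample."""
    if shutil.which("bpftool"):
        try:
            out = subprocess.run(["bpftool", "link", "show", "--json"],
                                 capture_output=True, text=True, check=True).stdout
            return json.loads(out)
        except (subprocess.CalledProcessError, json.JSONDecodeError):
            pass
    return SAMPLE_LINKS


if __name__ == "__main__":
    for f in triage_links(load_links(), expected_comms=["falco"]):
        print(f"[!] link {f['link_id']} prog {f['prog_id']} ({f['type']}) "
              f"hooks {f['attach']} held by {', '.join(f['owners'])}")
```

Run against the sample with `falco` allowlisted, the `getdents64` kprobe held by that agent is accepted while the `sys_enter_openat` link held by an unrecognised loader is reported; with an empty allowlist both are. Pair a hit with `bpftool prog dump xlated id <prog_id>` to see what the program actually does before deciding whether it belongs.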
MIT License - See LICENSE for details.