README.md

April 16, 2026 · View on GitHub

# rupurt — Advanced eBPF Rootkit Hunter

╚═╝  ╚═╝ ╚═════╝ ╚═╝      ╚═════╝ ╚═╝  ╚═╝   ╚═╝   
              ☠️ Linux Rootkit Hunter

rupurt Version Signatures Modules License

Stars

Comprehensive Linux rootkit detection with modern threat signatures, eBPF analysis, memory forensics, and APT implant detection


🎬 Demo

RKHunt Demo — scanning a Linux system for rootkits
RKHunt quick-scanning a live system — detecting suspicious kernel modules, process anomalies, and tainted kernel flags

💻 Tech Stack

Core

C Linux POSIX

Detection Targets

eBPF Kernel Docker Kubernetes

Platforms

AMD64 ARM64


⚡ Features

🔍 Detection Modules

ModuleDescription
Syscall AnalysisDetects syscall table hijacking and hooking
eBPF ScannerIdentifies malicious eBPF programs
Memory ForensicsScans for hidden processes and injected code
Kernel IntegrityValidates kernel text and module signatures
Network AnalysisDetects hidden network connections
File SystemFinds hidden files and rootkit artifacts
Process ScannerIdentifies process hollowing and hiding
Container EscapeDetects container breakout attempts
APT DetectionSignatures for nation-state implants

📊 Signature Database

  • 280+ rootkit signatures (Diamorphine, Reptile, Drovorub, etc.)
  • APT implant detection (Equation Group, Turla, Lazarus)
  • Cryptominer detection (XMRig, TeamTNT variants)
  • Container-specific threats (Siloscape, cr8escape)

🚀 Installation

# Clone repository
git clone https://github.com/bad-antics/rupurt
cd rupurt

# Build from source
make

# Install system-wide
sudo make install

# Run scan
sudo rupurt --full

📖 Usage

# Quick scan (essential checks)
sudo rupurt --quick

# Full system scan
sudo rupurt --full

# Paranoid mode (everything)
sudo rupurt --paranoid

# Specific modules
sudo rupurt --syscall --ebpf --memory

# JSON output for SIEM integration
sudo rupurt --full --json > report.json

# Continuous monitoring
sudo rupurt --monitor --interval 300

🔧 Command Line Options

OptionDescription
--quickFast essential checks
--fullComplete system scan
--paranoidMaximum detection sensitivity
--syscallSyscall table analysis
--ebpfeBPF program scanner
--memoryMemory forensics
--kernelKernel integrity check
--networkHidden network detection
--processProcess hiding detection
--containerContainer escape detection
--aptAPT implant signatures
--jsonJSON output format
--monitorContinuous monitoring mode
--updateUpdate signature database
--verboseDetailed output with process IDs, file paths, hashes, and confidence scores
--output FILEWrite detailed report to file (supports .json, .csv, .txt)
--threshold NMinimum confidence score to report (0-100, default: 50)
--whitelist FILEPath to whitelist file — skip known-safe processes/files
--exclude PATHExclude specific path from scanning
--no-colorDisable colored output (for piping/logging)

📊 Detailed Reports

For detailed forensic output including process IDs, file paths, hashes, and confidence scores:

# Verbose scan with full details
sudo rupurt --full --verbose

# Save detailed JSON report
sudo rupurt --full --verbose --output report.json

# Example JSON output per finding:
# {
#   "id": "RUPURT-2024-0042",
#   "module": "ebpf",
#   "severity": "warning",
#   "confidence": 72,
#   "description": "Suspicious eBPF program attached to syscall",
#   "process": { "pid": 1842, "name": "bpf_loader", "uid": 0 },
#   "file": { "path": "/sys/fs/bpf/probe", "hash": "sha256:a1b2c3..." },
#   "timestamp": "2026-02-23T10:15:30Z"
# }

⚠️ False Positive Handling

Signature-based detection can flag legitimate software. Here's how to handle false positives:

Adjusting Sensitivity

# Lower sensitivity — only report high-confidence findings (75+)
sudo rupurt --full --threshold 75

# Higher sensitivity — catch more but expect more false positives
sudo rupurt --paranoid --threshold 25

Whitelisting Known-Safe Items

Create a whitelist file to skip known-safe processes and paths:

# Create whitelist
cat > /etc/rupurt/whitelist.conf << 'EOF'
# Format: type:value
# Types: process, path, hash, ebpf_id

# Known-safe eBPF programs (monitoring tools)
ebpf_id:42
ebpf_id:43

# System processes that look suspicious but are legitimate
process:snapd
process:systemd-oomd

# Paths to exclude
path:/opt/monitoring-agent/
path:/snap/

# Known-safe file hashes
hash:sha256:abc123def456...
EOF

# Run with whitelist
sudo rupurt --full --whitelist /etc/rupurt/whitelist.conf

Per-Scan Exclusions

# Exclude specific paths
sudo rupurt --full --exclude /opt/my-monitoring --exclude /snap

# Combine with threshold
sudo rupurt --full --threshold 70 --exclude /opt/security-tools

Reporting False Positives

If you encounter a false positive, please open an issue with:

  1. The --verbose --json output for the finding
  2. What the flagged process/file actually is
  3. Your kernel version (uname -r)

This helps improve detection accuracy for everyone.


🔍 Confidence Scores

Each finding includes a confidence score (0-100):

ScoreLevelMeaning
90-100🔴 CriticalAlmost certainly malicious — known rootkit signature match
70-89🟠 HighStrong indicators — behavioral match + suspicious attributes
50-69🟡 MediumSuspicious — warrants investigation, may be legitimate
25-49🔵 LowUnusual but likely benign — security tools, debuggers, etc.
0-24⚪ InfoInformational — logged but not alarming

Default threshold is 50 (medium+). Use --threshold to adjust.


🎯 What It Detects

Kernel Rootkits

  • Syscall table modifications
  • IDT/GDT hooks
  • Kernel text modifications
  • Hidden kernel modules
  • Malicious eBPF programs

Userspace Threats

  • LD_PRELOAD hijacking
  • Process injection
  • Shared library hooking
  • Hidden processes
  • Memory-resident malware

Container Threats

  • Container escape attempts
  • Privileged container abuse
  • cgroup manipulation
  • Namespace breakouts

APT Implants

  • Equation Group tools
  • Turla Snake/Uroburos
  • Lazarus Group malware
  • Winnti backdoors

📁 Output Example

# rupurt — Advanced eBPF Rootkit Hunter

╚═╝  ╚═╝ ╚═════╝ ╚═╝      ╚═════╝ ╚═╝  ╚═╝   ╚═╝   
              ☠️ Linux Rootkit Hunter v2.5.0

[*] Starting full system scan...
[+] Kernel: Linux 6.5.0-generic x86_64
[+] Scanning syscall table...
[+] Checking eBPF programs...
[!] WARNING: Suspicious eBPF program detected
    Program ID: 42
    Type: tracepoint
    Attach: sys_enter_openat
[+] Memory analysis...
[+] Checking hidden processes...
[+] Network connection analysis...
[+] File system scan...

══════════════════════════════════════════════════════════════════
                         SCAN SUMMARY
══════════════════════════════════════════════════════════════════
  Modules scanned: 15
  Checks performed: 847
  Warnings: 1
  Critical: 0
  Time elapsed: 12.4s
══════════════════════════════════════════════════════════════════

📜 License

MIT License - See LICENSE for details.


bad-antics

Hunt the hunters.