killswitch

eBPF rootkit detection. A userspace Rust tool that flags processes, files, and network connections being hidden from ordinary admin tooling — the tell-tale sign of a syscall-filtering rootkit (often implemented as an eBPF program).

How detection works

A rootkit that hides something must lie to userspace while the kernel still knows the truth. killswitch reads both:

| Vantage | Module | Source |
|---|---|---|
| Ground truth | groundtruth | /proc, /proc/net/* (→ raw syscalls / BPF iters later) |
| Userspace view | userview | shells out to ps, ls, ss |

detect diffs the two sets:

  • in ground truth but not in the userspace view → HiddenFromUserspace (rootkit signature)
  • in the userspace view but not in ground truth → PhantomInUserspace
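
The diff step as an added Rust example, not killswitch's own detect.rs: the Entity and Discrepancy names follow the README's types.rs description, while their fields, the BTreeSet inputs and the mapping of HiddenFromUserspace to the critical exit status 2 are assumptions made here.

```rust
// Added example (not the project's detect.rs): the set diff at the heart of
// `detect`, over one kind of entity identifier. Field layouts are assumed.
use std::collections::BTreeSet;

/// One observed thing: a pid, a path, or a "proto:addr:port" connection string.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub enum Entity {
    Process(u32),
    File(String),
    Connection(String),
}

/// The two mismatch kinds the README names.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Discrepancy {
    /// Kernel knows it, userspace tooling does not: rootkit signature.
    HiddenFromUserspace(Entity),
    /// Userspace tooling reports it, kernel state does not.
    PhantomInUserspace(Entity),
}

/// Diff the kernel-side (ground truth) set against the userspace-tool view.
/// BTreeSet::difference yields sorted output, so reports are stable run to run.
pub fn detect(ground_truth: &BTreeSet<Entity>, user_view: &BTreeSet<Entity>) -> Vec<Discrepancy> {
    let mut out = Vec::new();
    for e in ground_truth.difference(user_view) {
        out.push(Discrepancy::HiddenFromUserspace(e.clone()));
    }
    for e in user_view.difference(ground_truth) {
        out.push(Discrepancy::PhantomInUserspace(e.clone()));
    }
    out
}

/// Exit status as the README describes for `scan`: 2 when a critical finding
/// exists. Treating every hidden entity as critical is an assumption here.
pub fn exit_code(findings: &[Discrepancy]) -> i32 {
    if findings.iter().any(|d| matches!(d, Discrepancy::HiddenFromUserspace(_))) { 2 } else { 0 }
}

fn main() {
    // Constructed sample: /proc lists pid 4242 but ps does not (hidden), and ps
    // still shows pid 777 that is gone from /proc (phantom, e.g. a scan race).
    let truth: BTreeSet<Entity> = [Entity::Process(1), Entity::Process(4242), Entity::File("/tmp/.x".into())].into_iter().collect();
    let view: BTreeSet<Entity> = [Entity::Process(1), Entity::Process(777), Entity::File("/tmp/.x".into())].into_iter().collect();
    let findings = detect(&truth, &view);
    for f in &findings { println!("{f:?}"); }
    std::process::exit(exit_code(&findings));
}
```

Because the two snapshots are not taken atomically, a process that starts or exits between the /proc read and the ps run shows up as a one-off discrepancy; re-scanning and keeping only entities flagged twice is a simple way to separate that noise from persistent hiding.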

In parallel, enumerate lists loaded eBPF programs (BPF syscall id-walk, /sys/fs/bpf pins, tracefs probes), since the hiding logic itself usually lives in one.

Layout

src/
  main.rs        CLI dispatch + scan orchestration
  cli.rs         clap definitions (enumerate / scan / report)
  types.rs       shared types: BpfProgram, Entity, Discrepancy, Severity
  enumerate.rs   eBPF program enumeration (multi-source)
  groundtruth.rs direct kernel-state reads
  userview.rs    what ps/ls/ss report
  detect.rs      the diff/detection engine (+ unit tests)
  report.rs      text & JSON report rendering

Build & run

cargo build
cargo run -- enumerate
cargo run -- scan --watch-dir /tmp --watch-dir /etc
cargo run -- scan --format json

scan exits non-zero (2) when a critical discrepancy is found, so it drops into cron/CI cleanly.

The bpf feature (Linux only)

The real libbpf-backed syscall enumeration is gated behind a cargo feature so the scaffold compiles and runs anywhere (including macOS) with placeholder data:

cargo build --features bpf      # Linux + libbpf installed

Status

Userspace scaffold with placeholder enumeration. Not yet built: the in-kernel eBPF detector programs, full hex address decoding for connections, inode→pid correlation, and the BPF syscall id-walk.

TODO (grep the source for TODO:)

  • BPF_PROG_GET_NEXT_ID + BPF_OBJ_GET_INFO_BY_FD syscall walk
  • Resolve bpffs pins to real program ids/info
  • Parse kprobe_events/uprobe_events, correlate with the id-walk
  • Stronger process ground truth (pid brute-force / BPF task iterator)
  • Decode /proc/net/tcp hex addrs; map socket inode → pid; parse ss
  • Persist scan results so report re-renders instead of re-scanning
