```
██████╗ ██╗ ██╗██████╗ ██╗ ██╗██████╗ ████████╗
██╔══██╗██║ ██║██╔══██╗██║ ██║██╔══██╗╚══██╔══╝
██████╔╝██║ ██║██████╔╝██║ ██║██████╔╝ ██║
██╔══██╗██║ ██║██╔═══╝ ██║ ██║██╔══██╗ ██║
██║ ██║╚██████╔╝██║ ╚██████╔╝██║ ██║ ██║
╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝
```
☠️ Linux Rootkit Hunter
Comprehensive Linux rootkit detection with modern threat signatures, eBPF analysis, memory forensics, and APT implant detection
| Module | Description |
|---|---|
| Syscall Analysis | Detects syscall table hijacking and hooking |
| eBPF Scanner | Identifies malicious eBPF programs |
| Memory Forensics | Scans for hidden processes and injected code |
| Kernel Integrity | Validates kernel text and module signatures |
| Network Analysis | Detects hidden network connections |
| File System | Finds hidden files and rootkit artifacts |
| Process Scanner | Identifies process hollowing and hiding |
| Container Escape | Detects container breakout attempts |
| APT Detection | Signatures for nation-state implants |
- 280+ rootkit signatures (Diamorphine, Reptile, Drovorub, etc.)
- APT implant detection (Equation Group, Turla, Lazarus)
- Cryptominer detection (XMRig, TeamTNT variants)
- Container-specific threats (Siloscape, cr8escape)
```bash
# Clone repository
git clone https://github.com/bad-antics/rupurt
cd rupurt

# Build from source
make

# Install system-wide
sudo make install

# Run scan
sudo rupurt --full
```

```bash
# Quick scan (essential checks)
sudo rupurt --quick

# Full system scan
sudo rupurt --full

# Paranoid mode (everything)
sudo rupurt --paranoid

# Specific modules
sudo rupurt --syscall --ebpf --memory

# JSON output for SIEM integration
sudo rupurt --full --json > report.json

# Continuous monitoring
sudo rupurt --monitor --interval 300
```

| Option | Description |
|---|---|
| `--quick` | Fast essential checks |
| `--full` | Complete system scan |
| `--paranoid` | Maximum detection sensitivity |
| `--syscall` | Syscall table analysis |
| `--ebpf` | eBPF program scanner |
| `--memory` | Memory forensics |
| `--kernel` | Kernel integrity check |
| `--network` | Hidden network detection |
| `--process` | Process hiding detection |
| `--container` | Container escape detection |
| `--apt` | APT implant signatures |
| `--json` | JSON output format |
| `--monitor` | Continuous monitoring mode |
| `--update` | Update signature database |
| `--verbose` | Detailed output with process IDs, file paths, hashes, and confidence scores |
| `--output FILE` | Write detailed report to file (supports .json, .csv, .txt) |
| `--threshold N` | Minimum confidence score to report (0-100, default: 50) |
| `--whitelist FILE` | Path to whitelist file — skip known-safe processes/files |
| `--exclude PATH` | Exclude specific path from scanning |
| `--no-color` | Disable colored output (for piping/logging) |
For detailed forensic output including process IDs, file paths, hashes, and confidence scores:

```bash
# Verbose scan with full details
sudo rupurt --full --verbose

# Save detailed JSON report
sudo rupurt --full --verbose --output report.json
```

Example JSON output per finding:

```json
{
  "id": "RUPURT-2024-0042",
  "module": "ebpf",
  "severity": "warning",
  "confidence": 72,
  "description": "Suspicious eBPF program attached to syscall",
  "process": { "pid": 1842, "name": "bpf_loader", "uid": 0 },
  "file": { "path": "/sys/fs/bpf/probe", "hash": "sha256:a1b2c3..." },
  "timestamp": "2026-02-23T10:15:30Z"
}
```

Signature-based detection can flag legitimate software. Here's how to handle false positives:

```bash
# Lower sensitivity — only report high-confidence findings (75+)
sudo rupurt --full --threshold 75

# Higher sensitivity — catch more but expect more false positives
sudo rupurt --paranoid --threshold 25
```

Create a whitelist file to skip known-safe processes and paths:
```bash
# Create whitelist
cat > /etc/rupurt/whitelist.conf << 'EOF'
# Format: type:value
# Types: process, path, hash, ebpf_id

# Known-safe eBPF programs (monitoring tools)
ebpf_id:42
ebpf_id:43

# System processes that look suspicious but are legitimate
process:snapd
process:systemd-oomd

# Paths to exclude
path:/opt/monitoring-agent/
path:/snap/

# Known-safe file hashes
hash:sha256:abc123def456...
EOF

# Run with whitelist
sudo rupurt --full --whitelist /etc/rupurt/whitelist.conf
```

```bash
# Exclude specific paths
sudo rupurt --full --exclude /opt/my-monitoring --exclude /snap

# Combine with threshold
sudo rupurt --full --threshold 70 --exclude /opt/security-tools
```

If you encounter a false positive, please open an issue with:

- The `--verbose --json` output for the finding
- What the flagged process/file actually is
- Your kernel version (`uname -r`)

This helps improve detection accuracy for everyone.
Each finding includes a confidence score (0-100):
| Score | Level | Meaning |
|---|---|---|
| 90-100 | 🔴 Critical | Almost certainly malicious — known rootkit signature match |
| 70-89 | 🟠 High | Strong indicators — behavioral match + suspicious attributes |
| 50-69 | 🟡 Medium | Suspicious — warrants investigation, may be legitimate |
| 25-49 | 🔵 Low | Unusual but likely benign — security tools, debuggers, etc. |
| 0-24 | ⚪ Info | Informational — logged but not alarming |
Default threshold is 50 (medium+). Use `--threshold` to adjust.
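The whitelist format and the confidence bands above, as an added example that is not part of the rupurt project: a small Python post-processor (assumed helper names `parse_whitelist`, `is_whitelisted`, `triage` and `level_for`) that reads a `--json` report, drops findings below the threshold or matching the whitelist, and labels the rest with the scoring table's level. The findings and whitelist below are constructed samples, and since the per-finding JSON shown above carries no eBPF program id, `ebpf_id` rules are parsed but not matched.

```python
import json

# Confidence bands from the scoring table above: (floor, level name).
LEVELS = [(90, "Critical"), (70, "High"), (50, "Medium"), (25, "Low"), (0, "Info")]

def level_for(confidence):
    """Map a 0-100 confidence score to the README's level name."""
    return next(name for floor, name in LEVELS if confidence >= floor)

def parse_whitelist(text):
    """Parse the type:value whitelist format; '#' lines and blanks are ignored."""
    rules = {"process": set(), "path": set(), "hash": set(), "ebpf_id": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(":")  # "hash:sha256:..." keeps the rest
        if kind in rules and value:
            rules[kind].add(value)
    return rules

def is_whitelisted(finding, rules):
    """Match on process name, path prefix or file hash. The JSON finding shape
    has no eBPF program id field, so ebpf_id rules are not matched (assumption)."""
    proc = finding.get("process") or {}
    finfo = finding.get("file") or {}
    path = finfo.get("path", "")
    return (proc.get("name") in rules["process"]
            or any(path.startswith(p) for p in rules["path"])
            or finfo.get("hash") in rules["hash"])

def triage(report_json, whitelist_text, threshold=50):
    """Return (id, confidence, level) for findings surviving threshold and whitelist."""
    rules = parse_whitelist(whitelist_text)
    return [(f["id"], f["confidence"], level_for(f["confidence"]))
            for f in json.loads(report_json)
            if f["confidence"] >= threshold and not is_whitelisted(f, rules)]

# Constructed sample report (three findings in the documented shape) and whitelist.
SAMPLE_REPORT = json.dumps([
    {"id": "RUPURT-2024-0042", "module": "ebpf", "confidence": 72,
     "process": {"pid": 1842, "name": "bpf_loader", "uid": 0},
     "file": {"path": "/sys/fs/bpf/probe", "hash": "sha256:a1b2c3"}},
    {"id": "RUPURT-2024-0043", "module": "process", "confidence": 55,
     "process": {"pid": 915, "name": "snapd", "uid": 0},
     "file": {"path": "/snap/snapd/bin/snapd", "hash": "sha256:abc123"}},
    {"id": "RUPURT-2024-0044", "module": "network", "confidence": 40,
     "process": None, "file": None}])
SAMPLE_WHITELIST = "# monitoring tools\nprocess:snapd\npath:/snap/\nhash:sha256:abc123\nebpf_id:42\n"
```

With the default threshold only the eBPF finding survives; lowering the threshold to 25 also surfaces the network finding as Low, while the whitelisted snapd finding is dropped in both cases.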
- Syscall table modifications
- IDT/GDT hooks
- Kernel text modifications
- Hidden kernel modules
- Malicious eBPF programs
- LD_PRELOAD hijacking
- Process injection
- Shared library hooking
- Hidden processes
- Memory-resident malware
- Container escape attempts
- Privileged container abuse
- cgroup manipulation
- Namespace breakouts
- Equation Group tools
- Turla Snake/Uroburos
- Lazarus Group malware
- Winnti backdoors
```
██████╗ ██╗ ██╗██████╗ ██╗ ██╗██████╗ ████████╗
██╔══██╗██║ ██║██╔══██╗██║ ██║██╔══██╗╚══██╔══╝
██████╔╝██║ ██║██████╔╝██║ ██║██████╔╝ ██║
██╔══██╗██║ ██║██╔═══╝ ██║ ██║██╔══██╗ ██║
██║ ██║╚██████╔╝██║ ╚██████╔╝██║ ██║ ██║
╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝
☠️ Linux Rootkit Hunter v2.5.0

[*] Starting full system scan...
[+] Kernel: Linux 6.5.0-generic x86_64
[+] Scanning syscall table...
[+] Checking eBPF programs...
[!] WARNING: Suspicious eBPF program detected
    Program ID: 42
    Type: tracepoint
    Attach: sys_enter_openat
[+] Memory analysis...
[+] Checking hidden processes...
[+] Network connection analysis...
[+] File system scan...

══════════════════════════════════════════════════════════════════
SCAN SUMMARY
══════════════════════════════════════════════════════════════════
Modules scanned: 15
Checks performed: 847
Warnings: 1
Critical: 0
Time elapsed: 12.4s
══════════════════════════════════════════════════════════════════
```
MIT License - See LICENSE for details.