Detects hidden Loadable Kernel Modules by comparing module visibility across /proc/modules, /sys/module, and /proc/kallsyms. Identifies modules present in kallsyms but missing from procfs/sysfs.
Critical on hidden modules
Discovers hidden processes using multi-view cross-checks: /proc enumeration, kill(0) probing, cgroup task files, and /proc/loadavg analysis. Revalidation snapshots eliminate transient race conditions.
Critical on persistent hidden PIDs
Detects hidden or redirected network sockets by comparing /proc/net tables, netlink diagnostics via ss, and process file descriptor scanning. Two-snapshot validation reduces false positives.
Requires: ss
Critical on hidden sockets
Validates syscall entrypoints by reading MSRs (IA32_LSTAR, IA32_CSTAR, IA32_SYSENTER_EIP) and IDT vectors via /proc/kcore. Detects entrypoint redirection to module code or trampolines. x86_64-specific.
Critical on redirected entrypoints
Analyzes ftrace function hooks for suspicious kernel path redirection. Checks the tracer configuration and filter functions against critical patterns covering syscalls, VFS, credentials, and LSM hooks.
Critical on unfiltered active tracing
Discovers kprobe and kretprobe events targeting sensitive kernel functions. Matches against critical patterns including syscalls, credentials, module loading, VFS, network, LSM, and BPF functions.
Warning on sensitive kprobes
Examines syscall table entries by parsing /proc/kcore ELF core image. Verifies each entry resolves to core kernel text or legitimate modules. Detects entries pointing outside kernel memory.
Critical on hijacked entries
Comprehensive eBPF/BPF security scanner analyzing programs, maps, and links via bpftool. Detects ownerless high-risk hooks, suspicious naming patterns, bpffs mount anomalies, and checks hardening sysctls.
Requires: bpftool
Critical on ownerless hooks