rupurt is a Linux rootkit detection tool that uses eBPF for kernel-level behavioral monitoring alongside traditional signature scanning. With 280+ signatures and 15 detection modules, it's designed to find threats that other tools miss.
The Rootkit Problem in 2026
Rootkits have evolved. The classic LKM rootkit (load a kernel module, hook system calls, hide everything) is well-understood. Modern rootkits use eBPF programs, modify kernel data structures without hooking, or live entirely in memory.
Traditional tools like rkhunter and chkrootkit rely primarily on file-based signatures. They're great at finding known rootkits that leave files on disk, but they struggle with:
- Memory-only rootkits that never touch the filesystem
- eBPF rootkits like TripleCross that use legitimate kernel mechanisms
- DKOM attacks that manipulate kernel data structures directly
- Custom implants that don't match known signatures
rupurt's 15 Detection Modules
| # | Module | What It Checks |
|---|---|---|
| 1 | kernel-check | Kernel symbol table integrity |
| 2 | syscall-table | System call hooking |
| 3 | hidden-files | Files hidden from readdir() |
| 4 | hidden-procs | Processes hidden from /proc |
| 5 | hidden-ports | Network ports hidden from netstat |
| 6 | module-check | Malicious kernel modules |
| 7 | memory-scan | In-memory artifacts |
| 8 | ebpf-monitor | Malicious eBPF programs |
| 9 | binary-check | Modified system binaries |
| 10 | log-check | Tampered log files |
| 11 | network-check | Suspicious connections |
| 12 | persistence | Boot persistence mechanisms |
| 13 | container-check | Container escape indicators |
| 14 | apt-implants | Known APT implant signatures |
| 15 | integrity | File integrity verification |
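The hidden-procs check in the table is a cross-view comparison: the process list as readdir("/proc") reports it against the pids the kernel admits to through kill(pid, 0). The following is an added example of that technique, not rupurt's own code; the function names are mine and it assumes only a Linux /proc. Non-leader threads (reachable under /proc/<tid> but never listed) and processes that start or exit between the two views are excluded so they are not reported as hidden.

```c
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
// View 1: mark every numeric entry that readdir("/proc") returns.
static int list_proc(unsigned char *listed, pid_t max_pid) {
    DIR *d = opendir("/proc");
    if (!d) return -1;
    for (struct dirent *e; (e = readdir(d)) != NULL; ) {
        char *end;
        long v = strtol(e->d_name, &end, 10);
        if (*end == '\0' && v > 0 && v <= max_pid) listed[v] = 1;
    }
    closedir(d);
    return 0;
}
// "Tgid:" from /proc/<pid>/status, or -1 if the entry cannot be opened.
static pid_t proc_tgid(pid_t pid) {
    char path[64], line[128];
    pid_t tgid = -1;
    snprintf(path, sizeof(path), "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof(line), f) && sscanf(line, "Tgid: %d", &tgid) != 1) {}
    fclose(f);
    return tgid;
}
// View 2: existence through the pid table; EPERM means "exists, but not ours".
static int pid_exists(pid_t pid) { return kill(pid, 0) == 0 || errno == EPERM; }
// Counts pids the kernel answers for but readdir("/proc") does not list (take
// max_pid from /proc/sys/kernel/pid_max); stores up to out_cap of them in out.
int find_hidden_pids(pid_t max_pid, pid_t *out, size_t out_cap) {
    unsigned char *listed = calloc((size_t)max_pid + 1, 1);
    if (!listed || list_proc(listed, max_pid) < 0) { free(listed); return -1; }
    size_t n = 0;
    for (pid_t pid = 1; pid <= max_pid; pid++) {
        if (listed[pid] || !pid_exists(pid)) continue;
        pid_t tgid = proc_tgid(pid);
        if (tgid > 0 && tgid != pid) continue;  // a thread: never listed, not hidden
        // Re-list and re-probe so a process that started or exited between the
        // two views is not reported; whatever survives both checks is hidden.
        if (list_proc(listed, max_pid) == 0 && listed[pid]) continue;
        if (!pid_exists(pid)) continue;
        if (n < out_cap) out[n] = pid;
        n++;
    }
    free(listed);
    return (int)n;
}
```

A non-zero return on a clean host usually means a `hidepid` mount option on /proc rather than a rootkit, so confirm the mount options before escalating.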
eBPF: The Double-Edged Sword
eBPF is incredibly powerful. It lets you run sandboxed programs in the kernel with minimal overhead. Security tools love it for tracing and monitoring. But attackers love it too.
rupurt's ebpf-monitor module enumerates all loaded eBPF programs and checks for suspicious behavior:
```c
// Simplified eBPF program enumeration (libbpf)
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <linux/bpf.h>
#include <bpf/bpf.h>

// Allowlist lookup and reporting live elsewhere in the tool (signatures assumed)
int is_known_program(const char *name, const uint8_t *tag);
void report_suspicious_ebpf(const struct bpf_prog_info *info);

void check_ebpf_programs(void) {
    uint32_t id = 0;
    uint32_t info_len;
    int fd;
    struct bpf_prog_info info;
    // Walk every loaded program by id; BPF_PROG_GET_NEXT_ID is root-only
    while (bpf_prog_get_next_id(id, &id) == 0) {
        fd = bpf_prog_get_fd_by_id(id);
        if (fd < 0)
            continue;  // program was unloaded between the two calls
        memset(&info, 0, sizeof(info));
        info_len = sizeof(info);
        // The kernel takes the length by pointer and writes back how much it filled
        if (bpf_obj_get_info_by_fd(fd, &info, &info_len) == 0) {
            // Check for suspicious program types: kprobe/tracepoint programs
            // can observe syscalls and kernel functions
            if (info.type == BPF_PROG_TYPE_KPROBE ||
                info.type == BPF_PROG_TYPE_TRACEPOINT) {
                // Verify against allowlist by name and tag
                if (!is_known_program(info.name, info.tag)) {
                    report_suspicious_ebpf(&info);
                }
            }
        }
        close(fd);
    }
}
```
rupurt requires root privileges to perform kernel-level checks. Run it as `sudo ./rupurt --full-scan` for complete detection coverage.
Signature Database
The 280+ signatures cover:
- 45 LKM rootkits — Diamorphine, Reptile, Kovid, and more
- 20 eBPF rootkits — TripleCross, pamspy, ebpfkit
- 35 userland rootkits — Azazel, Jynx2, Vlany
- 40 APT implants — Drovorub (GRU), Winnti, Rekoobe
- 50+ backdoors — Turla, cd00r, Prism
- 90+ generic patterns — Suspicious behaviors
Signatures are JSON-based and community-contributed. Adding your own is as simple as dropping a JSON file in `signatures/custom/`.
Full source and documentation at github.com/bad-antics/rupurt.