{"id":39862375,"url":"https://github.com/bcoles/rootkit-signal-hunter","last_synced_at":"2026-01-18T14:02:12.614Z","repository":{"id":322804309,"uuid":"1079069226","full_name":"bcoles/rootkit-signal-hunter","owner":"bcoles","description":"Detect Linux rootkits which use signals to elevate process privileges.","archived":false,"fork":false,"pushed_at":"2025-11-06T12:17:01.000Z","size":968,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-11-06T13:14:53.397Z","etag":null,"topics":["privilege-escalation-linux","rootkit-detection","rootkit-hunter","security"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bcoles.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-10-19T03:00:01.000Z","updated_at":"2025-11-06T12:17:04.000Z","dependencies_parsed_at":null,"dependency_job_id":"bb50b50a-1720-45f1-a3ad-3d9789fa6104","html_url":"https://github.com/bcoles/rootkit-signal-hunter","commit_stats":null,"previous_names":["bcoles/rootkit-signal-hunter"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/bcoles/rootkit-signal-hunter","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bcoles%2Frootkit-signal-hunter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bcoles%2Frootkit-signal-hunter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bcoles%2Frootkit-signal-hunter/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bcoles%2Frootkit-signal-hunter/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bcoles","download_url":"https://codeload.github.com/bcoles/rootkit-signal-hunter/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bcoles%2Frootkit-signal-hunter/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28537484,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-18T13:04:05.990Z","status":"ssl_error","status_checked_at":"2026-01-18T13:01:44.092Z","response_time":98,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["privilege-escalation-linux","rootkit-detection","rootkit-hunter","security"],"created_at":"2026-01-18T14:02:11.836Z","updated_at":"2026-01-18T14:02:12.593Z","avatar_url":"https://github.com/bcoles.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/logo.png\" alt=\"Rootkit Signal Hunter\" width=\"300\" /\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://github.com/bcoles/rootkit-signal-hunter/actions/workflows/tests.yml/badge.svg\" alt=\"Build Status\"/\u003e\n  \u003cimg src=\"https://img.shields.io/github/v/release/bcoles/rootkit-signal-hunter\" alt=\"Release\"/\u003e\n  \u003cimg src=\"https://img.shields.io/badge/License-MIT-blue.svg\" alt=\"License: MIT\"/\u003e\n\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003eRootkit Signal Hunter\u003c/h1\u003e\n\u003cp align=\"center\"\u003e\u003ci\u003eDetect Linux rootkits which use signals to elevate process privileges.\u003c/i\u003e\u003c/p\u003e\n\n---\n\nSome rootkits install signal handlers which listen for specific signals to elevate privileges.\nThis tool can identify these rootkits by sending signals and observing UID switching to root.\nOptionally spawns a root shell.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/output.gif\" alt=\"Rootkit Signal Hunter\" /\u003e\n\u003c/p\u003e\n\nTested with:\n\n* [Singularity](https://github.com/MatheuZSecurity/Singularity) 5b6c4b6 (2025-10-19) on Ubuntu 24.04 kernel 6.8.0-31-generic (x64)\n* [Diamorphine](https://github.com/m0nad/Diamorphine) 2337293 (2023-09-20) on Ubuntu 22.04 kernel 5.19.0-38-generic (x64)\n* [Codeine](https://github.com/diego-tella/Codeine) 9644336 (2025-09-02) on Ubuntu 22.04 kernel 5.19.0-38-generic (x64)\n* [KoviD](https://github.com/carloslack/KoviD) 9b67e46 (2025-10-14) on Ubuntu 24.04 kernel 6.8.0-31-generic (x64)\n  * (successful detection requires knowledge of hardcoded target PID `666`)\n\n\n## Installation\n\nYou can download the latest pre-built binaries from the [Releases page](https://github.com/bcoles/rootkit-signal-hunter/releases);\nor build the latest pre-release version from source:\n\n```sh\ngit clone https://github.com/bcoles/rootkit-signal-hunter \u0026\u0026 \\\ncd rootkit-signal-hunter \u0026\u0026 \\\ncargo build --release\n```\n\n## Usage\n\n```sh\nrootkit-signal-hunter -- [OPTIONS]\n```\n\n## Options\n\n- `--min \u003cMIN\u003e`: Minimum signal number (default: `0`)\n- `--max \u003cMAX\u003e`: Maximum signal number (default: `64`)\n- `-s`, `--shell`: Launch a root shell (if detected)\n- `-t`, `--threads`: Number of worker threads (default: `16`)\n- `-p`, `--pid`: Process ID to send signals to (default: `$$`)\n- `-v`, `--verbose`: Enable verbose output\n\n\u003e [!NOTE]\n\u003e The `--pid` implementation uses `$$` to represent the process ID of a newly\n\u003e spawned process. This will fail on non-POSIX compliant shells such as Fish.\n\n## Example\n\nRootkits such as [Singularity](https://github.com/MatheuZSecurity/Singularity)\nand [Diamorphine](https://github.com/m0nad/Diamorphine) allow privilege\nescalation using any process ID and can be trivially detected with default options\n(`-s` spawns a root shell):\n\n```sh\nrootkit-signal-hunter -s\n```\n\nRootkits such as [KoviD](https://github.com/carloslack/KoviD) require a specific\nprocess ID to be provided with the `-p` / `--pid` flag:\n\n```sh\nrootkit-signal-hunter -s --pid 666\n```\n\n\u003e [!NOTE]\n\u003e This risks terminating the legitimate process with ID `666`\n\u003e (if the current user has the necessary permission).\n\n## License\n\nThis project is licensed under the MIT License. See the [LICENSE](LICENSE) file for details.\n\n## Acknowledgements\n\nShoutout to David Reguera Garcia ([Dreg](https://github.com/therealdreg)) who implemented similar\nsignal-based detection as part of [lsrootkit](https://github.com/therealdreg/lsrootkit).\n\n## Copyright\n\nCopyright © 2025, bcoles\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbcoles%2Frootkit-signal-hunter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbcoles%2Frootkit-signal-hunter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbcoles%2Frootkit-signal-hunter/lists"}