Repository record (ecosyste.ms, last synced 2025-03-27): https://github.com/echo-devim/NoCrypt
- Description: AntiRansomware Linux Kernel Module
- Language: C; license: MIT; default branch: main
- Topics: antimalware, antiransomware, defense, kernelmodule, linux, ransomware
- Stars: 36; forks: 7; open issues: 0; last push: 2023-05-25
- Previous names: niveb/nocrypt, echo-devim/nocrypt
- Download: https://codeload.github.com/echo-devim/NoCrypt/tar.gz/refs/heads/main

# NoCrypt - AntiRansomware Linux Kernel Module
A small experimental project: a defensive tool that tries to prevent ransomware attacks on Linux systems.

The module hooks the `sys_rename` system call using ftrace to monitor every file rename on the system.

Ransomware often encrypts many files and renames each of them with the same suffix.
NoCrypt checks whether a process renames a file to a known ransomware suffix; if so, it kills the process and prints a JSON-formatted log line to the kernel message buffer (use `dmesg` to view it).

NoCrypt also has a small behavioural check: if the same process keeps renaming files, it is killed after 12 renames by default (tunable with the `max_rename` module parameter).

The module also has a self-protection mechanism: it hides itself from the system so that it cannot be unloaded. Providing the right password makes it visible again, after which it can be unloaded.

Caveat: only `sys_rename` is hooked. Renames issued through `renameat` or `renameat2` (the calls glibc uses on architectures that have no `rename` syscall, such as arm64) are not observed, and ransomware that encrypts files in place, or writes an encrypted copy and unlinks the original, never triggers either check. The "Hook more syscalls" item in the notes below addresses this.

**Consider this project a proof-of-concept you can easily customize for your needs. I don't take any responsibility.**

Thanks to the Immutable-file-linux project by Shubham Dubey.

Reference for the hooking technique: https://nixhacker.com/hooking-syscalls-in-linux-using-ftrace

## Instructions
* Run `make` from a terminal
* Load the module: `sudo insmod nocrypt.ko "max_rename=20" "behaviour_detection=true" "password=your-P4ss"`

**Note:** `insmod` loads the kernel module only until the system is rebooted. If you want to make this module persistent, ask your sysadmins. Note also that a password passed on the `insmod` command line ends up in your shell history.

The module prints all its logs to the kernel message buffer (use the `dmesg` command to see them). When a ransomware attack is detected, the module prints the event in JSON format so that other systems can parse it.
NoCrypt then hides the module from the system and creates a sysfs file at `/sys/kernel/.nocrypt/nocrypt` that only root can read and write.

If you run `lsmod | grep nocrypt` or `rmmod nocrypt`, you will fail. To unlock the module and make it visible again, run:
```sh
# echo -n "your-P4ss" > /sys/kernel/.nocrypt/nocrypt
```

The default password is `n0Cr1pt`. After that command you can run `rmmod`.

Attackers can still find the module (for example by reading `dmesg`), but they should not be able to unload it so easily.
See the notes at the end for further possible improvements.

## Example
Compile the example program: `gcc -o example example.c`.

Running `./example`, the program tries to rename several (non-existent) test files to `.lockbit`.
Even though the input files do not exist, NoCrypt kills the process because it is trying to rename files to a blacklisted extension.
Check the module output with `sudo dmesg`.

Full example output:
```sh
# insmod nocrypt.ko "max_rename=20" "behaviour_detection=true" "password=n0Cr1pt"
$ ./example
[1]    35452 killed     ./example
# rmmod nocrypt
rmmod: ERROR: could not remove 'nocrypt': No such file or directory
# echo -n 'n0Cr1pt' > /sys/kernel/.nocrypt/nocrypt
# rmmod nocrypt
# dmesg | grep nocrypt | tail -4
[25705.710774] nocrypt: nocrypt loaded (max_rename=20,behaviour_detection=1)
[25710.226666] nocrypt: {"program":"example","pid":35462,"status":"detected","type":"lockbit","reason":"known extension","details":"renaming test0 to test0.lockbit"}
[25783.850022] nocrypt: Module unlocked
[25790.640147] nocrypt: nocrypt unloaded
```

# Notes
Possible improvements that are unlikely to be implemented in this PoC project:
- Dump process memory
- Write logs to an internal buffer accessible via sysfs (partially implemented)
- Hide the module from the system completely, so attackers cannot tell whether nocrypt is installed
- Add more self-protection mechanisms
- Hook more syscalls and perform more checks

If you use or extend this project, please cite or link this repo and its original author.
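The two detection rules the README describes (kill on a known ransomware suffix; kill after `max_rename` renames by one process when `behaviour_detection` is on), modelled in user-space C so the decision logic can be exercised without loading a kernel module. This is an added example, not NoCrypt's code: the suffix list beyond `.lockbit`, the fixed-size per-pid counter table, the `type` and `reason` values of the behavioural event, and the choice to kill on exactly the `max_rename`-th rename are assumptions of this example. The sample events in `main` are constructed, not captured. In the real module the same decision would run inside the ftrace hook on `sys_rename` and send a kill signal to the task instead of returning a verdict.

```c
/* Added example: user-space model of NoCrypt's two rename checks.
 * Not the project's code; suffix list, table size and threshold
 * comparison are assumptions of this example. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define MAX_TRACKED 64          /* per-pid counters kept by this model */

enum verdict { NC_ALLOW = 0, NC_KILL_SUFFIX = 1, NC_KILL_BEHAVIOUR = 2 };

/* Only ".lockbit" appears on the page; the others are assumed entries
 * a deployment would curate itself. */
static const char *known_suffixes[] = { ".lockbit", ".locked", ".crypt", ".encrypted" };

struct pid_counter { pid_t pid; unsigned renames; };   /* pid 0 = free slot */

struct nocrypt_state {
    unsigned max_rename;        /* insmod max_rename=...; README default is 12 */
    int behaviour_detection;    /* insmod behaviour_detection=true/false */
    struct pid_counter table[MAX_TRACKED];
};

static void nocrypt_init(struct nocrypt_state *st, unsigned max_rename, int behaviour_detection)
{
    memset(st, 0, sizeof *st);
    st->max_rename = max_rename;
    st->behaviour_detection = behaviour_detection;
}

/* Return the matching suffix or NULL. Only the end of the new path is
 * compared, so "test0.lockbit" hits and "dir.lockbit/file" does not. */
static const char *match_suffix(const char *newname)
{
    size_t n = strlen(newname);
    for (size_t i = 0; i < sizeof known_suffixes / sizeof known_suffixes[0]; i++) {
        size_t s = strlen(known_suffixes[i]);
        if (n > s && strcmp(newname + n - s, known_suffixes[i]) == 0)
            return known_suffixes[i];
    }
    return NULL;
}

/* Find or allocate the counter slot for a pid; NULL when the table is full. */
static struct pid_counter *counter_for(struct nocrypt_state *st, pid_t pid)
{
    struct pid_counter *free_slot = NULL;
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (st->table[i].pid == pid) return &st->table[i];
        if (st->table[i].pid == 0 && !free_slot) free_slot = &st->table[i];
    }
    if (free_slot) { free_slot->pid = pid; free_slot->renames = 0; }
    return free_slot;
}

/* The decision the hook takes for one rename(old, new) by `pid` running
 * `comm`. On a kill verdict, `log` receives a JSON event shaped like the
 * dmesg line on the page; on allow, `log` is emptied. */
static enum verdict nocrypt_on_rename(struct nocrypt_state *st, pid_t pid, const char *comm,
                                     const char *oldname, const char *newname,
                                     char *log, size_t logsz)
{
    const char *sfx = match_suffix(newname);
    if (sfx) {
        snprintf(log, logsz,
                 "{\"program\":\"%s\",\"pid\":%d,\"status\":\"detected\",\"type\":\"%s\","
                 "\"reason\":\"known extension\",\"details\":\"renaming %s to %s\"}",
                 comm, (int)pid, sfx + 1, oldname, newname);
        return NC_KILL_SUFFIX;
    }
    if (st->behaviour_detection) {
        struct pid_counter *c = counter_for(st, pid);
        /* Assumption: the max_rename-th rename by one process is the one that kills it. */
        if (c && ++c->renames >= st->max_rename) {
            snprintf(log, logsz,
                     "{\"program\":\"%s\",\"pid\":%d,\"status\":\"detected\",\"type\":\"unknown\","
                     "\"reason\":\"too many renames\",\"details\":\"%u renames, limit %u\"}",
                     comm, (int)pid, c->renames, st->max_rename);
            c->pid = 0;     /* the process is killed, so its counter is released */
            return NC_KILL_BEHAVIOUR;
        }
    }
    log[0] = '\0';
    return NC_ALLOW;
}

int main(void)
{
    struct nocrypt_state st;
    char log[256];
    nocrypt_init(&st, 12, 1);                 /* README defaults */
    /* Constructed sample events: the page's example program, then a bulk renamer. */
    if (nocrypt_on_rename(&st, 35462, "example", "test0", "test0.lockbit", log, sizeof log) != NC_ALLOW)
        printf("nocrypt: %s\n", log);
    for (int i = 0; i < 12; i++)
        if (nocrypt_on_rename(&st, 4242, "bulk-rename", "doc", "doc.bak", log, sizeof log) != NC_ALLOW)
            printf("nocrypt: %s\n", log);
    return 0;
}
```

With `behaviour_detection` off the counter is never consulted, which mirrors the module parameter: the suffix check alone still fires on `.lockbit` no matter how the parameter is set.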