{"id":50620724,"url":"https://github.com/feliux/kscope","last_synced_at":"2026-06-06T11:30:45.145Z","repository":{"id":359642665,"uuid":"1233065669","full_name":"feliux/kscope","owner":"feliux","description":"eBPF-powered offensive runtime discovery and attack surface observability","archived":false,"fork":false,"pushed_at":"2026-05-22T18:38:54.000Z","size":1930,"stargazers_count":0,"open_issues_count":2,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-05-22T21:56:09.981Z","etag":null,"topics":["ebpf","kernel","linux","red-team-tools"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/feliux.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-08T14:56:09.000Z","updated_at":"2026-05-22T18:38:58.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/feliux/kscope","commit_stats":null,"previous_names":["feliux/kscope"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/feliux/kscope","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/feliux%2Fkscope","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/feliux%2Fkscope/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/feliux%2Fkscope/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/feliux%2Fkscope/manifests","owner_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/feliux","download_url":"https://codeload.github.com/feliux/kscope/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/feliux%2Fkscope/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33981122,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-06T02:00:07.033Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ebpf","kernel","linux","red-team-tools"],"created_at":"2026-06-06T11:30:44.443Z","updated_at":"2026-06-06T11:30:45.139Z","avatar_url":"https://github.com/feliux.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n    \u003cimg src=\"docs/images/kscope-gopher.png\" alt=\"KScope logo\" style=\"width: 400px; height: 400px;\" /\u003e\n\u003c/p\u003e\n\n\u003c!--\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"docs/images/kscope-gopher.png\" alt=\"KScope logo\" style=\"max-width: 160px; width: 40%; height: auto;\" /\u003e\n\u003c/div\u003e--\u003e\n\nKScope is an eBPF-based offensive discovery tool that observes real process and network behavior (DNS, IP, TCP) and correlates it in real time to reconstruct context and attack surface, in a passive and lightweight way.\n\n### Why kscope?\n\nKScope means kernel vision: a system-level 
observation and deep introspection tool to see what actually happens in processes and networking, focused on analysis and correlation.\n\n### System requirements\n\n- Linux with eBPF and cgroup v2\n- clang and llvm\n- libbpf and kernel headers\n- bpftool\n- Go and make\n\nInstall on Arch:\n\n```sh\nsudo pacman -S \\\n  base-devel \\\n  clang \\\n  llvm \\\n  libbpf \\\n  linux-headers \\\n  bpf\n```\n\n## Build\n\n```sh\nmake tools\nmake btf\nmake build\nmake run\n```\n\n- `make btf` generates `internal/ebpf/vmlinux.h` using system BTF.\n- The binary is created at `bin/kscope`.\n- Running requires `sudo`.\n- `make run` executes kscope in `observe` mode.\n\n## Quick usage\n\n```sh\nsudo ./bin/kscope -h\n\n# observe command\nsudo ./bin/kscope # observe by default\nsudo ./bin/kscope observe\n\n# proxy with redirection:\nsudo ./bin/kscope proxy --cgroup /sys/fs/cgroup --config /dev/null --rule-ip 34.160.111.145:80\n```\n\n#### Observe arguments\n\n```\n- --output human|json (default: human). Output format. human prints readable lines, json prints one object per line.\n- --modules dns,tcp,process,all (default: dns,tcp,process). Select capture and correlation modules.\n- --bus-buffer (default: 4096). Event bus buffer size to absorb bursts.\n- --subscriber-buffer (default: 1024). Correlation subscriber buffer; if full it may block or drop.\n- --engine-buffer (default: 1024). Correlation engine output buffer.\n- --drop-on-full (default: false). If true, drops events on saturation; if false, applies backpressure.\n```\n\n#### Proxy arguments\n\n```\n- --config path to yaml (default: configs/kscope-rules.yaml). Loads proxy rules and overrides from file.\n- --cgroup cgroup v2 path (default: /sys/fs/cgroup). Cgroup where redirection hooks are attached.\n- --proxy-listen-v4 (default: 127.0.0.1:18080). IPv4 address where the proxy listens.\n- --proxy-redirect-v4 (default: 127.0.0.1:18080). Address the kernel rewrites IPv4 connect to.\n- --proxy-listen-v6. 
IPv6 address where the proxy listens. If not set, IPv6 is not bound.\n- --proxy-redirect-v6. Address the kernel rewrites IPv6 connect to. Used when listen_v6 is set.\n- --rule-pid PID to redirect (repeatable). Redirects only connections from that process.\n- --rule-comm process name to redirect (repeatable). Uses comm, limited to 16 bytes.\n- --rule-ip ip or ip:port to redirect (repeatable). If no port is given, applies to any port.\n- --rule-domain domain or domain:port to redirect (repeatable). Activated by DNS replies and TTL.\n- --bus-buffer (default: 1024). DNS bus buffer for domain rules.\n- --subscriber-buffer (default: 512). DNS subscriber buffer for domain rules.\n- --drop-on-full (default: true). If true, drops DNS events on saturation.\n```\n\nConfiguration precedence:\n- yaml has priority over CLI\n- if yaml does not exist, only CLI is used\n- if yaml exists but you want to use CLI, you can execute with `--config /dev/null`\n\n```sh\nsudo ./bin/kscope proxy --config /dev/null --proxy-listen-v4 127.0.0.1:18080 --proxy-redirect-v4 127.0.0.1:18080\n```\n\n#### Configuration file\n\nSee [configs/kscope-rules.yaml](./configs/kscope-rules.yaml).\n\n### Examples\n\n```sh\n# observe in JSON and only DNS\nsudo ./bin/kscope observe --output json --modules dns\n\n# proxy using config file\nsudo ./bin/kscope proxy --config /configs/kscope-rules.yaml\n\n# proxy with domain redirection\nsudo ./bin/kscope proxy --cgroup /sys/fs/cgroup --config /dev/null --rule-domain ifconfig.me:80 --rule-domain ifconfig.me:443\n\n# proxy using host IP when loopback does not work\nsudo ./bin/kscope proxy --cgroup /sys/fs/cgroup --config /dev/null --proxy-listen-v4 0.0.0.0:18080 --proxy-redirect-v4 192.168.0.166:18080 --rule-ip 34.160.111.145:80\n```\n\n#### bpftool quick guide\n\n```sh\n# show cgroups with attached programs\nsudo bpftool cgroup show /sys/fs/cgroup\nsudo bpftool cgroup show /sys/fs/cgroup/user.slice/user-1000.slice/session-2.scope\n\n# show relevant maps\nsudo 
bpftool map show | grep proxy_target_v4\nsudo bpftool map show | grep redirect_stats\n\n# dump a map\nsudo bpftool map dump id \u003cID\u003e\n\n# show proxy connections\nss -tnp | grep 18080\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffeliux%2Fkscope","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffeliux%2Fkscope","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffeliux%2Fkscope/lists"}