{"id":31722892,"url":"https://github.com/h2337/ghostscan","last_synced_at":"2025-10-09T04:21:52.460Z","repository":{"id":317003189,"uuid":"1065631155","full_name":"h2337/ghostscan","owner":"h2337","description":"A modern, Rust-powered Linux scanner that unmasks hidden rootkits, stealthy eBPF tricks, and ghost processes in one fast sweep (45+ scanners)","archived":false,"fork":false,"pushed_at":"2025-09-28T05:50:12.000Z","size":53,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-09-28T07:22:09.434Z","etag":null,"topics":["antivirus","linux-security","malware-detection","rootkit-detection","scanner","security","security-scanner","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/h2337.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-28T05:45:03.000Z","updated_at":"2025-09-28T07:12:40.000Z","dependencies_parsed_at":"2025-09-28T07:32:20.419Z","dependency_job_id":null,"html_url":"https://github.com/h2337/ghostscan","commit_stats":null,"previous_names":["h2337/ghostscan"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/h2337/ghostscan","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h2337%2Fghostscan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h2337%2Fghostscan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h2337%2Fghostscan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h2337%2Fghostscan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/h2337","download_url":"https://codeload.github.com/h2337/ghostscan/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h2337%2Fghostscan/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279000754,"owners_count":26082921,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-09T02:00:07.460Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antivirus","linux-security","malware-detection","rootkit-detection","scanner","security","security-scanner","security-tools"],"created_at":"2025-10-09T04:21:49.112Z","updated_at":"2025-10-09T04:21:52.454Z","avatar_url":"https://github.com/h2337.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ghostscan\n\nFast one-shot sweep for Linux incident response. Drop the binary on a host, run it once, and collect actionable leads from the kernel, procfs, bpffs, systemd, cron, sockets, and more.\n\n## Quick start\n\n1. Install a current Rust toolchain.\n2. Build with `cargo build --release`.\n3. Copy `target/release/ghostscan` to the target host.\n4. Run as root (or with equivalent capabilities): `sudo ./ghostscan`.\n5. Optional helpers (`bpftool`, `nft`, `ss`, `journalctl`, `auditctl`) expand coverage; when missing, the output explains what was skipped.\n\n## Reading results\n\n- Each scanner prints a bracketed name followed by either findings, `OK`, or an error string.\n- The process always exits with code `0`; treat the log itself as the verdict.\n- Findings are heuristics designed for triage; validate before acting.\n\n## Available scanners\n\n- **Hidden LKM**: compares procfs/sysfs clusters against `kallsyms` to surface hidden modules.\n- **Kernel taint**: highlights taint flags that lack a visible explanation.\n- **Ftrace redirection**: spots risky `ftrace` hooks on critical kernel paths.\n- **Unknown kprobes**: looks for kprobes attached to sensitive symbols that ghostscan cannot explain.\n- **Syscall table integrity**: verifies syscall table pointers for tampering.\n- **Netfilter hook drift**: finds orphaned or invalid netfilter hook jumps.\n- **Module linkage tamper**: checks module list pointers for manipulation.\n- **Ownerless BPF objects**: reports BPF maps/programs without a backing task.\n- **BPF kprobe attachments**: flags kprobes pointed at high-value kernel routines.\n- **BPF LSM**: notes when BPF LSM programs are active.\n- **Detached XDP/TC programs**: detects XDP or TC programs that no longer have an interface.\n- **Sockmap/Sockhash verdicts**: surfaces sockmap/sockhash programs lacking owners.\n- **Sensitive kfunc usage**: tracks invocations of dangerous `kfunc` targets.\n- **Non-bpffs pins**: finds BPF pins created outside bpffs mounts.\n- **Netlink vs proc**: compares netlink inventories with `/proc/net` to expose hidden sockets.\n- **Task list mismatch**: contrasts BPF snapshots with `/proc` task lists to expose hidden PIDs.\n- **Hidden PIDs**: uses BPF-only views to reveal task IDs invisible to `/proc`.\n- **Kernel thread masquerade**: detects kernel threads spoofing user process metadata.\n- **Suspicious ptrace edges**: reports unusual ptrace parent/child relationships.\n- **Deleted or memfd binaries**: lists processes executing from deleted files or memfd mounts.\n- **Hidden listeners**: identifies listeners seen via netlink vs `/proc` vs BPF.\n- **Ownerless sockets**: reports sockets without an owning task.\n- **Netfilter cloaking**: spots tampering patterns that hide netfilter rules.\n- **Local port backdoors**: highlights sockets bound to deleted or temporary paths.\n- **`ld.so.preload` tamper**: inspects `ld.so.preload` for unexpected entries.\n- **Cron ghosts**: checks cron/anacron/at directories for orphaned or cloaked jobs.\n- **Systemd ghosts**: finds unit files pointing to deleted or temporary executables.\n- **SSH footholds**: surfaces dangerous `authorized_keys` options and forced commands.\n- **OverlayFS whiteouts**: reports suspicious opaque or whiteout entries in OverlayFS.\n- **Hidden bind mounts**: lists bind or immutable mounts likely used for concealment.\n- **PAM/NSS modules**: flags PAM or NSS modules loaded from non-system paths.\n- **Live `LD_PRELOAD`**: notes processes still using deleted or writable preload libraries.\n- **Library search hijack**: checks SUID/privileged binaries for unsafe search paths.\n- **`LD_AUDIT` daemons**: finds daemons configured with `LD_AUDIT` despite lacking TTYs.\n- **Large RX regions**: surfaces non-JIT daemons with large anonymous RX memory.\n- **Kernel text RO**: verifies that kernel text sections remain read-only.\n- **`/etc/scripts.d` provenance**: warns on executable scripts from tmp or non-root owners.\n- **Sudoers**: examines sudoers entries for insecure privilege escalation paths.\n- **Kernel cmdline**: alerts on boot parameters that disable audit, lockdown, or IMA.\n- **Sensitive host mounts**: identifies sensitive host paths exposed inside containers.\n- **Host PID namespace**: reports containers sharing the host PID namespace.\n- **Overlay lowerdir**: catches OverlayFS lowerdirs that escape the storage root.\n- **Audit disabled**: detects when auditd is off or dropping records.\n- **Journal gaps**: looks for missing spans in the current boot's journal.\n- **Kernel message suppression**: notices unusual suppression of kernel logs.\n\n## Development pointers\n\n- Format and lint locally with `cargo fmt \u0026\u0026 cargo check`.\n- New scanners live in `src/scanners/` and expose `pub fn run() -\u003e ScanOutcome` before being registered in `SCANNERS` inside `src/main.rs`.\n\n## Operational notes\n\n- Most modules require elevated privileges to read privileged interfaces, and they report missing access instead of silently failing.\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fh2337%2Fghostscan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fh2337%2Fghostscan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fh2337%2Fghostscan/lists"}