{"id":40831809,"url":"https://github.com/sandflysecurity/sandfly-processdecloak","last_synced_at":"2026-01-21T22:26:16.934Z","repository":{"id":57540293,"uuid":"287401004","full_name":"sandflysecurity/sandfly-processdecloak","owner":"sandflysecurity","description":"Sandfly Linux Stealth Rootkit Decloaking Utility","archived":false,"fork":false,"pushed_at":"2023-01-19T14:14:41.000Z","size":55,"stargazers_count":88,"open_issues_count":2,"forks_count":14,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-06-20T01:58:17.567Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sandflysecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null}},"created_at":"2020-08-13T23:41:50.000Z","updated_at":"2024-06-07T07:39:44.000Z","dependencies_parsed_at":"2023-01-30T20:50:14.074Z","dependency_job_id":null,"html_url":"https://github.com/sandflysecurity/sandfly-processdecloak","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/sandflysecurity/sandfly-processdecloak","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sandflysecurity%2Fsandfly-processdecloak","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sandflysecurity%2Fsandfly-processdecloak/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sandflysecurity%2Fsandfly-processdecloak/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sandflysecurity%2Fsandfly-processdecloak/manifests","owner_url":"https://repos.ecosyste.
ms/api/v1/hosts/GitHub/owners/sandflysecurity","download_url":"https://codeload.github.com/sandflysecurity/sandfly-processdecloak/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sandflysecurity%2Fsandfly-processdecloak/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28645548,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-21T21:29:11.980Z","status":"ssl_error","status_checked_at":"2026-01-21T21:24:31.872Z","response_time":86,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-21T22:26:16.205Z","updated_at":"2026-01-21T22:26:16.926Z","avatar_url":"https://github.com/sandflysecurity.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# What is sandfly-processdecloak?\n\n`sandfly-processdecloak` is a utility to quickly scan for Linux Process IDs (PIDs) that\nare hidden by common and not-so-common loadable kernel module stealth rootkits and decloak them so\nthey are visible.\n\n## Features\n\n* Written in Golang and is portable across multiple architectures with no modifications.\n* Standalone binary requires no dependencies and can be used instantly without loading any libraries.\n* Not affected by ld_preload style rootkits or tampered shared libraries on suspect hosts.\n* Works 
against LKM rootkits such as Diamorphine, Reptile and variants.\n* Very lightweight and will not hook into kernel or cause system instability.\n\n## How Do I Use This?\n\nUsage of `sandfly-processdecloak`:\n\nSimply build and run `sandfly-processdecloak` on the command line. Hidden PIDs will be shown if\nfound.\n\n## Examples\n\nWhen run, the program reports either a clean system or the PIDs that are suspicious:\n\n## Clean System\n\n```bash\nroot@sandfly-clean:~# ./sandfly-processdecloak\nsandfly-processdecloak Version 1.0\nCopyright (c) 2020 Sandfly Security - www.sandflysecurity.com\n\nDecloaking hidden Process IDs (PIDS) on Linux host.\nNo hidden PIDs found.\n```\n\n## Reptile style LKM stealth rootkit\n\n```bash\nroot@sandfly-dirty:~# ./sandfly-processdecloak \nsandfly-processdecloak Version 1.0\n\nCopyright (c) 2020 Sandfly Security - www.sandflysecurity.com\n\nDecloaking hidden Process IDs (PIDS) on Linux host.\nFound hidden PID: 11468 with name: reptile_hidden\nFound hidden PID: 15070 with name: reptile_shell\n```\n\n## Diamorphine style LKM stealth rootkit\n\n```bash\nroot@sandfly-dirty:~# ./sandfly-processdecloak\nsandfly-processdecloak Version 1.0\n\nCopyright (c) 2020 Sandfly Security - www.sandflysecurity.com\n\nDecloaking hidden Process IDs (PIDS) on Linux host.\nFound hidden PID: 7171 with name: diamorphine_hid\n```\n\n## Build\n\n* Install latest version of golang (www.golang.org)\n* Use the following command:\n\n`go get github.com/sandflysecurity/sandfly-processdecloak`\n\n* Or clone the repo under your Golang src directory.\n* Go into the repo directory and build it with instructions below.\n\n## Basic Build\n\nOn the system architecture you want to compile for, copy the sources under your Golang src directory and run:\n\n`go build sandfly-processdecloak`\n\n## Build Scripts\n\nThere are some basic build scripts that build for various platforms. You can use these to build or\nmodify to suit. 
For Incident Responders, it might be useful to keep pre-compiled binaries ready to\ngo on your investigation box.\n\n`build.sh` - Generic build for whatever architecture you are on when run.\n\n`build_all.sh` - Builds all binaries for AMD, Intel, MIPS and Arm Linux architectures.\n\n`build_linux_adm64.sh` - Build for AMD64/Intel 64 bit architecture.\n\n`build_linux_386.sh` - Build for 386/32 bit architecture.\n\n`build_linux_arm.sh` - Build for generic Arm architecture.\n\n`build_linux_arm5.sh` - Build for Armv5 architecture.\n\n`build_linux_arm6.sh` - Build for Armv6 architecture.\n\n`build_linux_arm7.sh` - Build for Armv7 architecture.\n\n`build_linux_arm64.sh` - Build for Arm 64 bit architecture.\n\n`build_linux_mips.sh` - Build for MIPS architecture.\n\n`build_linux_mips64.sh` - Build for MIPS 64 bit architecture.\n\n## Linux AMD/Intel64 Command Line Build\n\nTo build for basic Linux, go into the files under the Golang src directory and build:\n\n`env GOOS=linux GOARCH=amd64 go build -o sandfly-processdecloak -ldflags=\"-s -w\"`\n\nOr for generic 386:\n\n`env GOOS=linux GOARCH=386 go build -o sandfly-processdecloak -ldflags=\"-s -w\"`\n\nYou can do the same for any supported Golang architecture on Linux. \n\n## False Positives\n\nIt's possible to flag a legitimate PID that is not actually cloaked. You will need to manually\ninvestigate the /proc/PID directory to check if it is legitimate. Please report false positives to\nus if you find them.\n\n## Agentless Linux Security\n\nSandfly Security produces an agentless endpoint detection and incident response platform (EDR) for\nLinux. 
Automated hidden process checks are just one of thousands of things we search for to find\nintruders without loading any software on your Linux endpoints.\n\nGet a free license and learn more below:\n\n\u003chttps://www.sandflysecurity.com\u003e\n\n@SandflySecurity\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsandflysecurity%2Fsandfly-processdecloak","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsandflysecurity%2Fsandfly-processdecloak","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsandflysecurity%2Fsandfly-processdecloak/lists"}