{"id":27005403,"url":"https://github.com/simpuar/covertd","last_synced_at":"2026-04-28T08:03:03.578Z","repository":{"id":284556913,"uuid":"955313828","full_name":"Simpuar/covertd","owner":"Simpuar","description":"Covert Linux daemon for encrypted file logging, USB tracking, screenshots, and stealth exfiltration","archived":false,"fork":false,"pushed_at":"2025-03-26T13:33:01.000Z","size":33,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-04T07:15:34.916Z","etag":null,"topics":["c","covert","data-exfiltration","file-monitoring","forensics","ld-preload","linux","malware-analysis","red-team","research","screenshot-capture","security-audit","security-tools","systemd","usb-tracker"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Simpuar.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-03-26T12:57:15.000Z","updated_at":"2025-04-01T09:04:41.000Z","dependencies_parsed_at":"2025-03-26T14:31:16.397Z","dependency_job_id":"7d32d252-5b66-4a04-8c0a-0f4b353c6625","html_url":"https://github.com/Simpuar/covertd","commit_stats":null,"previous_names":["simpuar/covertd"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Simpuar/covertd","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Simpuar%2Fcovertd","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Simpuar%2Fcovertd/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Simpuar%2Fcovertd/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Simpuar%2Fcovertd/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Simpuar","download_url":"https://codeload.github.com/Simpuar/covertd/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Simpuar%2Fcovertd/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32371673,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-27T20:07:02.737Z","status":"online","status_checked_at":"2026-04-28T02:00:07.250Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c","covert","data-exfiltration","file-monitoring","forensics","ld-preload","linux","malware-analysis","red-team","research","screenshot-capture","security-audit","security-tools","systemd","usb-tracker"],"created_at":"2025-04-04T07:15:37.905Z","updated_at":"2026-04-28T08:03:03.561Z","avatar_url":"https://github.com/Simpuar.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# covertD\n\n```\n ___ ___ __ __ _____ ___ \n / __\\ /___\\/\\ /\\/__\\/__\\/__ \\/ \\\n / / // //\\ \\ / /_\\ / \\// / /\\/ /\\ /\n/ /___/ \\_// \\ V //__/ _ \\ / / / /_// \n\\____/\\___/ \\_/\\__/\\/ \\_/ \\/ /___,' \n```\n\n![Build](https://img.shields.io/badge/build-passing-brightgreen)\n![License](https://img.shields.io/badge/license-educational-blue)\n![Platform](https://img.shields.io/badge/platform-Linux-lightgrey)\n\n# Stealth File Activity Monitor for Linux\n\nA Red Team–oriented proof-of-concept for covert file monitoring and data exfiltration on Linux systems. Developed as a Bachelor's thesis project to explore stealth persistence, forensic evasion, and covert telemetry in secure environments.\n\n## πŸ” Features\n\n- Real-time file monitoring using `inotify`\n- USB device detection via `libudev`\n- AES-encrypted log exfiltration via TCP\n- Screenshot capture on active window change (`libX11`)\n- Optional ARP signaling for covert communication\n- LD_PRELOAD-based stealth (hiding from `/proc`, readdir interception)\n- Deployable via `systemd` service\n- Keylogging module prototype (non-default)\n\n## πŸ§ͺ Security \u0026 Compliance\n\n- Static and dynamic code analysis performed (Clang Analyzer, Valgrind)\n- Manually audited against CWE and logic bugs\n- Complies with Class 3 FSTEC standards for absence of undocumented features\n\n## 🧩 Why This Tool?\n\n| System | USB Detection | Keystroke Logging | Data Exfiltration | Process Hiding | Screenshots |\n| --------------------------- | ------------- | ----------------- | ----------------- | --------------- | ----------- |\n| **Auditd** | βœ… | ❌ | ❌ | ❌ | ❌ |\n| **inotify-tools** | ❌ | ❌ | ❌ | ❌ | ❌ |\n| **Auditbeat** | βœ… | ❌ | βœ… | ❌ | ❌ |\n| **Sysdig** | βœ… | ❌ | ❌ | ❌ | βœ… |\n| **SprutMonitor (Win only)** | βœ… | βœ… | βœ… | βœ… | βœ… |\n| **covertD (this)** | βœ… | βœ… (prototype) | βœ… (AES over TCP) | βœ… (LD_PRELOAD) | βœ… |\n\n## βš™οΈ Dependencies\n\nInstall required libraries (Debian/Ubuntu/Kali):\n\n```bash\nsudo apt update\nsudo apt install libssl-dev libudev-dev libpcap-dev libx11-dev libnet1-dev\n```\n\n## πŸ›  Build\n\n```bash\nmake all\n```\n\nThis builds:\n- `coretaskd` β€” file monitoring daemon\n- `server` β€” log receiver and decryptor\n- `screenshot-decryptor` β€” optional PoC for visual log parsing\n\n## πŸš€ Usage\n\n### 1. Deploy systemd service\n\n```bash\ncp coretaskd /usr/local/bin/\ncp coretaskd.service /etc/systemd/system/\nsystemctl daemon-reexec\nsystemctl enable coretaskd\nsystemctl start coretaskd\n```\n\n### 2. Start receiver\n\n```bash\n./server 9999\n```\n\n### 3. (Optional) Enable process hiding\n\n```bash\ncd processhider\nmake\necho /full/path/to/libprocesshider.so \u003e\u003e /etc/ld.so.preload\n```\n\n## πŸ“ Project Structure\n\n- `main.c` – file and USB monitor\n- `server.c` / `decrypt.c` – listener with AES decryption\n- `coretask.sh` – deployment helper script\n- `processhider/` – LD_PRELOAD stealth library\n- `screenshot-decryptor.c` – GUI window watcher and screenshot handler\n\n## βœ… Tested On\n\n- Astra Linux SE\n- Ubuntu 22.04\n\n## πŸ“ˆ Future Improvements\n\n- Wayland screenshot capture\n- Cross-platform builds (Windows, macOS)\n- Kernel-level rootkit integration\n- Real-time USB block \u0026 alerting\n\n## ⚠ Disclaimer\n\n**Educational use only.** Do not deploy without explicit authorization.\n\n## 🧠 Thesis Origin\n\nOriginally developed as part of a Bachelor's thesis focused on secure file telemetry and stealth persistence mechanisms in hardened Linux environments. Designed for use in Red Team training, malware research, and threat simulation labs.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsimpuar%2Fcovertd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsimpuar%2Fcovertd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsimpuar%2Fcovertd/lists"}