Linux Incident Response

Find the ghosts hiding in your kernel

A fast, single-binary incident response scanner for Linux. Detects rootkits, hidden processes, kernel tampering, and persistence mechanisms in one sweep.

root@host:~# ./ghostscan

[Syscall Table] OK
[Hidden LKM] OK
[Kernel Taint] OK
[Ftrace Hooks] OK
[BPF Kprobes] FINDING: kprobe on do_exit owned by pid 0 (orphan)
[Hidden PIDs] FINDING: PID 31337 visible to BPF but missing from /proc
[Deleted Binaries] OK
[Hidden Listeners] OK
[SSH Footholds] OK
[ld.so.preload] OK
... 42 more scanners ...

Completed 52 scanners in 1.4s — 2 findings, 50 clear
52 security scanners, 10 attack categories, one single binary, full scan in under 2 seconds.
Features

Deep forensics, no persistent footprint

Ghostscan inspects kernel structures, BPF programs, network sockets, and filesystem artifacts to surface threats that traditional tools miss.

Single Binary Deploy

Drop one static binary onto the target host. No dependencies, no installation, no agents. Build once with Rust and go.

One-Shot Scan

Run once, get results. No daemons, no persistent state. Every scan is a fresh, complete sweep with immediate findings.

eBPF-Powered Detection

Embedded BPF programs inspect kernel data structures directly, finding hidden processes and listeners invisible to procfs.

Kernel Integrity Checks

Validates syscall tables, ftrace hooks, kprobes, and kernel text sections to detect runtime tampering and rootkit hooks.

Network Anomaly Detection

Cross-references netlink sockets, /proc/net, and netfilter hooks to find hidden listeners, orphaned sockets, and backdoor ports.

Persistence Hunting

Scans cron jobs, systemd units, SSH configs, ld.so.preload, PAM modules, sudoers, and more for backdoor persistence mechanisms.

52 Scanners

Comprehensive coverage across the attack surface

Every scanner cross-references multiple data sources to detect discrepancies that indicate active compromise.

Kernel Modules

  • Hidden LKM detection (procfs/sysfs/kallsyms)
  • Module list linkage tampering
  • Kernel taint analysis with attribution
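
The cross-reference behind the hidden-LKM check, written out as an added example in Rust (this is not ghostscan's own code) over constructed input. A module that has unlinked itself from the list behind /proc/modules still owns symbols tagged [name] in /proc/kallsyms and still has a /sys/module/<name> directory. Two things here are this example's assumptions rather than anything the page states: the `initstate` heuristic for separating loaded modules from built-in code that also gets a sysfs directory, and the choice of taint bits worth flagging.

```rust
use std::collections::BTreeSet;

/// Module names from /proc/modules: the first field of each line.
pub fn modules_from_proc(proc_modules: &str) -> BTreeSet<String> {
    proc_modules
        .lines()
        .filter_map(|l| l.split_whitespace().next())
        .map(str::to_string)
        .collect()
}

/// Module names that own symbols in /proc/kallsyms. A module symbol carries a
/// trailing "[name]" tag as a fourth field; core kernel symbols have only three.
pub fn modules_from_kallsyms(kallsyms: &str) -> BTreeSet<String> {
    kallsyms
        .lines()
        .filter_map(|l| l.split_whitespace().nth(3))
        .map(|tag| tag.trim_start_matches('[').trim_end_matches(']').to_string())
        .collect()
}

/// Loaded modules according to /sys/module. Built-in code with parameters also
/// gets a directory there (printk, for one), but only a loaded module has an
/// `initstate` file, so the caller passes (name, has_initstate) per entry.
/// This filter is a heuristic assumed by the example.
pub fn modules_from_sysfs(entries: &[(&str, bool)]) -> BTreeSet<String> {
    entries
        .iter()
        .filter(|(_, has_initstate)| *has_initstate)
        .map(|(name, _)| name.to_string())
        .collect()
}

/// Anything kallsyms or sysfs still knows about that /proc/modules no longer
/// lists has been unlinked from the module list: report it.
pub fn hidden_modules(
    proc_modules: &str,
    sysfs_entries: &[(&str, bool)],
    kallsyms: &str,
) -> BTreeSet<String> {
    let visible = modules_from_proc(proc_modules);
    let mut seen = modules_from_kallsyms(kallsyms);
    seen.extend(modules_from_sysfs(sysfs_entries));
    seen.difference(&visible).cloned().collect()
}

/// Taint bits (Documentation/admin-guide/tainted-kernels.rst) that this example
/// treats as worth a closer look during a rootkit hunt.
const TAINT_OF_INTEREST: [(u64, char, &str); 5] = [
    (1 << 1, 'F', "module force-loaded"),
    (1 << 3, 'R', "module force-unloaded"),
    (1 << 6, 'U', "taint requested from user space"),
    (1 << 12, 'O', "out-of-tree module loaded"),
    (1 << 13, 'E', "unsigned module loaded"),
];

/// Decode /proc/sys/kernel/tainted (or a per-module /sys/module/<name>/taint
/// mask) into the flag letters of interest, in table order.
pub fn suspicious_taint(mask: u64) -> Vec<char> {
    TAINT_OF_INTEREST
        .iter()
        .filter(|(bit, _, _)| (mask & *bit) != 0)
        .map(|(_, letter, _)| *letter)
        .collect()
}

fn main() {
    // Constructed stand-ins for the three live files.
    let proc_modules = "xfs 1900544 3 - Live 0xffffffffc0b00000\n\
                        nf_tables 294912 0 - Live 0xffffffffc0900000\n";
    let sysfs = [("xfs", true), ("nf_tables", true), ("printk", false), ("ghost", true)];
    let kallsyms = "ffffffff81000000 T _text\n\
                    ffffffffc0b01000 t xfs_trans_alloc\t[xfs]\n\
                    ffffffffc0a00000 t hook_getdents64\t[ghost]\n";
    for name in hidden_modules(proc_modules, &sysfs, kallsyms) {
        println!("FINDING: module {name} known to sysfs/kallsyms but absent from /proc/modules");
    }
    // 0x3000 sets bits 12 and 13: an out-of-tree, unsigned module was loaded.
    println!("taint flags of interest: {:?}", suspicious_taint(0x3000));
}
```

A module that also scrubs its kallsyms entries and removes its sysfs directory defeats this particular comparison, so it is one signal among several rather than a verdict on its own. The taint mask, by contrast, cannot be cleared from user space, so an O or E flag on a host whose policy forbids out-of-tree modules deserves attention even when every list agrees.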

Kernel Integrity

  • Syscall table pointer verification
  • Ftrace redirection on critical paths
  • Unknown kprobes on sensitive symbols
  • Kernel text RO enforcement

BPF Programs

  • Ownerless BPF objects
  • BPF kprobe on sensitive symbols
  • BPF LSM & XDP/TC detached programs
  • Sockmap/sockhash & sensitive kfuncs

Process Hiding

  • Hidden PIDs (BPF-only visibility)
  • Task list mismatch (BPF vs /proc)
  • Kernel thread masquerade
  • Deleted/memfd binary execution
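
The task-list comparison and the exe-link classification, as an added Rust example (not the project's code) over constructed data. The two kernel-side PID arrays stand in for consecutive BPF task-iterator snapshots; taking a second one is this example's way of handling the race between non-atomic reads, and the confirmation deliberately does not go through /proc, because the same hook that hides a directory from getdents can hide it from lookup as well.

```rust
use std::collections::BTreeSet;

/// Where /proc/<pid>/exe points, classified for triage.
#[derive(Debug, PartialEq, Eq)]
pub enum ExeState {
    /// Regular file still present on disk.
    OnDisk(String),
    /// Binary unlinked after exec: the kernel appends " (deleted)" to the link.
    Deleted(String),
    /// Fileless execution from a memfd; the link reads "/memfd:<name> (deleted)".
    Memfd(String),
}

/// Classify a readlink("/proc/<pid>/exe") result. Kernel threads have no exe
/// link (readlink fails with ENOENT), so the caller passes None for them; a
/// user-space task with no exe link is itself a masquerade indicator.
pub fn classify_exe(link: Option<&str>) -> Option<ExeState> {
    let target = link?;
    // memfd first: its link target also carries the " (deleted)" suffix.
    if let Some(rest) = target.strip_prefix("/memfd:") {
        let name = rest.strip_suffix(" (deleted)").unwrap_or(rest);
        return Some(ExeState::Memfd(name.to_string()));
    }
    match target.strip_suffix(" (deleted)") {
        Some(path) => Some(ExeState::Deleted(path.to_string())),
        None => Some(ExeState::OnDisk(target.to_string())),
    }
}

/// PIDs from a readdir of /proc: only all-digit names are processes
/// ("self", "thread-self", "cpuinfo" and friends are skipped).
pub fn pids_from_proc(entries: &[&str]) -> BTreeSet<u32> {
    entries.iter().filter_map(|e| e.parse::<u32>().ok()).collect()
}

/// Cross-reference two kernel task snapshots with a /proc listing. A PID in
/// the first snapshot that is missing from /proc is hidden only if the second
/// snapshot still has it; otherwise it simply exited between the reads.
pub fn hidden_pids(first: &[u32], second: &[u32], proc_entries: &[&str]) -> Vec<u32> {
    let visible = pids_from_proc(proc_entries);
    let confirmed: BTreeSet<u32> = second.iter().copied().collect();
    first
        .iter()
        .copied()
        .filter(|pid| confirmed.contains(pid) && !visible.contains(pid))
        .collect()
}

fn main() {
    // Constructed sample data in place of live BPF snapshots and a /proc readdir.
    let snapshot_a = [1, 742, 31337, 4021];
    let snapshot_b = [1, 742, 31337]; // 4021 exited between the two reads
    let proc_dir = ["1", "742", "self", "thread-self", "cpuinfo"];
    for pid in hidden_pids(&snapshot_a, &snapshot_b, &proc_dir) {
        println!("FINDING: PID {pid} visible to the kernel but missing from /proc");
    }
    let links = [
        Some("/usr/bin/bash"),
        Some("/tmp/.x/payload (deleted)"),
        Some("/memfd:stage2 (deleted)"),
        None,
    ];
    for link in links {
        println!("{link:?} -> {:?}", classify_exe(link));
    }
}
```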

Network Tampering

  • Netfilter hook drift & cloaking
  • Hidden listeners (netlink-only)
  • Ownerless sockets & port backdoors
  • Netlink vs /proc discrepancies
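
The procfs-versus-netlink comparison, as an added Rust example (not ghostscan's code). It parses the real /proc/net/tcp layout from constructed lines and diffs the result against a listener set that stands in for a netlink sock_diag dump, then checks which listening inodes no visible process holds. The little-endian address encoding is assumed (it holds on x86 and arm64); the sample addresses, ports and inodes are constructed.

```rust
use std::collections::BTreeSet;
use std::net::Ipv4Addr;

#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub struct Listener {
    pub addr: Ipv4Addr,
    pub port: u16,
    pub inode: u64,
}

/// TCP_LISTEN as printed in the `st` column of /proc/net/tcp.
const TCP_LISTEN: &str = "0A";

/// Listening sockets from /proc/net/tcp. local_address is "<ip>:<port>" in hex;
/// the kernel prints the IPv4 address as a native-endian u32, so on a
/// little-endian host (assumed here) 0100007F:0277 is 127.0.0.1:631.
pub fn listeners_from_proc_net_tcp(text: &str) -> BTreeSet<Listener> {
    text.lines()
        .skip(1) // header row
        .filter_map(|line| {
            let f: Vec<&str> = line.split_whitespace().collect();
            if f.len() < 10 || f[3] != TCP_LISTEN {
                return None;
            }
            let (ip_hex, port_hex) = f[1].split_once(':')?;
            let ip = u32::from_str_radix(ip_hex, 16).ok()?;
            Some(Listener {
                addr: Ipv4Addr::from(ip.to_le_bytes()),
                port: u16::from_str_radix(port_hex, 16).ok()?,
                inode: f[9].parse().ok()?,
            })
        })
        .collect()
}

/// Listeners the kernel reports over netlink but /proc/net/tcp does not show.
/// The procfs seq_file is what a rootkit hooks to cloak a port; netlink
/// inet_diag is a separate code path, so the two disagreeing is the finding.
pub fn hidden_listeners(proc_net_tcp: &str, netlink: &BTreeSet<Listener>) -> Vec<Listener> {
    let visible = listeners_from_proc_net_tcp(proc_net_tcp);
    netlink.difference(&visible).cloned().collect()
}

/// Listeners whose inode no /proc/<pid>/fd "socket:[N]" link points at. Either
/// the owner is hidden as well, or the socket is kernel-owned: the in-kernel
/// NFS server on 2049 legitimately has no fd, so compare against expected
/// services before calling a port a backdoor.
pub fn ownerless_listeners(listeners: &BTreeSet<Listener>, owned_inodes: &BTreeSet<u64>) -> Vec<Listener> {
    listeners
        .iter()
        .filter(|l| !owned_inodes.contains(&l.inode))
        .cloned()
        .collect()
}

fn main() {
    // Constructed /proc/net/tcp: cups on 127.0.0.1:631, sshd on 0.0.0.0:22,
    // plus an ESTABLISHED (st 01) row the parser must skip.
    let proc_net_tcp = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n\
        0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n\
        1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0\n\
        2: 0A00020F:0016 0A000201:C3A8 01 00000000:00000000 00:00000000 00000000     0        0 20077 1 0000000000000000 20 4 30 10 -1\n";
    // Constructed netlink view: the same two listeners plus 0.0.0.0:31337,
    // which the hooked seq_file never prints.
    let mut netlink = listeners_from_proc_net_tcp(proc_net_tcp);
    netlink.insert(Listener { addr: Ipv4Addr::UNSPECIFIED, port: 31337, inode: 99999 });
    // Socket inodes collected from the fd tables of every visible process.
    let owned = BTreeSet::from([12345u64, 20001]);

    for l in hidden_listeners(proc_net_tcp, &netlink) {
        println!("FINDING: {}:{} (inode {}) listens per netlink but not /proc/net/tcp", l.addr, l.port, l.inode);
    }
    for l in ownerless_listeners(&netlink, &owned) {
        println!("FINDING: {}:{} (inode {}) has no owning fd in any visible process", l.addr, l.port, l.inode);
    }
}
```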

Persistence

  • Ghost cron/systemd jobs
  • ld.so.preload & ld_audit daemons
  • SSH footholds & core dump pipelines
  • PAM/NSS from non-system paths
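
An /etc/ld.so.preload audit, as an added Rust example (not the project's code), following the parsing rules glibc's loader applies to that file: everything from '#' to end of line is blanked, then names are split on white space or ':'. The trusted-directory list is this example's assumption, and the existence check is passed in as a closure so the example runs offline against constructed file contents.

```rust
use std::path::{Component, Path};

/// Directories from which a preload library is plausible on a stock system.
/// This list is the example's assumption; tune it to the distribution.
const TRUSTED_LIB_DIRS: &[&str] = &["/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib"];

#[derive(Debug, PartialEq, Eq)]
pub enum PreloadVerdict {
    /// Absolute path under a trusted directory and present on disk.
    Trusted,
    /// Not absolute: ld.so resolves it through the library search path,
    /// which a writable directory on that path turns into a hijack.
    Relative,
    /// Outside the trusted directories, or climbing out of one with "..".
    UntrustedPath,
    /// Trusted location but the file is gone: a cleaned-up payload still referenced.
    Missing,
}

/// Tokenise ld.so.preload the way glibc's rtld does.
pub fn parse_ld_so_preload(text: &str) -> Vec<String> {
    text.lines()
        // comments run from '#' to end of line
        .map(|l| l.split('#').next().unwrap_or(""))
        // separators are white space or ':'
        .flat_map(|l| l.split(|c: char| c.is_whitespace() || c == ':'))
        .filter(|s| !s.is_empty())
        .map(str::to_string)
        .collect()
}

/// Judge one entry. `exists` is injected (Path::exists in a real run) so the
/// logic can be exercised against constructed input.
pub fn judge_entry(entry: &str, exists: &dyn Fn(&str) -> bool) -> PreloadVerdict {
    let path = Path::new(entry);
    if !path.is_absolute() {
        return PreloadVerdict::Relative;
    }
    // Path::starts_with compares whole components, so "/usr/lib64evil" does not
    // match "/usr/lib64"; but ".." components would let
    // "/usr/lib/../../tmp/x.so" through, so reject them before the prefix test.
    if path.components().any(|c| c == Component::ParentDir) {
        return PreloadVerdict::UntrustedPath;
    }
    if !TRUSTED_LIB_DIRS.iter().any(|d| path.starts_with(d)) {
        return PreloadVerdict::UntrustedPath;
    }
    if !exists(entry) {
        return PreloadVerdict::Missing;
    }
    PreloadVerdict::Trusted
}

/// Audit the whole file, keeping the entry text beside each verdict.
pub fn audit_ld_so_preload(text: &str, exists: &dyn Fn(&str) -> bool) -> Vec<(String, PreloadVerdict)> {
    parse_ld_so_preload(text)
        .into_iter()
        .map(|entry| {
            let verdict = judge_entry(&entry, exists);
            (entry, verdict)
        })
        .collect()
}

fn main() {
    // Constructed file contents: one legitimate entry, then the usual suspects.
    let text = "# constructed sample\n\
                /usr/lib/x86_64-linux-gnu/libhardened.so\n\
                /usr/local/lib/libghost.so:/tmp/.x/libhook.so # trailing comment\n\
                libinject.so\n\
                /usr/lib/../../tmp/evil.so\n";
    // Stand-in for Path::exists: only the legitimate library is on disk.
    let exists = |p: &str| p == "/usr/lib/x86_64-linux-gnu/libhardened.so";
    for (entry, verdict) in audit_ld_so_preload(text, &exists) {
        println!("{verdict:?}: {entry}");
    }
}
```

On a live host the file being present at all is worth noting: most distributions ship without /etc/ld.so.preload, so its mere existence, together with its mtime and the inode's ctime, is often the first pointer to when the foothold was planted.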

Privilege Escalation

  • modprobe helper tampering
  • Sudoers dangerous entries
  • Library search hijack (SUID binaries)
  • Live LD_PRELOAD to deleted libraries

Container Escape

  • OverlayFS whiteouts & lowerdir escape
  • Hidden bind/immutable mounts
  • Sensitive host mounts into containers
  • Host PID/net namespace sharing

Monitoring Bypass

  • Fanotify on sensitive mounts
  • Seccomp user-notify responders
  • Audit disabled/dropping detection
  • Journal gaps & kernel message suppression

How It Works

Three steps to clean

No configuration. No tuning. Drop, run, read.

Deploy

Copy the single binary to your target host. No runtime dependencies required.

Scan

Run as root: loading the embedded BPF programs and reading unmasked kernel addresses from /proc/kallsyms require it. All 52 scanners execute automatically in under 2 seconds.

Triage

Color-coded findings with actionable context. Red means investigate, green means clear.

Quickstart

Up and running in 60 seconds

Build from source with the Rust toolchain, then deploy anywhere.

1. Clone & Build

Clone the repository and build a release binary.

git clone https://github.com/h2337/ghostscan
cd ghostscan && cargo build --release

The default cargo target links against the build host's glibc, so build on a host whose glibc is no newer than the target's, or build for a musl target (cargo build --release --target x86_64-unknown-linux-musl) for a fully static binary, assuming the crate's libbpf dependencies build for it.

2. Deploy

Copy the binary to the target host.

scp target/release/ghostscan root@host:/tmp/

Hardened hosts often mount /tmp noexec; if the binary refuses to run, copy it to a directory that allows execution. When the disk is evidence, prefer a tmpfs location so the binary never lands on the volume being examined.

3. Scan

Run as root and review findings.

sudo ./ghostscan


Architecture

Built for depth

Modular scanner architecture with multi-source cross-referencing for high-confidence detections.

User Space:   52 Rust scanners, procfs parser, sysfs parser, netlink client
eBPF Layer:   task_snapshot.bpf.c, hidden_listeners.bpf.c, libbpf-rs
Data Sources: /proc, /sys, kallsyms, netlink, systemd, cron
Kernel:       syscall table, ftrace, kprobes, netfilter, task_struct

Ready to hunt ghosts?

Open source. MIT licensed. Built in Rust.
