ebpfkit - a rootkit powered by eBPF

ebpfkit is an eBPF-based rootkit that implements advanced offensive techniques, including stealth, persistence, and network reconnaissance.
This tool is primarily used by penetration testers and red team operators to simulate advanced persistent threats, leveraging eBPF for stealthy rootkit capabilities. It lets users perform container breakouts, network scanning, and command and control, and bypass runtime protections, which makes it suited to testing and demonstrating kernel-level attack vectors.
ebpfkit requires root privileges and a compatible Linux environment (Ubuntu Focal with kernel 5.4) with necessary kernel headers and dependencies installed. It is intended solely for educational and ethical penetration testing purposes; misuse for illegal activities is strongly discouraged and may lead to criminal charges.
Prerequisites:
  1. Ensure Go 1.13+ is installed.
  2. Install clang and llvm version 11.0.1.
  3. Install Graphviz (used for graph generation).
  4. Install go-bindata: go get -u github.com/shuLhan/go-bindata/...
  5. Ensure the Linux kernel headers are installed in /lib/modules/$(uname -r).

Build and install:
  6. Clone the repository.
  7. Run 'make' to build the entire project.
  8. Run 'make install_client' to install the ebpfkit-client binary to /usr/bin/.
Usage:
  sudo ./bin/ebpfkit -h
      Displays help and usage information for ebpfkit.
  sudo ./bin/ebpfkit
      Starts the rootkit with default parameters (requires root privileges).

Options:
  --disable-bpf-obfuscation
      Disables hiding the rootkit from the bpf syscall (with obfuscation enabled, userspace tools that enumerate BPF programs and maps through that syscall do not see the rootkit's objects).
  --disable-network-probes
      Prevents loading of the network-related probes.
  -e, --egress string
      Specifies the egress network interface name (default 'enp0s3').
  -i, --ingress string
      Specifies the ingress network interface name (default 'enp0s3').
  -p, --target-http-server-port int
      Sets the target HTTP server port used for command and control (default 8000).
  --src string, --target string
      Specify the source and target files for the file override feature.