Skip to content

bcoles/rootkit-signal-hunter

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
.github/workflows
.github/workflows
 
 
assets
assets
 
 
src
src
 
 
.gitignore
.gitignore
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Rootkit Signal Hunter

Build Status Release License: MIT

Rootkit Signal Hunter

Detect Linux rootkits which use signals to elevate process privileges.

Some rootkits install signal handlers which listen for specific signals to elevate privileges. This tool can identify these rootkits by sending signals and observing UID switching to root. Optionally spawns a root shell.

Rootkit Signal Hunter

Tested with:

  • Singularity 5b6c4b6 (2025-10-19) on Ubuntu 24.04 kernel 6.8.0-31-generic (x64)
  • Diamorphine 2337293 (2023-09-20) on Ubuntu 22.04 kernel 5.19.0-38-generic (x64)
  • Codeine 9644336 (2025-09-02) on Ubuntu 22.04 kernel 5.19.0-38-generic (x64)
  • KoviD 9b67e46 (2025-10-14) on Ubuntu 24.04 kernel 6.8.0-31-generic (x64)
    • (successful detection requires knowledge of hardcoded target PID 666)

Installation

You can download the latest pre-built binaries from the Releases page; or build the latest pre-release version from source:

git clone https://github.com/bcoles/rootkit-signal-hunter && \
cd rootkit-signal-hunter && \
cargo build --release

Usage

rootkit-signal-hunter -- [OPTIONS]

Options

  • --min <MIN>: Minimum signal number (default: 0)
  • --max <MAX>: Maximum signal number (default: 64)
  • -s, --shell: Launch a root shell (if detected)
  • -t, --threads: Number of worker threads (default: 16)
  • -p, --pid: Process ID to send signals to (default: $$)
  • -v, --verbose: Enable verbose output

Note

The --pid implementation uses $$ to represent the process ID of a newly spawned process. This will fail on non-POSIX compliant shells such as Fish.

Example

Rootkits such as Singularity and Diamorphine allow privilege escalation using any process ID and can be trivially detected with default options (-s spawns a root shell):

rootkit-signal-hunter -s

Rootkits such as KoviD require a specific process ID to be provided with the -p / --pid flag:

rootkit-signal-hunter -s --pid 666

Note

This risks terminating the legitimate process with ID 666 (if the current user has the necessary permission).

License

This project is licensed under the MIT License. See the LICENSE file for details.

Acknowledgements

Shoutout to David Reguera Garcia (Dreg) who implemented similar signal-based detection as part of lsrootkit.

Copyright

Copyright © 2025, bcoles

About

Detect Linux rootkits which use signals to elevate process privileges.

Topics

security privilege-escalation-linux rootkit-hunter rootkit-detection

Resources

Readme

License

MIT license
Activity

Stars

3 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 2

rootkit-signal-hunter-0.2.0 Latest
Oct 22, 2025
+ 1 release

Packages

No packages published

Languages