Caracal
Make your programs stealthier
The caracal cat is one of Africa's ultimate hunters,
a stealthy cat with an exceptional ability to hunt out prey on the savanna
Powered by Aya
Overview
Caracal is a Rust implementation of eBPF techniques that:
- hide target bpf programs & maps → won't be visible with bpftop, bpftool...
- hide target processes → won't be visible with ps, top, procs, ls /proc...
- are resilient to some "unhiding" bruteforce techniques
Setup
You need a Linux-based OS.
Build from source
To build from source, make sure you have:
- bpf-linker installed.
- rust installed with nightly toolchain.
1. Build ebpf program
cd caracal-ebpf && cargo build --release
2. Build user space program
This command will produce the caracal executable in target/release that you can add to your $PATH.
Binary release
You can download the pre-built binaries from the release page.
Usage
Run caracal with root privileges:
caracal --pid <pids> --bpf-prog-id <bpf-ids> -v
- <pids>: List of process IDs to hide (comma-separated, e.g., 123,456)
- <bpf-ids>: List of eBPF program IDs to hide (comma-separated, e.g., 789,101)
- -v / --verbose: Verbosity
Example:
sudo caracal --pid $PPID,1337 --bpf-prog-id 23,24,26 -v
will hide:
- caracal launching process & its children
- 1337 process & its children
- caracal eBPF program & maps
- 23,24,26 eBPF programs & maps
Disclaimer
caracal is developed for educational purposes only.
Authors
License
GPLv3
