rupurt uses a dedicated eBPF detection module that works on multiple levels:

1. BPF Program Enumeration
We enumerate all loaded BPF programs via bpf(BPF_PROG_GET_NEXT_ID) and check each against our signature database of known malicious eBPF programs.

2. Hook Point Analysis
rupurt maps which kernel functions have BPF programs attached (kprobes, tracepoints, XDP, tc). Suspicious attachment points include:

  • sys_read/sys_write hooks (data exfiltration)
  • sys_getdents hooks (file hiding)
  • packet_rcv hooks (network backdoors)
  • cred_* hooks (privilege escalation)

3. Behavioral Analysis
Even unknown eBPF programs get flagged if they:

  • Modify return values of system calls
  • Access process credentials s…
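One way to implement the enumeration step described above and the hook-point classification it lists, as an added example that is not rupurt's own code: it assumes a Linux host with the kernel UAPI headers installed, and the names classify_hook and enumerate_bpf_programs are my own. Discovering which kernel function a program is attached to (link/kprobe info) is left out; classify_hook takes that function name as its input.

```c
#include <errno.h>
#include <linux/bpf.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

static long sys_bpf(int cmd, union bpf_attr *attr) {   /* glibc has no bpf() stub */
    return syscall(__NR_bpf, cmd, attr, sizeof(*attr));
}

/* Map the kernel function a program hooks onto the categories the post lists.
 * Returns NULL for attachment points the post does not flag. */
const char *classify_hook(const char *kfunc) {
    const char *s = strstr(kfunc, "sys_");   /* skip arch prefixes such as __x64_ */
    if (s) {
        s += 4;
        if (!strcmp(s, "read") || !strcmp(s, "write")) return "data exfiltration";
        if (!strcmp(s, "getdents") || !strcmp(s, "getdents64")) return "file hiding";
    }
    if (!strcmp(kfunc, "packet_rcv")) return "network backdoor";
    if (!strncmp(kfunc, "cred_", 5)) return "privilege escalation";
    return NULL;
}

/* Walk every loaded program id and print type, name and tag (the tag is what a
 * signature database keys on). Returns programs seen, or -errno (-EPERM without CAP_BPF). */
int enumerate_bpf_programs(void) {
    unsigned int id = 0; int count = 0;
    for (;;) {
        union bpf_attr next = { .start_id = id };
        if (sys_bpf(BPF_PROG_GET_NEXT_ID, &next) < 0)
            return errno == ENOENT ? count : -errno;   /* ENOENT: end of list */
        id = next.next_id;
        union bpf_attr byid = { .prog_id = id };
        int fd = sys_bpf(BPF_PROG_GET_FD_BY_ID, &byid);
        if (fd < 0) continue;                          /* raced with an unload */
        struct bpf_prog_info info = {0};
        union bpf_attr get = { .info = { .bpf_fd = fd,
            .info_len = sizeof(info), .info = (unsigned long)&info } };
        if (sys_bpf(BPF_OBJ_GET_INFO_BY_FD, &get) == 0) {
            printf("id=%u type=%u name=%.16s tag=", id, info.type, info.name);
            for (int i = 0; i < BPF_TAG_SIZE; i++) printf("%02x", info.tag[i]);
            putchar('\n');
        }
        close(fd);
        count++;
    }
}
```

Call enumerate_bpf_programs() from a main() run with CAP_BPF or as root; a negative return is -errno from the first failing bpf(2) call.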
