adgaultier/caracal

Caracal

Make your programs stealthier

The caracal cat is one of Africa's ultimate hunters,
a stealthy cat with an exceptional ability to hunt out prey on the savanna

⚡ Powered by Aya🐝

💡 Overview

Caracal is a Rust implementation of eBPF techniques that:

  1. hide target eBPF programs & maps → won't be visible with bpftop, bpftool ...
  2. hide target processes → won't be visible with ps, top, procs, ls /proc ...
  3. are resilient to some "unhiding" brute-force techniques
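
A cross-view check a defender can run against the process hiding described above (an added example, not part of caracal or its README): it compares the /proc directory listing with direct per-PID probes and filters out ordinary threads and scan-time races. It assumes a Linux host with /proc mounted; because the list above states resilience to some brute-force unhiding techniques, an empty result does not establish that nothing is hidden.

```python
# Added example; assumes Linux with /proc mounted. Run as root for full coverage.
import os

def listed_pids(proc_root="/proc"):
    """PIDs returned by a directory listing, the view ps, top and ls rely on."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}

def probe_signal(pid):
    """Direct probe: signal 0 tests for existence and delivers nothing."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass  # exists, but belongs to another user
    return True

def thread_group_id(pid, proc_root="/proc"):
    """Tgid from /proc/<pid>/status, or None when it cannot be read."""
    try:
        with open(f"{proc_root}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None

def cross_view(list_fn, probe_fn, tgid_fn, max_pid):
    """IDs that answer a direct probe yet are absent from two listings."""
    before = list_fn()
    suspects = [p for p in range(1, max_pid + 1)
                if p not in before and probe_fn(p)]
    after = list_fn()  # second listing drops processes that started mid-scan
    findings = []
    for pid in suspects:
        if pid in after or not probe_fn(pid):
            continue  # now listed, or already exited
        tgid = tgid_fn(pid)
        if tgid is not None and tgid != pid and tgid in after:
            continue  # ordinary thread of a listed process
        findings.append(pid)
    return findings

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as fh:
        limit = int(fh.read())
    for pid in cross_view(listed_pids, probe_signal, thread_group_id, limit):
        print(f"pid {pid}: alive on direct probe, missing from /proc listing")
```

An ID whose status file cannot be read is reported rather than dropped, since a probe that succeeds while /proc/<pid> is unreadable is itself an inconsistency worth a look.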

🚀 Setup

You need a Linux-based OS.

⚒️ Build from source

To build from source, make sure you have:

1. Build the eBPF program

cd caracal-ebpf && cargo build --release

2. Build the user space program

cargo build --release

This command will produce the caracal executable in target/release, which you can add to your $PATH.

📥 Binary release

You can download the pre-built binaries from the release page

🪄 Usage

Run caracal with root privileges:

caracal --pid <pids> --bpf-prog-id <bpf-ids> -v
  • <pids>: List of process IDs to hide (comma-separated, e.g., 123,456)
  • <bpf-ids>: List of eBPF program IDs to hide (comma-separated, e.g., 789,101)
  • -v / --verbose: Verbosity

Example:

sudo caracal --pid $PPID,1337 --bpf-prog-id 23,24,26 -v

will hide:

  • caracal launching process & its children
  • 1337 process & its children
  • caracal eBPF program & maps
  • 23,24,26 eBPF programs & maps

⚠️ Disclaimer

caracal is developed for educational purposes only


✍️ Authors

Adrien Gaultier


⚖️ License

GPLv3
