timb-machine-mirrors/adgaultier-caracal

Caracal

Make your programs stealthier

The caracal cat is one of Africa's ultimate hunters,
a stealthy cat with an exceptional ability to hunt out prey on the savanna

⚡ Powered by Aya🐝

💡 Overview

Caracal is a Rust implementation of eBPF techniques that:

  1. hide target bpf programs & maps → won't be visible with bpftop, bpftool ...
  2. hide target processes → won't be visible with ps, top, procs, ls /proc ...
  3. are resilient to some "unhiding" bruteforce techniques
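
For defenders, item 2 suggests a cross-view check: compare the PIDs that a /proc directory listing returns with the PIDs that still answer a direct read of /proc/<pid>/status. The sketch below is an added example, not part of Caracal; it assumes only the standard Linux /proc layout, and because Caracal claims resilience to some brute-force unhiding, an empty result does not prove a host is clean.

```rust
use std::collections::BTreeSet;
use std::fs;

/// PIDs visible through a directory listing of /proc (the view ps and top rely on).
fn listed_pids(proc_root: &str) -> BTreeSet<u32> {
    let mut pids = BTreeSet::new();
    if let Ok(dir) = fs::read_dir(proc_root) {
        for entry in dir.flatten() {
            if let Some(pid) = entry.file_name().to_str().and_then(|n| n.parse().ok()) {
                pids.insert(pid);
            }
        }
    }
    pids
}

/// True when a /proc/<pid>/status text describes a thread-group leader (Tgid == Pid).
/// Plain thread IDs can be opened under /proc but are never listed, so they are not findings.
fn is_group_leader(status: &str) -> bool {
    let field = |key: &str| {
        status
            .lines()
            .find_map(|l| l.strip_prefix(key))
            .and_then(|v| v.trim().parse::<u32>().ok())
    };
    matches!((field("Tgid:"), field("Pid:")), (Some(t), Some(p)) if t == p)
}

/// PIDs in 1..=max_pid that answer a direct probe as a process but are missing from the listing.
/// `probe` returns the status text for a PID, or None when nothing answers.
fn hidden_pids<P: Fn(u32) -> Option<String>>(listed: &BTreeSet<u32>, max_pid: u32, probe: P) -> Vec<u32> {
    (1..=max_pid)
        .filter(|pid| !listed.contains(pid))
        .filter(|&pid| probe(pid).map_or(false, |s| is_group_leader(&s)))
        .collect()
}

fn main() {
    let pid_max = fs::read_to_string("/proc/sys/kernel/pid_max").ok();
    let max_pid = pid_max.and_then(|s| s.trim().parse::<u32>().ok()).unwrap_or(32768);
    let before = listed_pids("/proc");
    let probe = |pid: u32| fs::read_to_string(format!("/proc/{}/status", pid)).ok();
    let suspects = hidden_pids(&before, max_pid, probe);
    // Re-list afterwards to discard processes that simply started during the scan.
    let after = listed_pids("/proc");
    for pid in suspects.into_iter().filter(|p| !after.contains(p)) {
        println!("pid {} answers /proc/{}/status but is not listed in /proc", pid, pid);
    }
}
```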

📚 Documentation

🚀 Setup

You need a Linux based OS.

⚒️ Build from source

To build from source, make sure you have:

1. Build ebpf program

cd caracal-ebpf && cargo build --release

2. Build user space program

cargo build --release 

This command produces the caracal executable in target/release, which you can add to your $PATH.

📥 Binary release

You can download the pre-built binaries from the release page

🪄 Usage

Run caracal with root privileges:

caracal --pid <pids> --bpf-prog-id <bpf-ids> -v
  • <pids>: List of process IDs to hide (comma-separated, e.g., 123,456)
  • <bpf-ids>: List of eBPF program IDs to hide (comma-separated, e.g., 789,101)
  • -v / --verbose: Verbosity

Example:

sudo caracal --pid $PPID,1337 --bpf-prog-id 23,24,26 -v

will hide:

  • caracal launching process & its children
  • 1337 process & its children
  • caracal eBPF program & maps
  • 23,24,26 eBPF programs & maps

⚠️ Disclaimer

caracal is developed for educational purposes only


✍️ Authors

Adrien Gaultier


⚖️ License

GPLv3
