A zero-overhead, kernel-level behavioral analysis tool designed to detect ransomware encryption patterns in real-time.
Traditional antivirus solutions often rely on static file signatures, which are easily bypassed by new malware variants. This project takes a different approach: Behavioral Profiling.
Using eBPF (Extended Berkeley Packet Filter), this tool hooks directly into the Linux kernel's vfs_write function, the VFS entry point behind the write family of syscalls. It analyzes the velocity and volume of filesystem writes to identify malicious actors. By performing in-kernel aggregation in BPF hash maps, it filters out ~95% of benign system noise (logs, flag updates) before anything reaches user space, focusing purely on the high-throughput anomalies characteristic of ransomware encryption.
- ⚡ Zero-Copy Profiling: Uses BPF_HASH maps to count syscalls in kernel space, avoiding expensive context switches.
- 🔍 Noise Filtering: Automatically ignores tiny system writes (logs, GUI updates), isolating "heavy" I/O operations.
- 📊 Live TUI Dashboard: A terminal-based UI that visualizes write intensity in real-time.
- 🛡️ Evasion Resistant: Since it hooks the kernel syscall interface, it catches activity even if the malware tries to hide its process name or use unbuffered I/O.
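As an added example (not the project's own code), the following sketch shows the two halves of the approach described above: a BCC program that counts only large vfs_write calls per PID in a BPF_HASH, and a user-space velocity check over successive map snapshots. The 4 KiB noise cutoff, the 50 MB/s alert threshold, and the names `MIN_WRITE`, `counts`, `flag_heavy_writers` are assumptions made for this example.

```python
import time

# BPF C program for BCC: kprobe on vfs_write, drop small writes in the kernel,
# aggregate the rest per PID. MIN_WRITE (4 KiB) is an assumed noise cutoff.
BPF_SRC = r"""
#include <uapi/linux/ptrace.h>
#include <linux/fs.h>
#define MIN_WRITE 4096                 /* log/GUI-sized writes never leave the kernel */
struct val_t { u64 bytes; u64 calls; };
BPF_HASH(counts, u32, struct val_t);
int trace_vfs_write(struct pt_regs *ctx, struct file *file,
                    const char __user *buf, size_t count) {
    if (count < MIN_WRITE) return 0;
    u32 pid = bpf_get_current_pid_tgid() >> 32;
    struct val_t zero = {}, *v = counts.lookup_or_try_init(&pid, &zero);
    if (v) { v->bytes += count; v->calls += 1; }
    return 0;
}
"""

def flag_heavy_writers(prev, cur, window_s, bytes_per_s):
    """Compare two per-PID snapshots {pid: (bytes, calls)} taken window_s apart.
    Return [(pid, bytes_per_second, calls)] for PIDs above the threshold,
    highest write velocity first. PIDs absent from prev are treated as starting at 0."""
    hot = []
    for pid, (bytes_now, calls_now) in cur.items():
        bytes_before, _ = prev.get(pid, (0, 0))
        rate = (bytes_now - bytes_before) / window_s
        if rate >= bytes_per_s:
            hot.append((pid, rate, calls_now))
    return sorted(hot, key=lambda t: t[1], reverse=True)

def snapshot(counts_map):
    """Copy a BCC BPF_HASH table into a plain dict (only runs with bcc loaded)."""
    return {k.value: (v.bytes, v.calls) for k, v in counts_map.items()}

if __name__ == "__main__":
    from bcc import BPF                      # needs root and the bpfcc packages
    b = BPF(text=BPF_SRC)
    b.attach_kprobe(event="vfs_write", fn_name="trace_vfs_write")
    prev, window = {}, 1.0
    while True:                              # poll the map once per second
        time.sleep(window)
        cur = snapshot(b["counts"])
        for pid, rate, calls in flag_heavy_writers(prev, cur, window, 50 * 1024 * 1024):
            print(f"pid {pid}: {rate / 1e6:.1f} MB/s across {calls} large writes")
        prev = cur
```

The velocity check is deliberately kept separate from the BPF loading so it can be exercised on recorded map snapshots without root.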
You need a Linux kernel with eBPF support (4.4+) and the BCC tools installed.
Ubuntu / Debian:

sudo apt-get update
sudo apt-get install bpfcc-tools linux-headers-$(uname -r) python3-bpfcc
pip3 install rich

Run the monitor (root is required to load eBPF programs):

sudo python3 main.py

Run the test script:

sudo python3 test.py