The caracal cat is one of Africa's ultimate hunters,
a stealthy cat with an exceptional ability to hunt out prey on the savanna.
Caracal is a Rust implementation of known eBPF techniques that:
- hide target bpf programs & maps → won't be visible with bpftop, bpftool, ...
- hide target processes → won't be visible with ps, top, procs, ls /proc, ...
It specifically targets the bpf and getdents64 syscalls.
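For detection, a cross-view check follows from the getdents64 statement above: a PID filtered out of the /proc directory listing still answers when /proc/<pid> is opened by path. The Rust sketch below is an added example, not part of caracal; the function names are illustrative, and it assumes that lookups by path are left unfiltered.

```rust
use std::collections::BTreeSet;
use std::{fs, io, path::Path};

/// Numeric entries of /proc as enumerated by readdir (getdents64 underneath).
fn listed_pids(proc_root: &Path) -> io::Result<BTreeSet<u32>> {
    let mut pids = BTreeSet::new();
    for entry in fs::read_dir(proc_root)? {
        if let Some(pid) = entry?.file_name().to_str().and_then(|s| s.parse::<u32>().ok()) {
            pids.insert(pid);
        }
    }
    Ok(pids)
}

/// Extract the thread-group ID from the text of /proc/<pid>/status.
fn tgid_of(status: &str) -> Option<u32> {
    status.lines().find_map(|l| l.strip_prefix("Tgid:")?.trim().parse().ok())
}

/// Direct lookup by path (open/read, no directory enumeration). Thread IDs also
/// resolve under /proc/<tid> yet are never listed there, so only thread-group
/// leaders (Tgid == pid) count as processes that should have been listed.
/// Assumption: the hiding technique filters enumeration only, not path lookups.
fn is_live_process(proc_root: &Path, pid: u32) -> bool {
    fs::read_to_string(proc_root.join(pid.to_string()).join("status"))
        .map_or(false, |s| tgid_of(&s) == Some(pid))
}

/// PIDs in 1..=max_pid that answer the direct probe but are absent from the listing.
fn hidden_pids(listed: &BTreeSet<u32>, max_pid: u32, probe: impl Fn(u32) -> bool) -> Vec<u32> {
    (1..=max_pid).filter(|p| !listed.contains(p) && probe(*p)).collect()
}

fn main() -> io::Result<()> {
    let root = Path::new("/proc");
    let max_pid: u32 = fs::read_to_string("/proc/sys/kernel/pid_max")?
        .trim().parse().unwrap_or(32768);
    let before = listed_pids(root)?;
    let suspects = hidden_pids(&before, max_pid, |p| is_live_process(root, p));
    // A process started after the first listing is not hidden: list again and
    // report only PIDs missing from both listings that are still alive.
    let after = listed_pids(root)?;
    for pid in suspects.iter().filter(|&&p| !after.contains(&p) && is_live_process(root, p)) {
        println!("pid {} resolves via /proc/{} but is missing from the /proc listing", pid, pid);
    }
    Ok(())
}
```

A hit is a lead to investigate, not proof: compare it against a listing taken from outside the running kernel's view where possible.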
You need a Linux-based OS.
To build from source, make sure you have:
- bpf-linker installed.
- Rust installed with the nightly toolchain.
cd caracal-ebpf && cargo build --release
This command produces the caracal executable in target/release, which you can add to your $PATH.
You can download the pre-built binaries from the release page.
Run caracal with root privileges:
caracal --pid <pids> --bpf-prog-id <bpf-ids>
- <pids>: List of process IDs to hide (comma-separated, e.g., 123,456)
- <bpf-ids>: List of eBPF program IDs to hide (comma-separated, e.g., 789,101)
Example:
RUST_LOG=info sudo -E caracal --pid $PPID,1337 --bpf-prog-id 23,24,26
will hide:
- caracal launching process & its children
- 1337 process & its children
- caracal eBPF program & maps
- 23,24,26 eBPF programs & maps
caracal is developed for educational purposes only.
GPLv3