Module bpf

Linux eBPF program enumeration from kernel memory.

eBPF is a modern rootkit vector – malicious BPF programs can intercept syscalls, modify network packets, hide processes, and exfiltrate data. The kernel tracks BPF programs via bpf_prog_idr (an IDR/radix tree). This module enumerates loaded eBPF programs and flags suspicious ones.

Re-exports

pub use crate::heuristics::classify_bpf_program;

Structs

BpfProgramInfo
Information about a loaded eBPF program extracted from kernel memory.

Functions

walk_bpf_programs
Enumerate loaded eBPF programs by walking bpf_prog_idr in kernel memory.