Drop a single binary. Find the attacker. Live forensic analysis for Linux — zero dependencies, zero installation.
```bash
scp innerwarden-forensic root@suspect:/tmp/
ssh root@suspect /tmp/innerwarden-forensic
```

| Category | What | How |
|---|---|---|
| Hidden processes | Processes hidden by rootkits | Brute-force /proc/[PID] vs readdir comparison |
| Fileless malware | Deleted binaries still running | /proc/PID/exe → "(deleted)" |
| LD_PRELOAD injection | Library hijacking | /proc/PID/environ scanning |
| C2 connections | Backdoor network connections | /proc/net/tcp direct parsing (bypasses hooked netstat) |
| Suspicious listeners | Backdoor ports | LISTEN on known bad ports (4444, 6667, 31337...) |
| memfd payloads | In-memory execution | /proc/PID/fd → memfd: links |
| RWX memory | Shellcode regions | /proc/PID/maps with rwxp permissions |
| Rootkit modules | Known LKM rootkits | /proc/modules vs known names (Diamorphine, Reptile...) |
| File tampering | Modified system files | mtime on /etc/passwd, shadow, sudoers, sshd_config |
| LD preload global | System-wide hijack | /etc/ld.so.preload non-empty |
| Packed binaries | Encrypted malware in /tmp | Shannon entropy > 7.5 on executables |
| Temp executables | Malware drop location | Executable files in /tmp, /dev/shm, /var/tmp |
ps, netstat, lsof and ls all rely on directory listings, and rootkits hook every one of them by manipulating the getdents syscall. This tool reads /proc entries directly, bypassing userspace hooks.
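How the "/proc/net/tcp direct parsing" row of the table works, as an added Rust example that is not InnerWarden's own code: it decodes the kernel's hex address fields, maps the state codes, and flags sessions to, or listeners on, the ports the table names. The port list and the sample table are constructed for this example; the live path simply reads /proc/net/tcp.

```rust
// Added example (not InnerWarden's code): read /proc/net/tcp directly instead of trusting netstat/ss.
use std::net::Ipv4Addr;
pub struct TcpEntry { pub local: (Ipv4Addr, u16), pub remote: (Ipv4Addr, u16), pub state: &'static str }
/// Ports the table above names as common backdoor/C2 defaults (illustrative list, an assumption).
pub const SUSPICIOUS_PORTS: &[u16] = &[4444, 6667, 31337];

/// Decode a kernel "ADDR:PORT" field such as "0100007F:0016" -> (127.0.0.1, 22).
/// On little-endian hosts the address is printed as a little-endian hex word, so its bytes are swapped.
fn parse_addr(field: &str) -> Option<(Ipv4Addr, u16)> {
    let (ip_hex, port_hex) = field.split_once(':')?;
    let raw = u32::from_str_radix(ip_hex, 16).ok()?;
    let port = u16::from_str_radix(port_hex, 16).ok()?;
    Some((Ipv4Addr::from(raw.swap_bytes()), port))
}

/// Parse the whole table; the header line and any malformed line fail parse_addr and are skipped.
pub fn parse_proc_net_tcp(text: &str) -> Vec<TcpEntry> {
    text.lines().filter_map(|line| {
        let mut f = line.split_whitespace();
        let _slot = f.next()?;
        let local = parse_addr(f.next()?)?;
        let remote = parse_addr(f.next()?)?;
        // Kernel state codes: 01 = ESTABLISHED, 0A = LISTEN (other states are not needed here).
        let state = match f.next()? { "01" => "ESTABLISHED", "0A" => "LISTEN", _ => "OTHER" };
        Some(TcpEntry { local, remote, state })
    }).collect()
}

/// The two network checks from the table: sessions to a suspicious remote port, and listeners bound on one.
pub fn suspicious(entries: &[TcpEntry]) -> Vec<String> {
    entries.iter().filter_map(|e| match e.state {
        "ESTABLISHED" if SUSPICIOUS_PORTS.contains(&e.remote.1) =>
            Some(format!("connection {}:{} -> {}:{}", e.local.0, e.local.1, e.remote.0, e.remote.1)),
        "LISTEN" if SUSPICIOUS_PORTS.contains(&e.local.1) =>
            Some(format!("listener on port {}", e.local.1)),
        _ => None,
    }).collect()
}

/// Constructed sample (not a capture): sshd on 22, a session to 192.0.2.10:4444, a listener on 31337.
pub const SAMPLE: &str = concat!(
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n",
    "   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1\n",
    "   1: 0500000A:957F 0A0200C0:115C 01 00000000:00000000 00:00000000 00000000  1000        0 2\n",
    "   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3\n",
);

fn main() {
    // Live use reads the kernel table; the constructed sample is the offline fallback.
    let text = std::fs::read_to_string("/proc/net/tcp").unwrap_or_else(|_| SAMPLE.to_string());
    for finding in suspicious(&parse_proc_net_tcp(&text)) { println!("{finding}"); }
}
```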
```text
╔══════════════════════════════════════════════╗
║ InnerWarden Forensic — Live System Analysis ║
╚══════════════════════════════════════════════╝
Host: compromised-server
Processes: 142 visible, 1 hidden
Connections: 47
Suspicious: 3

── CRITICAL (2) ──
✗ [hidden_process] Hidden process PID 4321
  Process 4321 exists in /proc but is NOT listed by readdir.
  A rootkit is hiding it. comm=kworker_evil, exe=/tmp/.x (deleted)
✗ [suspicious_connection] Connection to suspicious port 4444
  tcp4 ESTABLISHED → remote port 4444 (Metasploit default).
  Local: 10.0.0.5:38271, Remote: 185.x.x.x:4444
```
Use --json for machine-readable output.
```bash
# Build static binary
cargo build --release --target x86_64-unknown-linux-musl
# Or for ARM
cargo build --release --target aarch64-unknown-linux-musl
```

The resulting ~2MB binary has zero runtime dependencies.
Part of the InnerWarden security ecosystem.