Secure Linux Kernel Module Analyzer
Memory-safe kernel module inspection with defense-in-depth architecture
NullSec KernSpy is a secure Linux kernel module analyzer written in Go. It provides deep inspection of loaded kernel modules with comprehensive security features to prevent exploitation during analysis.
- 🔍 Module Analysis - Comprehensive kernel module inspection
- 📊 Hash Verification - SHA256 integrity checks for module files
- 🛡️ Privilege Verification - Validates proper permissions before operations
- ⚡ Concurrent Scanning - Go's goroutines for parallel analysis
- 🔒 Memory-Safe - Go runtime prevents memory corruption
- 📝 Detailed Reports - Module metadata, dependencies, and signatures
┌─────────────────────────────────────────────┐
│ NullSec KernSpy v2.0.0 │
├─────────────────────────────────────────────┤
│ ✓ Input Validation & Sanitization │
│ ✓ Privilege Verification │
│ ✓ Rate Limiting on Operations │
│ ✓ Memory-Safe by Design (Go Runtime) │
│ ✓ Defense-in-Depth Architecture │
│ ✓ Path Traversal Protection │
│ ✓ Null Byte Injection Prevention │
└─────────────────────────────────────────────┘
```bash
# Clone the repository
git clone https://github.com/bad-antics/nullsec-kernspy.git
cd nullsec-kernspy
# Build with optimizations
go build -ldflags="-s -w" -o nullsec-kernspy kernspy.go
# Install system-wide (optional)
sudo mv nullsec-kernspy /usr/local/bin/
```

- Go 1.21 or later
- Linux kernel with `/proc/modules` access
- Root privileges for full functionality
```bash
# List loaded kernel modules
sudo ./nullsec-kernspy --list
# Analyze specific module
sudo ./nullsec-kernspy --analyze <module_name>
# Generate integrity report
sudo ./nullsec-kernspy --report --output modules.json
# Check module signatures
sudo ./nullsec-kernspy --verify-signatures
# Compare against baseline
sudo ./nullsec-kernspy --baseline baseline.json --diff
```

| Flag | Description |
|---|---|
| `--list` | List all loaded kernel modules |
| `--analyze <name>` | Deep analyze specific module |
| `--report` | Generate comprehensive report |
| `--verify-signatures` | Check module cryptographic signatures |
| `--baseline <file>` | Compare against known-good baseline |
| `--output <file>` | Output file for reports |
| `--verbose` | Enable verbose output |
| `--version` | Show version information |
██╗ ██╗███████╗██████╗ ███╗ ██╗███████╗██████╗ ██╗ ██╗
██║ ██╔╝██╔════╝██╔══██╗████╗ ██║██╔════╝██╔══██╗╚██╗ ██╔╝
█████╔╝ █████╗ ██████╔╝██╔██╗ ██║███████╗██████╔╝ ╚████╔╝
██╔═██╗ ██╔══╝ ██╔══██╗██║╚██╗██║╚════██║██╔═══╝ ╚██╔╝
██║ ██╗███████╗██║ ██║██║ ╚████║███████║██║ ██║
╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝╚═╝ ╚═══╝╚══════╝╚═╝ ╚═╝
bad-antics • Kernel Module Analyzer
[*] Scanning /proc/modules...
[+] Found 142 loaded modules
[*] Analyzing module: nvidia
├── Size: 51,396,608 bytes
├── Dependencies: drm, i2c_core
├── State: Live
├── Hash: a7b8c9d0e1f2...
└── Signed: Yes (NVIDIA Corporation)
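The Go example below is added here and is not taken from KernSpy's source. It parses one `/proc/modules` line and applies the kind of input validation listed above, rejecting names that contain path separators, `..` or NUL bytes. The `Module` type, the `ParseModuleLine` function and the name allow-list are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Module holds the /proc/modules fields this example keeps.
type Module struct {
	Name, State string
	Size        uint64
	UsedBy      []string // modules holding a reference (lsmod's "Used by")
}

// Assumed allow-list for names: rejects "/", "..", NUL bytes and whitespace.
var validName = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// ParseModuleLine parses "name size refcount used_by state address [taint]".
func ParseModuleLine(line string) (Module, error) {
	f := strings.Fields(line)
	if len(f) < 6 {
		return Module{}, fmt.Errorf("want >= 6 fields, got %d", len(f))
	}
	if !validName.MatchString(f[0]) {
		return Module{}, fmt.Errorf("invalid module name %q", f[0])
	}
	size, err := strconv.ParseUint(f[1], 10, 64)
	if err != nil {
		return Module{}, fmt.Errorf("bad size: %w", err)
	}
	m := Module{Name: f[0], State: f[4], Size: size}
	for _, d := range strings.Split(strings.TrimSuffix(f[3], ","), ",") {
		switch {
		case d == "-", d == "[permanent]": // kernel markers: no users / cannot be unloaded
		case validName.MatchString(d):
			m.UsedBy = append(m.UsedBy, d)
		default:
			return Module{}, fmt.Errorf("invalid used-by entry %q", d)
		}
	}
	return m, nil
}

func main() {
	// Constructed sample line, not captured from a real system.
	fmt.Println(ParseModuleLine("nvidia 51396608 12 drm,i2c_core, Live 0xffffffffc0a00000 (POE)"))
}
```

Validating the name before it is ever joined into a path under `/sys/module/` or `/lib/modules/` keeps a malformed entry from steering later file reads.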
- Always run with minimal required privileges
- Validate output before automated processing
- Use baselines from trusted sources
- Report suspicious modules to security team
NullSec Proprietary License - See LICENSE file for details.
bad-antics
- GitHub: @bad-antics
- Website: bad-antics.github.io
- Discord: discord.gg/killers
Part of the NullSec Security Framework
"Memory-safe kernel analysis for the paranoid"