Show HN: Kairos – Open-Source eBPF Malware Analysis Framework

7 points by recontech404 9 months ago | 2 comments
  • recontech404 9 months ago
    Hello HN,

    I wanted to share a project I have been working on for the last ~3 months, an open source eBPF malware analysis framework called Kairos.

    A few key features:

    - Automatic capturing of relevant eBPF tracepoints

    - LLM analysis of the eBPF events

    - C2 traffic capturing

    - SSL data capture before encryption using eBPF uprobes

    - File-less malware support

    - Golang based system

    - SQLite DB for portability

    - Svelte UI for easy interaction

    (demos are available on the repo)

    Background:

    A few months ago I was curious to see how well an LLM could be used to provide human readable summaries about malware behavior and started developing Kairos as I have had some free time having been laid off towards the beginning of the year.

    eBPF seemed like the natural path to choose given its monitoring capabilities, but none of the existing eBPF malware analysis projects such as ELFEN were Golang based. So I started learning eBPF and developing a Golang framework for eBPF using AquaSecurity's libbpfgo library. After creating a small test project and hand feeding the events into an LLM, I was pleasantly surprised at how well the existing LLMs do at providing context and summaries for the eBPF events.

    I have also not yet found an analysis system which supports file-less malware such as pyloose, so I built this system to support file-less exploits as well as regular file uploads.

    There are also several projects which use mitm network attacks to capture SSL data, but I wanted to see if using eBPF uprobes in the libssl, gnutls, and nss libraries was possible to integrate and it is, so that is supported as well.
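The uprobe-based approach mentioned above, as an added illustration that is not Kairos code: a bpftrace script that hooks OpenSSL's SSL_write/SSL_read in a sandbox VM and logs the plaintext buffers the sample hands to the library before encryption (or receives after decryption). The libssl path, and the assumption that the sample links dynamically against OpenSSL 3, are assumptions; gnutls and nss need their own entry points.

```bpftrace
// Constructed example: log TLS plaintext at the libssl boundary.
// Path is an assumption for a Debian/Ubuntu-style analysis VM.

// SSL_write(ssl, buf, num): the buffer is plaintext on the way out.
uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_write
{
    printf("[%d %s] SSL_write %d bytes: %s\n",
           pid, comm, arg2, str(arg1, arg2));
}

// SSL_read(ssl, buf, num): buf is only filled on return,
// so remember the pointer per thread and read it in the uretprobe.
uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_read
{
    @rbuf[tid] = arg1;
}

uretprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_read
/@rbuf[tid] != 0/
{
    // retval is the number of plaintext bytes actually read (<= 0 on error).
    if (retval > 0) {
        printf("[%d %s] SSL_read %d bytes: %s\n",
               pid, comm, retval, str(@rbuf[tid], retval));
    }
    delete(@rbuf[tid]);
}
```

str() truncates at bpftrace's default string length (64 bytes), so raise BPFTRACE_STRLEN or emit the raw buffer to a map when full payloads are needed; statically linked or stripped samples will not expose these symbols.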

    • recontech404 9 months ago
      OP here and happy to answer any questions about this in the comments.

      As you may have also guessed by now, I am still looking for a US remote full-time position (may be open to relocation), so if you or someone you know is looking for a Golang software engineer with a background in cybersecurity and infrastructure please get in touch. My contact details are on my profile.