Security News

Cybersecurity news aggregator

INFO News Reddit r/netsec

klint - Linux Kernel Security Scanner

  • What: Klint is a single-binary Linux kernel security scanner written in C++23 for incident response.
  • Impact: It can detect hidden kernel modules, rootkits, and compromised syscall tables in restricted environments.

Linux Kernel Security Scanner

A single-binary, one-shot incident response scanner written in C++23. Deploy into restricted environments with zero dependencies and detect hidden kernel modules, rootkits, compromised syscall tables, and more.

Built for real-world incident response

  • 8 self-registering scanners covering kernel modules, processes, network, syscalls, entrypoints, and BPF. Add new scanners with zero framework changes.
  • Machine-readable JSON and human-friendly colored text output. Structured findings with severity levels, details, and key-value evidence.
  • Each scanner runs in a forked child process with a configurable timeout. One hung scanner never blocks the rest of the assessment.
  • Build a fully static binary with no runtime dependencies beyond libc. Deploy via SCP into compromised environments with no package manager needed.
  • Requires root privileges for deep kernel inspection. Accesses /proc/kcore, kernel symbol tables, cgroups, and raw network socket state.
  • Exit 0 when clean, 1 when findings are detected, 2 on errors. Designed for automation, CI pipelines, and scripted incident response workflows.

8 specialized detectors for kernel-level threats

  • Detects hidden Loadable Kernel Modules by comparing module visibility across /proc/modules, /sys/module, and /proc/kallsyms. Identifies modules present in kallsyms but missing from procfs/sysfs.
  • Discovers hidden processes using multi-view cross-checks: /proc enumeration, kill(0) probing, cgroup task files, and /proc/loadavg analysis. Revalidation snapshots eliminate transient race conditions.
  • Detects hidden or redirected network sockets by comparing /proc/net tables, netlink diagnostics via ss, and process file descriptor scanning. Two-snapshot validation reduces false positives.
  • Validates syscall entrypoints by reading MSRs (IA32_LSTAR, IA32_CSTAR, IA32_SYSENTER_EIP) and IDT vectors via /proc/kcore. Detects entrypoint redirection to module code or trampolines. x86_64-specific.
  • Analyzes ftrace function hooks for suspicious kernel path redirection. Checks tracer configuration and filter functions against critical patterns covering syscalls, VFS, credentials, and LSM hooks.
  • Discovers kprobe and kretprobe events targeting sensitive kernel functions. Matches against critical patterns including syscalls, credentials, module loading, VFS, network, LSM, and BPF functions.
  • Examines syscall table entries by parsing the /proc/kcore ELF core image. Verifies each entry resolves to core kernel text or a legitimate module. Detects entries pointing outside kernel memory.
  • Comprehensive eBPF/BPF security scanner analyzing programs, maps, and links via bpftool. Detects ownerless high-risk hooks, suspicious naming patterns, bpffs mount anomalies, and checks hardening sysctls.

Simple CLI for rapid deployment and scripting

Designed for reliability in hostile environments
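The hidden-module check described above (comparing module visibility across /proc/modules, /sys/module, and /proc/kallsyms) is easy to reproduce as a standalone cross-view diff. The script below is an added example, not klint's own code: it parses the three views, flags any module that kallsyms attributes symbols to but that procfs or sysfs does not list, and deliberately does not flag the reverse case, because /sys/module also carries directories for built-in modules that expose parameters. The sample inputs are constructed; the module name `suspicious_mod` is a placeholder.

```python
"""Cross-view detection of hidden loadable kernel modules.

Added example (not klint's code). Compares the set of module names visible
in three kernel views and reports modules that appear in /proc/kallsyms but
are missing from /proc/modules and/or /sys/module, which is the signature
of a module unlinked from the kernel's module list but still resident.
"""
from __future__ import annotations

import os
from dataclasses import dataclass


def parse_proc_modules(text: str) -> set[str]:
    """/proc/modules: one line per loaded module, name is the first field."""
    return {line.split()[0] for line in text.splitlines() if line.split()}


def parse_kallsyms_modules(text: str) -> set[str]:
    """/proc/kallsyms: module-owned symbols end with a '\t[module]' tag.

    Addresses may be zeroed under kptr_restrict, but the tag is still present.
    """
    names: set[str] = set()
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith("]") and "[" in line:
            names.add(line[line.rfind("[") + 1 : -1])
    return names


@dataclass(frozen=True)
class Finding:
    module: str
    seen_in: tuple[str, ...]
    missing_from: tuple[str, ...]


def find_hidden_modules(proc_modules: set[str], sys_module: set[str],
                        kallsyms: set[str]) -> list[Finding]:
    """Flag modules kallsyms knows about that procfs/sysfs do not list.

    Only the kallsyms-present case is flagged: /sys/module legitimately
    contains built-in modules with parameters that never appear in
    /proc/modules, so 'in sysfs but not procfs' alone is not suspicious.
    """
    views = {"/proc/modules": proc_modules, "/sys/module": sys_module,
             "/proc/kallsyms": kallsyms}
    findings: list[Finding] = []
    for name in sorted(kallsyms):
        seen = tuple(v for v, s in views.items() if name in s)
        missing = tuple(v for v, s in views.items() if name not in s)
        if missing:
            findings.append(Finding(name, seen, missing))
    return findings


def scan_live() -> list[Finding]:
    """Read the real views on a Linux host (needs root for useful kallsyms)."""
    with open("/proc/modules") as f:
        pm = parse_proc_modules(f.read())
    sm = set(os.listdir("/sys/module"))
    with open("/proc/kallsyms") as f:
        ks = parse_kallsyms_modules(f.read())
    return find_hidden_modules(pm, sm, ks)


# Constructed sample data: two normal modules, one built-in (printk) visible
# only in sysfs, and one module that only kallsyms still knows about.
SAMPLE_PROC_MODULES = """\
nf_tables 372736 0 - Live 0xffffffffc0a00000
ext4 901120 1 - Live 0xffffffffc0800000
"""
SAMPLE_SYS_MODULE = {"nf_tables", "ext4", "printk"}
SAMPLE_KALLSYMS = """\
ffffffffc0a01000 t nft_do_chain\t[nf_tables]
ffffffffc0801000 t ext4_fill_super\t[ext4]
ffffffffc0c01000 t hide_me\t[suspicious_mod]
ffffffff81000000 T _text
"""


def run_sample() -> list[Finding]:
    return find_hidden_modules(parse_proc_modules(SAMPLE_PROC_MODULES),
                               SAMPLE_SYS_MODULE,
                               parse_kallsyms_modules(SAMPLE_KALLSYMS))


if __name__ == "__main__":
    live = os.path.exists("/proc/kallsyms") and os.geteuid() == 0
    results = scan_live() if live else run_sample()
    for fnd in results:
        print(f"HIDDEN MODULE? {fnd.module}: seen in {fnd.seen_in}, "
              f"missing from {fnd.missing_from}")
    raise SystemExit(1 if results else 0)
```

The exit code mirrors the convention the scanner description gives (0 clean, 1 findings), so the script drops into the same automation pipelines. A rootkit that also scrubs its `[module]` tags from kallsyms would evade this particular view, which is why the scanner pairs it with the /proc/kcore syscall-table and entrypoint checks.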
