jeffersoncesarantunes/K-Scanner

🐧 K-Scanner

Lightweight Linux memory auditing tool focused on RWX detection and forensic triage.



● Etymology & Origin

The name K-Scanner was born from the project's focus on the Kernel (the heart of the Linux Operating System).

The "K" symbolizes the tool's mission to dive deep into system-level configurations, permissions, and sensitive files. It acts as a sentinel, scanning the "foundations" (Kernel-space and System-space) to ensure that the base of the OS is hardened against potential threats.


● Overview

K-Scanner is a minimal forensic utility designed to audit memory protection flags of active Linux processes.

It analyzes the /proc virtual filesystem to identify memory regions that violate the W^X (Write XOR Execute) security principle, a condition commonly associated with:

  • Shellcode injection
  • JIT-compiled regions
  • Packed executables
  • Fileless malware techniques

The project is written in pure C (C99) with emphasis on performance, clarity, and forensic integrity.


● Why

Modern Linux systems rely heavily on memory protection mechanisms. However, visibility into runtime RWX memory regions is not centralized.

K-Scanner provides:

  • Deterministic RWX detection
  • System-wide process inspection
  • Live forensic triage support
  • Lightweight incident response tooling

It focuses strictly on observable memory metadata.


● How It Works

K-Scanner parses the virtual maps of active processes:

/proc/[PID]/maps

For each running process, it inspects memory segments and evaluates their permission flags. If a memory segment contains both Write (W) and Execute (X) permissions simultaneously, an RWX alert is triggered.

The scanner operates through read-only metadata inspection and does not rely on intrusive debugging mechanisms such as ptrace.


● Example Output

+--------+----------------------------------+--------------------+--------------------+
|  PID   | PROCESS NAME                     | STATUS             | INFO / PATH        |
+--------+----------------------------------+--------------------+--------------------+
| 102109 | wireshark                        | RWX ALERT          | 01x ANON_BLOB      |
| 102174 | Discord                          | RWX ALERT          | 02x MAPPED_FILE    |
| 102388 | Discord                          | RWX ALERT          | 05x MAPPED_FILE    |
+--------+----------------------------------+--------------------+--------------------+

● Project in Action

Initial Scan
1 - Initial System Mapping. Startup of the Live Forensic Process Analysis Mode, performing real-time memory scanning of core system processes.

RWX Detection
2 - Behavioral Analysis & Contextual Detection. K-Scanner categorizes suspicious regions as ANON_BLOB (typical of injected shellcode) or MAPPED_FILE (typical of JIT engines embedded in applications such as Firefox or Discord).

Forensic Summary
3 - Forensic Workflow via Tmux. Demonstrates memory extraction, integrity verification with SHA256, and inspection via strings/hex.


● Features

  • System-wide PID scanning
  • RWX memory detection engine
  • SAFE / ALERT classification
  • Clean terminal output
  • Low memory footprint
  • Designed for forensic triage scenarios

● Operational Integrity

K-Scanner is built for stability and forensic neutrality:

  1. Simplicity: No kernel modules, no injection, no process suspension
  2. Forensic Integrity: Does not modify process memory or execution state
  3. Performance: Optimized C implementation for minimal overhead
  4. Passive Inspection: Uses read-only metadata via /proc

● Build and Run

# 1. Clone & Enter the repository
git clone https://github.com/jeffersoncesarantunes/K-Scanner.git
cd K-Scanner

# 2. Compile the project
make clean && make

# 3. Execute the scanner
sudo ./bin/kscanner

● Investigation Workflow

After detecting an RWX region, analysts may proceed with:

1. Binary Validation

sha256sum /proc/[PID]/exe

2. Advanced Memory Extraction

sudo dd if=/proc/[PID]/mem of=dump.bin bs=1 skip=<offset> count=<size>

3. Artifact Inspection

Use strings or hexdump on the generated dump to identify suspicious payloads.
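The following is an added example, not K-Scanner's own source: it parses lines in the /proc/[PID]/maps format described under "How It Works", flags regions that carry both W and X, classifies them with an assumed ANON_BLOB/MAPPED_FILE heuristic (no path or a bracketed pseudo-path means anonymous), and derives the region length that the dd step above needs for count= (the start address being skip=). The sample buffer is constructed, not captured from a live system.

```c
#include <stdio.h>
#include <string.h>

/* One parsed /proc/[PID]/maps entry (added example, not K-Scanner's own code). */
typedef struct {
    unsigned long long start, end; /* virtual address range of the mapping */
    char perms[5];                 /* permission field, e.g. "rwxp" */
    int rwx;                       /* 1 when both 'w' and 'x' are set: W^X violated */
    const char *kind;              /* "SAFE", "ANON_BLOB" or "MAPPED_FILE" */
} map_region;

/* Parse one line "start-end perms offset dev inode [path]"; parsing stops at the
 * newline, so the pointer may sit inside a larger buffer. Returns 0 on success, -1
 * on a malformed line. Assumed heuristic: no path, or a bracketed pseudo-path such
 * as [heap]/[stack], counts as anonymous; any other path counts as file-backed. */
int parse_maps_line(const char *line, map_region *r) {
    char path[256] = "";
    int n = sscanf(line, "%llx-%llx %4s %*s %*s %*s%*[ \t]%255[^\n]",
                   &r->start, &r->end, r->perms, path);
    if (n < 3) return -1;
    r->rwx = strchr(r->perms, 'w') != NULL && strchr(r->perms, 'x') != NULL;
    r->kind = !r->rwx ? "SAFE" : (path[0] == '\0' || path[0] == '[') ? "ANON_BLOB" : "MAPPED_FILE";
    return 0;
}

/* Region length in bytes: the count= value for the dd extraction step in the
 * workflow above (the region's start address is the skip= value). */
unsigned long long region_size(const map_region *r) { return r->end - r->start; }

/* Constructed sample buffer (not captured from a live system): two RWX regions. */
static const char *sample_maps =
    "5594c4a00000-5594c4a21000 r-xp 00000000 fd:01 1310722 /usr/bin/example\n"
    "7f2a10000000-7f2a10021000 rwxp 00000000 00:00 0\n"
    "7f2a12000000-7f2a12100000 rwxp 00000000 fd:01 2621445 /usr/lib/libjit.so\n"
    "7ffd3c3e0000-7ffd3c401000 rw-p 00000000 00:00 0 [stack]\n";

/* Walk a maps buffer line by line; returns the RWX count, split into *anon and *file. */
int count_rwx(const char *maps, int *anon, int *file) {
    int total = 0; *anon = *file = 0;
    for (const char *p = maps; *p; ) {
        map_region r;
        if (parse_maps_line(p, &r) == 0 && r.rwx) {
            total++;
            if (strcmp(r.kind, "ANON_BLOB") == 0) (*anon)++; else (*file)++;
        }
        const char *nl = strchr(p, '\n'); /* advance to the next line, if any */
        p = nl ? nl + 1 : p + strlen(p);
    }
    return total;
}
```

Reading the real file with fopen("/proc/<pid>/maps") and feeding each line to parse_maps_line gives the same per-region verdicts on a live system (root is needed for other users' processes).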


● Post-Analysis of Forensic Dumps

Once K-Scanner identifies a suspicious RWX region, it automatically extracts its raw content to the build/dumps/ directory.

1. Integrity Verification (Hashing)

sha256sum build/dumps/*.bin

2. Example for a specific dump

sha256sum build/dumps/pid_101554_2dace8f1b000.bin

3. String Extraction

strings build/dumps/pid_*.bin | less

Targeted example

strings build/dumps/pid_101554_2dace8f1b000.bin | head -n 15

4. Hexadecimal Analysis

hexdump -C build/dumps/pid_101554_2dace8f1b000.bin | head -n 10

● Deployment

Requirements

  • Linux OS (Tested on Arch Linux 6.x)
  • gcc & make
  • sudo privileges

● Repository Structure

├── bin/
├── build/
│   ├── obj/
│   └── dumps/
├── docs/
│   ├── architecture.md
│   ├── forensic_methodology.md
│   ├── performance_and_limitations.md
│   ├── threat_model.md
│   └── use_cases.md
├── examples/
├── Imagens/
├── include/
├── scripts/
├── src/
│   ├── core/
│   ├── modules/
│   └── utils/
├── tests/
├── .gitignore
├── LICENSE
├── Makefile
└── README.md

● Tech Stack

  • Language: C (C99)
  • Data Source: /proc filesystem
  • Build Tool: GNU Make
  • Target: Linux Kernel 4.x / 5.x / 6.x

● Roadmap

  • Modular C Engine
  • Advanced Build System
  • Structured Output
  • Automated Memory Dump
  • JSON/CSV Export
  • Interactive TUI
  • Kernel Module (LKM)

● Documentation

Architecture, forensic methodology, threat model, performance and use-case documents live in the docs/ directory.

● License

This project is licensed under the MIT License.
