Lightweight Linux memory auditing tool focused on RWX detection and automated forensic triage.
The name K-Scanner originates from the Linux Kernel — the core layer responsible for process execution, memory management, and system security.
The "K" reflects the project's mission: to inspect volatile memory at runtime, identify anomalous execution permissions, and transform low-level kernel metadata into actionable forensic intelligence.
K-Scanner is a lightweight forensic utility designed to inspect active Linux processes for memory regions that violate the W^X (Write XOR Execute) security principle.
Built in pure C99, it combines a high-performance scanning engine with an interactive ncurses-based Brutalist TUI, enabling real-time process navigation, RWX detection, and immediate forensic extraction.
Common RWX scenarios include:
- Shellcode injection
- Reflective payload loading
- Fileless malware execution
- JIT-compiled engines (Firefox, Python, Node.js, Discord)
Modern Linux systems generate enormous runtime activity, but visibility into executable writable memory remains fragmented.
K-Scanner centralizes this analysis by providing:
- Deterministic RWX detection
- Interactive live process inspection
- Automated forensic evidence collection
- Immediate post-dump triage artifacts
- Minimal operational overhead
It transforms raw /proc telemetry into incident-response-ready intelligence.
K-Scanner continuously parses /proc/[PID]/maps to identify writable and executable memory mappings.
Whenever a region exposes simultaneous Write (W) and Execute (X) permissions, the scanner raises an RWX ALERT.
Not every RWX region is malicious. Context matters.
- Expected JIT Behavior: Browsers, Python interpreters, Node.js, and Electron applications often allocate RWX pages for Just-In-Time compilation.
- Suspicious Activity: Anonymous executable pages, shellcode-like blobs, or RWX mappings in non-JIT processes deserve immediate investigation.
- Forensic Priority: Regions marked as anonymous or unexpected should be dumped and analyzed first.
PID PROCESS STATUS MAP_ADDR
1132 python3 RWX ALERT 7fc163862000
1135 fail2ban-server RWX ALERT 7f59a964f000
1426 Xorg SAFE n/a
[ENTER] ANALYZE | [Q] EXIT | ALERTS: 12
1 - Live Forensic Mode: Real-time process auditing on Arch Linux, identifying memory regions with RWX (Read-Write-Execute) permissions.
2 - Memory Triage: Automated extraction of printable strings from suspicious memory segments for rapid artifact analysis.
3 - Evidence Preservation: Cryptographic integrity verification using SHA-256, ensuring all memory dumps remain untampered.
- Interactive ncurses-based TUI
- Real-time RWX memory detection
- One-key forensic extraction
- Automatic SHA256 integrity hashing
- Automatic strings report generation
- Automatic hexadecimal preview generation
- SAFE / RWX ALERT classification
- Low-overhead live analysis
K-Scanner is designed for forensic stability and safe live-response operations:
- Passive Analysis: Reads metadata directly from
/proc - No Injection: Never modifies target processes
- Controlled Extraction: Prevents unstable full-memory dumping
- Evidence Integrity: Automatically hashes every extracted artifact
# Clone the repository
git clone https://github.com/jeffersoncesarantunes/K-Scanner.git
cd K-Scanner
# Build the project
make clean && make
# Standard execution
sudo ./kscannerAfter detecting an RWX region, analysts can immediately acquire volatile evidence.
Select a suspicious process and press ENTER.
K-Scanner will automatically:
- Dump the RWX region
- Generate SHA256 checksum
- Extract printable strings
- Produce a hexadecimal preview
cd build/dumps
sha256sum -c *.sha256grep -iE "http|ssh|cmd|bash|token|pass" *.strings.txthead -n 20 *.hex.txtEach extracted memory region produces a complete triage package:
- Raw binary dump (
.bin) - SHA256 checksum (
.sha256) - Extracted strings (
.strings.txt) - Hexadecimal preview (
.hex.txt)
sha256sum -c build/dumps/*.sha256strings build/dumps/pid_*.bin | headhexdump -C build/dumps/pid_*.bin | head- Linux Kernel 5.x or newer
- gcc
- make
- ncurses
- binutils
- coreutils
- UTF-8 compatible terminal
- Root privileges
├── bin/
│ └── kscanner
├── build/
│ ├── dumps/
│ └── obj/
├── docs/
│ ├── architecture.md
│ ├── forensic_methodology.md
│ ├── performance_and_limitations.md
│ ├── threat_model.md
│ └── use_cases.md
├── examples/
│ └── usage.md
├── Imagens/
│ ├── kscanner1.png
│ ├── kscanner2.png
│ └── kscanner3.png
├── include/
├── scripts/
├── src/
│ ├── core/
│ ├── modules/
│ └── utils/
├── tests/
│ └── cases.md
├── LICENSE
├── Makefile
└── README.md
- Language: C99
- Interface: ncurses
- Data Source:
/procfilesystem - Hashing: SHA256
- Build Tool: GNU Make
- Target: Linux Kernel 5.x / 6.x
- Modular C Engine
- Interactive ncurses TUI
- Automated Memory Dump
- SHA256 Integrity Validation
- Automated Strings/Hex Triage
- JSON/CSV Export
- Live Regex Memory Hunting
- eBPF Telemetry Integration
This project is licensed under the MIT License.