Current
mquire - github.com/trailofbits/mquire
A memory forensics tool for Linux that can analyze kernel memory snapshots without needing external debug symbols. It uses BTF type information and kallsyms data already embedded in the kernel to let you query running processes, open files, network connections, and kernel modules from a memory dump using SQL. It also supports recovering deleted files from the kernel’s file cache.
btfparse - github.com/alessandrogario/btfparse
A Rust library for parsing BTF (BPF Type Format), the format Linux uses to store type information for BPF programs. It lets you look up types and the memory layout of kernel data structures. This is a rewrite of the original C++ library.
ebpf-common - github.com/trailofbits/ebpf-common
A C++ utility library for building BPF tools. It provides shared building blocks used across several BPF-based projects, including osquery.
Prototypes
podcell - github.com/alessandrogario/podcell
A personal tool for managing rootless Podman containers as isolated development environments. It was built out of the need to run AI agents in a contained space without worrying about what they might do to the host. It creates containers with a fixed security profile: most capabilities dropped, sensitive /proc and /sys paths masked, pasta networking, and user namespace mapping so file ownership works without friction. The podcell binary mounts itself into the container and acts as the entrypoint, handling both first-run initialization (creating a matching user, installing sudo and bash) and subsequent starts. Entering a container drops you into a login shell as your own user.
linuxevents - github.com/trailofbits/linuxevents
A C++ library for monitoring process execution events on Linux using eBPF, with no dependency on BCC or external compiler tooling. The key idea was to eliminate all external build-time requirements by driving the entire BPF compilation pipeline from within the process itself. At startup, it reads the kernel’s BTF data from /sys/kernel/btf/vmlinux using the C++ btfparse library, generates a complete kernel types header entirely in memory, and feeds that header alongside the BPF C source directly into an embedded Clang compiler instance. The compiler produces LLVM IR and then BPF bytecode without ever writing a file to disk. The result is a library that compiles and loads its own BPF probes at runtime using only libclang and LLVM as dependencies.
Past
btfparse (C++) - github.com/trailofbits/btfparse
The original C++ library for parsing BTF debug symbols from the Linux kernel. Includes a dump-btf command line tool compatible with bpftool output. Superseded by the Rust rewrite.
ebpfault - github.com/trailofbits/ebpfault
A syscall fault injector built on eBPF. It lets you configure system calls to fail at a given probability, which is useful for testing how applications handle error conditions. It works on any machine with a compatible kernel and has no other requirements.
ebpfpub - github.com/trailofbits/ebpfpub
A Linux function tracing library built on eBPF. It was purpose-built to support system call tracing on older distributions with limited BPF kernel implementations, covering a wide range of kernels that more modern BPF tools could not run on. Still used by osquery. Now considered legacy as the older kernel constraints it was designed around are no longer relevant.
IDA Function Tagger - github.com/alessandrogario/IDA-Function-Tagger
An IDAPython script for IDA Pro that automatically tags subroutines based on which imported functions they call. It helps quickly identify the purpose of functions during reverse engineering without having to inspect each one manually.
Zeek Agent - github.com/zeek/zeek-agent
An endpoint monitoring tool and enrichment addon for Zeek. It collects file, socket, and process events from Linux and macOS endpoints and reports them to Zeek, giving the network security monitor visibility into endpoint activity. Uses osquery for scheduled endpoint queries. Archived in 2022, superseded by zeek-agent-v2.