# Ghost Shell

Ghost Shell is a secure, stealthy shell implementation in Rust designed for privacy and low-profile operations. It features process masking, secure memory handling, and built-in "ghost" commands for covert utilities.

⚠️ Educational Tool: This project is designed for security research, red-team exercises, and understanding shell internals. See Threat Model below.
## Features

- Process Masking (Linux): Automatically disguises the process name as `systemd-journald` upon initialization to blend in with system processes.
- Secure Memory: Utilizes the `zeroize` crate to ensure input buffers and sensitive data are scrubbed from memory when dropped.
- Volatile History: Command history is kept strictly in RAM and is never written to disk (`.bash_history` etc.), ensuring no forensic trace remains after exit.
- Ghost Commands (`::`): A set of internal, prefixed commands that never touch the underlying system shell history.
- Clipboard Injection: Securely copy text to the system clipboard directly from the shell without trace files.
- Dynamic Prompt: Displays your current directory context `gsh <dir>>>` while keeping a low profile.
## Requirements

- Rust and Cargo (latest stable version)
- Linux environment (recommended for full feature support like process masking)
- System dependencies for clipboard support (e.g., `libxcb` and `libx11` on Linux might be required by `arboard`)
## Installation

```bash
git clone git@github.com:ind4skylivey/Ghost-intheShell.git
cd Ghost-intheShell
cargo build --release
```

Run the shell:

```bash
cargo run --release
# or directly execute the binary
./target/release/ghost-shell
```

## Usage

```text
$ ./target/release/ghost-shell
Initializing Ghost Shell protocol...
gsh ghost-shell>> ::status
GHOST MODE ACTIVE. MEMORY SECURE. TRACE: NONE.
gsh ghost-shell>> ::cp my-super-secret-token-12345
DATA INJECTED TO CLIPBOARD. TRACES REMOVED.
gsh ghost-shell>> ls -la
total 48
drwxr-xr-x 6 user user 4096 Dec 8 03:45 .
drwxr-xr-x 3 user user 4096 Dec 8 01:30 ..
...
gsh ghost-shell>> ::history
Command History (RAM only):
1: ::status
2: ::cp my-super-secret-token-12345
3: ls -la
gsh ghost-shell>> ::purge-history
HISTORY PURGED. 3 COMMANDS ZEROIZED FROM MEMORY.
gsh ghost-shell>> ::exit
[!] INITIATING SECURE SHUTDOWN...
[*] Overwriting memory buffers... DONE.
[*] All systems clear. Ghost Shell terminated.
```

### Navigation

- CD: Native support for `cd` to change directories (e.g., `cd /tmp`, `cd ..`, `cd ~`).
- Cursor: Use the `←`/`→` arrows to edit your command line.
- History: Use the `↑`/`↓` arrows to cycle through previous commands (RAM only).
- Autocomplete: Press `Tab` to auto-complete filenames in the current directory.
- Clear: `Ctrl+L` or `clear` to clean the screen.
## Ghost Commands

Ghost commands are special instructions processed internally by the shell. They are prefixed with `::`.

| Command | Description | Security Notes |
|---|---|---|
| `::status` | Displays the current security status of the shell. | Informational only |
| `::security-status` | Advanced: Shows detailed security analysis (swap, monitoring, etc.) | Detects threats |
| `::history` | Shows command history stored in RAM. | Reveals what you've typed this session |
| `::purge-history` | Securely wipes all command history from memory. | Zeroizes strings before clearing |
| `::cp <text>` | Encrypted Copy: Copies `<text>` to clipboard with ChaCha20Poly1305 encryption. | Auto-clears in 30s, returns decryption key |
| `::decrypt <key>` | Decrypts encrypted clipboard content using the provided key. | Requires key from `::cp` output |
| `::anti-debug` | Checks if a debugger/tracer is attached to the process. | Detects ptrace, auto-panics in paranoid mode |
| `::paranoid on\|off` | Paranoid Mode: Auto-panic on debugger + periodic checks every 5 commands. | Maximum security, zero tolerance |
| `::clear` | Clears the terminal screen securely. | Visual only, doesn't affect memory |
| `::exit` | Terminates the Ghost Shell session. | Triggers secure shutdown |
| `::panic` | NUCLEAR OPTION: Simulates a crash, wipes memory, and exits immediately. | Emergency exit with fake kernel panic |
### Example - Encrypted Clipboard

```text
gsh ~/secrets>> ::cp my-super-secret-password-123
ENCRYPTED DATA INJECTED. KEY: a3F5dGhpcyBpcyBhIHJhbmRvbSBrZXk=
AUTO-CLEAR IN 30s.
Use ::decrypt to recover.
# Later, to decrypt:
gsh ~/secrets>> ::decrypt a3F5dGhpcyBpcyBhIHJhbmRvbSBrZXk=
Decrypted: my-super-secret-password-123
```

### Example - Security Status

```text
gsh ~/secrets>> ::security-status
=== GHOST SHELL SECURITY STATUS ===
Memory Locked: ✗ NO
Swap Disabled: ✗ NO (RISK: Memory may be swapped to disk)
Core Dumps Blocked: ✗ NO
Monitoring Detected: ✓ NO
```

### Example - Paranoid Mode

```text
gsh ~/secrets>> ::paranoid on
✓ PARANOID MODE ENABLED
- Auto-panic on debugger detection
- Periodic security checks every 5 commands
- Enhanced threat monitoring
gsh ~/secrets>> ::anti-debug
✓ No debugger detected.
# If a debugger attaches:
gsh ~/secrets>> ls
⚠ PERIODIC CHECK: DEBUGGER DETECTED
PARANOID MODE - INITIATING EMERGENCY SHUTDOWN...
[Process exits with code 137]
```

## Threat Model

### What it protects against

- Disk-based history forensics: No `.bash_history`, `.zsh_history`, or similar files are created.
- Casual process inspection: Process name appears as `systemd-journald` in `ps`, `top`, etc.
- Accidental command logging: Ghost commands (`::`) never touch the system shell.
- Memory residue (limited): Sensitive buffers are zeroized on drop.
- Clipboard snooping (mitigated): Clipboard data is encrypted with ChaCha20Poly1305 and auto-cleared after 30s.
- Monitoring detection: Detects `ptrace`, `strace`, `gdb`, `auditd`, and other common monitoring tools.
- Debugger attachment: The `::anti-debug` command detects if the process is being traced.

### Partial protection

- Swap files: Detects if swap is enabled and warns the user. Memory locking functions are available for future use.
- Core dumps: Functions to exclude memory from core dumps (via `madvise`) are implemented but not yet active by default.
- Clipboard monitoring: While the clipboard is encrypted, the key is displayed on screen. Use carefully.

### What it does NOT protect against

- Root/privileged access: Root can inspect `/proc/<pid>/exe`, memory dumps, etc.
- Memory forensics (advanced): RAM dumps can still reveal command history before zeroization.
- Swap files (if enabled): The OS may have swapped memory pages to disk before detection.
- Screen recording/keyloggers: If your terminal is being recorded, all commands are visible.
- Advanced process hiding: Only the process name is masked; `/proc/<pid>/cmdline`, parent PID, and binary path are still visible.
- Kernel-level monitoring (sophisticated): Custom kernel modules or eBPF programs can bypass user-space detection.
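A defender-side check for the process-hiding limitation just listed, added here and not part of Ghost Shell: `prctl(PR_SET_NAME)` rewrites only `/proc/<pid>/comm`, so comparing `comm` against the basename of `/proc/<pid>/exe` and of `argv[0]` from `/proc/<pid>/cmdline` surfaces a renamed process. Standard library only; the `/proc` walk is Linux-specific.

```rust
// Added example, not Ghost Shell code: a defender-side check for the limitation
// above. PR_SET_NAME rewrites only /proc/<pid>/comm, so a comm that matches neither
// the binary (/proc/<pid>/exe) nor argv[0] (/proc/<pid>/cmdline) stands out.
// Standard library only; the /proc walk is Linux-specific.
use std::fs;
use std::path::Path;

const COMM_MAX: usize = 15; // the kernel keeps at most TASK_COMM_LEN - 1 bytes of a name

/// True when `comm` is not the (15-byte truncated) basename of the exe path or of argv[0].
/// `argv0` is None for kernel threads (empty cmdline), which are never flagged.
pub fn looks_masked(comm: &str, exe: &str, argv0: Option<&str>) -> bool {
    let matches = |p: &str| {
        let base = p.trim_end_matches(" (deleted)").rsplit('/').next().unwrap_or(p);
        comm == base.chars().take(COMM_MAX).collect::<String>()
    };
    argv0.map_or(false, |a| !matches(exe) && !matches(a))
}

/// Walk /proc and return (pid, comm, exe) for every process whose comm is suspicious.
pub fn scan_proc() -> Vec<(u32, String, String)> {
    let mut hits = Vec::new();
    let entries = match fs::read_dir("/proc") { Ok(d) => d, Err(_) => return hits };
    for e in entries.flatten() {
        let pid: u32 = match e.file_name().to_string_lossy().parse() { Ok(p) => p, Err(_) => continue };
        let dir = Path::new("/proc").join(pid.to_string());
        let comm = fs::read_to_string(dir.join("comm")).unwrap_or_default();
        // exe is a symlink; without privilege it is unreadable for other users' processes.
        let exe = match fs::read_link(dir.join("exe")) {
            Ok(p) => p.to_string_lossy().into_owned(),
            Err(_) => continue,
        };
        let cmdline = fs::read(dir.join("cmdline")).unwrap_or_default();
        let argv0 = cmdline.split(|&b| b == 0).next().filter(|a| !a.is_empty())
            .map(|a| String::from_utf8_lossy(a).into_owned());
        if looks_masked(comm.trim_end(), &exe, argv0.as_deref()) {
            hits.push((pid, comm.trim_end().to_string(), exe));
        }
    }
    hits
}

fn main() {
    for (pid, comm, exe) in scan_proc() {
        println!("pid {pid}: comm {comm:?} does not match exe {exe}");
    }
}
```

Expect a few benign hits from software that renames its own processes (browser content processes, for instance), so treat a mismatch as a triage signal rather than proof.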
## Use Cases

- Security research & education: Understanding shell internals and memory management.
- Red-team exercises: Practicing operational security in controlled environments.
- Privacy-conscious workflows: Avoiding accidental command history leaks.
- Malware analysis labs: Isolated environments where you want minimal traces.
## Technical Details

- Rust 2021 Edition
- crossterm: Terminal manipulation and raw mode
- zeroize: Secure memory scrubbing
- arboard: Cross-platform clipboard access
- chacha20poly1305: Authenticated encryption
- prctl (Linux): Process name masking
- Modular implementation: `main.rs`, `security.rs`, `clipboard.rs`
- SecureBuffer: Custom Drop for complete memory zeroization
- CommandResult enum: Type-safe command execution flow
- Raw mode terminal: Full control over input/output
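The SecureBuffer pattern listed above, as an added illustration that is not Ghost Shell's code and uses no external crates: volatile writes plus a compiler fence (the same approach the `zeroize` crate takes) scrub the buffer on drop, and a RAM-only history built on it purges the way `::purge-history` does.

```rust
// Added example, not Ghost Shell's own code: the SecureBuffer pattern with std only.
// As in the zeroize crate, volatile writes plus a compiler fence stop the optimiser
// from dropping a wipe of memory that is about to be freed.
use std::sync::atomic::{compiler_fence, Ordering};

/// Overwrite every byte with zero in a way the optimiser must not elide.
pub fn wipe(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, aligned, exclusively borrowed u8.
        unsafe { std::ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Heap buffer scrubbed on drop. It is allocated at its final size and never
/// grown, so a reallocation cannot leave a stale copy behind.
pub struct SecureBuffer { data: Vec<u8> }

impl SecureBuffer {
    pub fn from_str(s: &str) -> Self { SecureBuffer { data: s.as_bytes().to_vec() } }
    pub fn as_bytes(&self) -> &[u8] { &self.data }
    /// Explicit wipe (what `::purge-history` does); the allocation is released too.
    pub fn zeroize(&mut self) {
        wipe(&mut self.data);
        self.data.clear();
        self.data.shrink_to_fit();
    }
}

impl Drop for SecureBuffer {
    fn drop(&mut self) { self.zeroize(); }
}

/// RAM-only command history: entries live in SecureBuffers and never touch disk.
#[derive(Default)]
pub struct History { entries: Vec<SecureBuffer> }

impl History {
    pub fn push(&mut self, cmd: &str) { self.entries.push(SecureBuffer::from_str(cmd)); }
    pub fn len(&self) -> usize { self.entries.len() }
    /// Zeroize every entry and return how many were wiped (the `::purge-history` count).
    pub fn purge(&mut self) -> usize {
        let n = self.entries.len();
        self.entries.iter_mut().for_each(SecureBuffer::zeroize);
        self.entries.clear();
        n
    }
}
```

A `String` or `Vec` that grew by reallocation leaves earlier copies the wipe cannot reach, which is one reason the threat model still lists memory forensics as unprotected; size secret buffers up front as shown here.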
## Disclaimer

This tool is for educational and ethical testing purposes only. The authors are not responsible for misuse. Always obtain proper authorization before using security tools in any environment.
## Changelog

- Process masking (Linux) as `systemd-journald`
- Volatile command history (RAM only)
- Ghost commands: `::status`, `::cp`, `::clear`, `::exit`, `::panic`
- Secure memory handling with `zeroize`
- Raw mode terminal with crossterm
- Basic autocomplete (single match)
- Command history navigation with arrow keys
- Dynamic prompt with current directory

- Fix `::exit` bug with proper enum handling
- Add `::history` command to view RAM-stored commands
- Add `::purge-history` command with secure zeroization
- Remove unused dependencies (reduced binary size)
- CommandResult enum for type-safe execution flow
- Comprehensive threat model documentation

- Modularize code into separate files (`security.rs`, `clipboard.rs`)
- Encrypted clipboard with ChaCha20Poly1305 (AEAD)
- Auto-clear clipboard after 30 seconds
- `::decrypt <key>` command to recover encrypted data
- `::security-status` command with detailed analysis
- Swap detection (warns if memory may be swapped to disk)
- Monitoring tool detection (strace, gdb, auditd, eBPF, etc.)
- ptrace detection (debugger attachment)

- `::paranoid on|off` command for maximum security
- Auto-panic when debugger is detected
- Periodic security checks every 5 commands
- Enhanced `::anti-debug` with auto-exit in paranoid mode
- Command counter for security monitoring
- Custom Drop for complete history zeroization on exit
- Base64 key zeroization after display
- Comprehensive security audit (92% score)
- SECURITY_AUDIT.md documentation
- Unit tests for security functions

## Roadmap

- Memory locking (`mlock`) for sensitive buffers
- Core dump prevention (`madvise(MADV_DONTDUMP)`)
- Clipboard clear command (`::clear-clipboard`)
- Session key for persistent encryption
- Configuration file support (colors, prompt, timeout)
- Improved autocomplete (show multiple matches)
- Better UTF-8/grapheme cluster support
- Timing attack detection
- String obfuscation for sensitive constants
- Self-integrity checks (detect binary modification)
- Anti-VM/sandbox detection
- Network-based threat intelligence
- Plugin system for custom ghost commands
## License

This is a personal project for educational purposes. See the LICENSE file for details.