SOCAT-based network relay with kernel-level process masquerading.
Full bidirectional relay with 50+ channel types. Process name manipulation via prctl/setproctitle. Argument memory zeroing across /proc boundaries. Zero configuration stealth.
Authorization Required: Designed exclusively for authorized security testing with explicit written permission.
Prerequisites: GCC, GNU Make, OpenSSL (optional)
git clone https://github.com/Real-Fruit-Snacks/Conduit.git
cd Conduit
make
Verify:
./conduit --help
./conduit --list-masq
Hide in plain sight. Choose a preset identity or define your own.
./conduit -Mk TCP-LISTEN:8080,fork TCP:10.0.0.5:80 # kernel worker [kworker/0:1]
./conduit -Ms TCP-LISTEN:8080,fork TCP:backend:80 # systemd-logind
./conduit -MS TCP-LISTEN:2222 TCP:internal-ssh:22 # /usr/sbin/sshd
./conduit -Mn UDP-LISTEN:53,fork UDP:8.8.8.8:53 # NetworkManager
./conduit -Mc 'nginx: worker process' TCP-LISTEN:443 TCP:app:8443 # custom name
Command-line arguments erased from /proc after parsing. Survives ps, top, htop inspection.
./conduit -Mk TCP-LISTEN:8080,fork TCP:10.0.0.5:80 &
ps aux | grep conduit # arguments hidden
ps aux | grep kworker # appears as kernel worker
PID targeting, OOM immunity, port range control, environment sanitization, and time namespace matching.
sudo ./conduit -Ms -Mp 500 TCP-LISTEN:8080 TCP:target:80 # target specific PID
sudo ./conduit -Ms -Mo TCP-LISTEN:443,fork TCP:backend:443 # OOM immune
sudo ./conduit -Ms -MP 49152-65535 -Me TCP-LISTEN:8080 TCP:target:80 # port range + env clean
sudo ./conduit -Ms -Mt 500 TCP-LISTEN:8080 TCP:target:80 # match process start time
100+ configuration options. TCP, UDP, UNIX, SSL/TLS, SOCKS, file, PTY: all 50+ channel types work unchanged. No functionality sacrificed for stealth.
./conduit -Ms OPENSSL:server:443,verify=0 TCP-LISTEN:8080,fork # SSL/TLS
./conduit -Mk SOCKS4A:proxy:target:80 TCP-LISTEN:1080 # SOCKS proxy
./conduit -Ms UNIX-CONNECT:/var/run/docker.sock TCP-LISTEN:2375 # UNIX socket
Conduit/
├── socat-repo/
│ ├── socat.c # Main relay + masquerading (-Mk, -Ms, -MS, -Mn, -Md, -Mr, -Mc)
│ ├── xio-tcp.c # TCP channels
│ ├── xio-openssl.c # SSL/TLS channels
│ ├── xio-socks.c # SOCKS proxy
│ └── [48 more xio-*] # Other channel types
├── Makefile
└── docs/
Three-stage execution: parse masquerade flag → apply identity via platform-native API (prctl on Linux, setproctitle on BSD, argv zeroing as fallback) → start SOCAT relay. Masquerading is transparent to relay logic.
| Feature | Linux | FreeBSD | OpenBSD | macOS |
|---|---|---|---|---|
| Process masquerade | prctl | setproctitle | setproctitle | Limited |
| Argument hiding | Full | Full | Full | Full |
| Relay | Full | Full | Full | Full |
| PID targeting | Root | — | — | — |
| OOM immunity | Root | — | — | — |
| Time matching | Kernel 5.6+ | — | — | — |
Report vulnerabilities via GitHub Security Advisories. 90-day responsible disclosure.
Conduit does not:
- Evade strace, dtrace, or eBPF syscall tracing
- Hide network traffic patterns or connection metadata
- Defeat EDR/XDR behavioral analysis
- Bypass kernel security modules (SELinux, AppArmor)
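
A detection-side check for the kernel-worker identity described above, as an added example that is not part of Conduit or its documentation: a real Linux kernel thread carries the PF_KTHREAD flag in /proc/<pid>/stat, is a child of kthreadd (PID 2) and has no /proc/<pid>/exe target, and renaming a userland process changes none of these. The name pattern, function names and the two stat lines are constructed for illustration, and the check assumes the masquerade alters only the process name and arguments, as this page describes.

```python
import os
import re

PF_KTHREAD = 0x00200000  # include/linux/sched.h: kernel-managed task flag
KTHREAD_NAME = re.compile(r"^\[?(kworker/|ksoftirqd/|migration/|kswapd|kthreadd)")

def parse_stat(line):
    """Parse /proc/<pid>/stat. comm may hold spaces or ')', so cut at the last ')'."""
    lpar, rpar = line.index("("), line.rindex(")")
    rest = line[rpar + 1:].split()  # rest[0]=state, rest[1]=ppid, rest[6]=flags
    return {"pid": int(line[:lpar]), "comm": line[lpar + 1:rpar],
            "ppid": int(rest[1]), "flags": int(rest[6])}

def masquerade_reasons(stat_line, exe=None):
    """Reasons a task named like a kernel thread is not one (empty list = consistent)."""
    st = parse_stat(stat_line)
    if not KTHREAD_NAME.match(st["comm"]):
        return []
    reasons = []
    if not st["flags"] & PF_KTHREAD:
        reasons.append("PF_KTHREAD not set")
    if st["ppid"] not in (0, 2):  # kthreadd is pid 2; its own parent is 0
        reasons.append(f"parent is pid {st['ppid']}, not kthreadd")
    if exe:
        reasons.append(f"backed by executable {exe}")
    return reasons

def scan(proc="/proc"):
    """Check every live task on a Linux host; returns {pid: reasons} for suspects."""
    hits = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/stat", errors="replace") as fh:
                line = fh.read()
        except OSError:
            continue  # task exited while we were scanning
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
        except OSError:
            exe = None  # kernel threads have no exe target; so do tasks we may not inspect
        if reasons := masquerade_reasons(line, exe):
            hits[int(pid)] = reasons
    return hits

# Constructed sample stat lines (not captured from a real host)
REAL = "37 (kworker/0:1-events) I 2 0 0 0 -1 69238880 0 0 0 0 0 0 0 0 20 0 1 0 30 0 0"
FAKE = "4242 (kworker/0:1) S 1 4242 4242 0 -1 4194560 0 0 0 0 0 0 0 0 20 0 1 0 9000 0 0"
if __name__ == "__main__":
    print(masquerade_reasons(FAKE, exe="/tmp/relay"), scan())
```

Run `scan()` as root so that `/proc/<pid>/exe` is readable for every task; without privilege the flag and parent checks still apply.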
GPLv2 with OpenSSL exception — Copyright 2026 Real-Fruit-Snacks. Based on SOCAT 1.7.3.3 by Gerhard Rieger.