asm_tracer is a research and defensive security tool. It is intended for:
- Authorized penetration testing on systems you own or have explicit written permission to test
- Security research in controlled, isolated environments
- Defensive tooling - building EDR agents, sandboxes, and syscall monitors
- Software testing - fault injection, fuzzing, and dynamic analysis of your own programs
- Education - understanding how the Linux kernel, seccomp, and ptrace interact

Use of this library against systems without explicit authorization is illegal under the Computer Fraud and Abuse Act (US), the Computer Misuse Act (UK), and equivalent legislation in most jurisdictions. The authors accept no liability for misuse.

These are not bugs - they are documented, intentional behaviours that carry risk if misused:
| Feature | Risk |
|---|---|
| Synthetic return values | Can deceive monitoring software by forging kernel responses |
| `process_vm_readv` during USER_NOTIF | Reads a frozen child's address space, including secrets in memory |
| Survives `execve` | Filter persists across exec boundaries, before most sandbox detection runs |
| Hook runs in signal context | Async-signal-unsafe hooks can corrupt process state silently |

Before deploying this library in any context, confirm that:
- You own the target system, or have written authorisation to test it
- You are operating within a defined rules of engagement
- Any data read from child processes is handled in accordance with applicable privacy law
- You are not deploying this in a production environment without thorough review
- You have read and understood the kernel documentation for `seccomp(2)`, `ptrace(2)`, and `process_vm_readv(2)`

This software is provided as-is, without warranty of any kind. The author(s) are not responsible for:
- Damage caused by misuse
- Legal consequences arising from unauthorized use
- System instability caused by incorrect hook implementations
- Data loss from unsafe memory operations