Empower your LLM with direct kernel access using eBPF.
Pitch

godshell is a unique tool that connects your LLM directly to your system kernel through eBPF, eliminating the inefficiencies of command probing. By capturing system events and states natively, it transforms how LLMs interact with your OS, creating a seamless inference layer for developers.

Description

godshell is an innovative tool designed to enhance access to kernel-level information using Large Language Models (LLMs). By integrating directly with the kernel through eBPF (Extended Berkeley Packet Filter), it observes system events from boot time onward and produces a structured snapshot that LLMs can query directly. This approach eliminates the cumbersome processes of command probing and log parsing, allowing users to interact with their system state more effectively than traditional methods allow.

Key Features

  • Natural Language Queries: Enable intuitive interactions by asking questions about the current or historical system state, providing the LLM with comprehensive structured context that goes beyond simple command output.
  • Snapshots: Capture manual or automated snapshots of system states for later queries to facilitate detailed before-and-after comparisons.
  • Ghost Processes: Track and analyze exited processes, enabling investigation even when traditional command outputs (like ps) show no active processes.
  • Detailed Process Panel: Visualize process trees and easily identify potentially suspicious activities to hand over to the LLM agent for analysis.
  • Agent Toolset: Comes with basic observability and analysis tools to support various use cases such as fileless malware detection, memory string extraction, process lineage tracking, and network connection analysis.

Architecture

godshell is composed of two primary components:

  • godshell-daemon: A Go service managed by systemd that continuously collects events through eBPF tracepoints and stores them in a SQLite database. It exposes an HTTP API over a UNIX socket for integration with the TUI.
  • godshell-tui: Built with the BubbleTea framework, this user interface reads the daemon's state, displays a process tree and event timeline, and allows users to perform natural language queries.
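The daemon's pipeline (tracepoint events recorded, then replayed into a queryable snapshot) is easiest to see with a small model of it. The Go block below is an added example, not godshell's own code: it assumes a constructed exec/exit event log in a made-up Event shape, and shows why retaining exited processes as ghosts keeps the lineage of a process that ps no longer lists recoverable, and how snapshots at two timestamps can be compared.

```go
package main

// Event is the shape a sched_process_exec / sched_process_exit tracepoint handler
// would hand the daemon (constructed for this example, not godshell's real schema).
type Event struct {
	TS        int64  // ns since boot; the log is assumed to be in TS order
	Kind      string // "exec" or "exit"
	PID, PPID int
	Comm      string
}

// SampleEvents is a constructed trace: a shell (child of init) runs curl, and curl exits.
var SampleEvents = []Event{
	{200, "exec", 500, 1, "bash"},
	{300, "exec", 501, 500, "curl"},
	{400, "exit", 501, 500, "curl"},
}

// Snapshot replays the log up to time ts and returns every process seen plus the set
// of PIDs that had already exited: ghosts are flagged, not dropped, so they stay queryable.
func Snapshot(events []Event, ts int64) (procs map[int]Event, ghosts map[int]bool) {
	procs, ghosts = map[int]Event{}, map[int]bool{}
	for _, e := range events {
		if e.TS > ts {
			break
		}
		if e.Kind == "exec" {
			procs[e.PID] = e
			delete(ghosts, e.PID) // PID reuse: a fresh exec under an old PID is live again
		} else if _, ok := procs[e.PID]; ok && e.Kind == "exit" {
			ghosts[e.PID] = true
		}
	}
	return procs, ghosts
}

// Lineage walks parent links toward the root (depth-bounded against a corrupt log);
// because ghosts are retained, an exited process's ancestry is still recoverable.
func Lineage(procs map[int]Event, pid int) []string {
	var chain []string
	for depth := 0; depth < 64; depth++ {
		p, ok := procs[pid]
		if !ok {
			break
		}
		chain = append(chain, p.Comm)
		pid = p.PPID
	}
	return chain
}
```

Exit events for processes that started before tracing began are ignored here, which is the same blind spot a boot-time collector avoids.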

Installation Requirements

godshell requires a Linux kernel of version 5.8 or later with BTF (BPF Type Format) enabled. strace must also be installed for the tracing functionality, although future versions aim to eliminate this dependency.

Examples of Usage

sudo godshell daemon   # Start the daemon if it's not already running
godshell               # Launch the TUI interface

Future Enhancements

The development roadmap for godshell includes enhancements such as improved graph modeling for richer snapshots, compatibility with multiple LLM providers, additional kernel tracepoints, and the integration of YARA for memory scanning against malware signatures.

godshell is an experimental tool that offers groundbreaking solutions for system observation and analysis, making it a powerful asset for developers and security professionals alike.
