pamspy - Credentials Dumper for Linux

pamspy leverages eBPF technologies to achieve the equivalent of 3snake's work. It tracks a particular userland function inside the PAM (Pluggable Authentication Modules) library, which many critical applications use to handle authentication.

pamspy loads a userland return probe eBPF program to hook libpam.so. PAM has a flexible design for managing different kinds of authentication on Linux. Each time an authentication process tries to check a new user, it calls pam_get_authtok, and pamspy is there to dump the content of the critical secrets!
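On the detection side, a return probe on libpam.so is visible to an administrator who lists the perf events that carry BPF programs. The sketch below is an added example, not part of pamspy: it assumes the JSON record layout documented for `bpftool -j perf show` (fields `pid`, `fd_type`, `filename`, `offset`, `prog_id`), and the sample records, including the `loader` PIDs and offsets, are constructed.

```python
import json
import os

# Probe kinds that hook userland code; kprobes and tracepoints are ignored.
USER_PROBE_TYPES = {"uprobe", "uretprobe"}


def find_pam_probes(bpftool_json, lib_prefix="libpam.so"):
    """Return user-space probes whose target file is the PAM core library.

    bpftool_json: text produced by `bpftool -j perf show` (assumed layout).
    lib_prefix:   basename prefix to match; "libpam.so" also covers
                  versioned names such as libpam.so.0 but not libpam_misc.so.
    """
    hits = []
    for rec in json.loads(bpftool_json):
        if rec.get("fd_type") not in USER_PROBE_TYPES:
            continue
        target = rec.get("filename", "")
        if os.path.basename(target).startswith(lib_prefix):
            hits.append({
                "pid": rec.get("pid"),          # process holding the perf event
                "prog_id": rec.get("prog_id"),  # BPF program to inspect next
                "type": rec["fd_type"],
                "target": target,
                "offset": rec.get("offset"),    # file offset of the hooked code
            })
    return hits


# Constructed sample: one kprobe, one probe on an unrelated PAM helper
# library, and one return probe on libpam itself.
SAMPLE = json.dumps([
    {"pid": 1201, "fd": 5, "prog_id": 11, "fd_type": "kprobe",
     "func": "__x64_sys_write", "offset": 0},
    {"pid": 1302, "fd": 6, "prog_id": 12, "fd_type": "uprobe",
     "filename": "/usr/lib/x86_64-linux-gnu/libpam_misc.so.0", "offset": 4096},
    {"pid": 1403, "fd": 7, "prog_id": 13, "fd_type": "uretprobe",
     "filename": "/usr/lib/x86_64-linux-gnu/libpam.so.0", "offset": 30464},
])

if __name__ == "__main__":
    for hit in find_pam_probes(SAMPLE):
        print("probe on PAM library: pid={pid} prog_id={prog_id} "
              "{type} {target}+{offset}".format(**hit))
```

On a live host, feed the function the real output of `bpftool -j perf show` run as root, then review the owning process and BPF program of every hit.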