scales.bpf.c

eBPF rootkit component source filename. Hooks getdents64() to hide PIDs from /proc, filenames from directory listings, and socket inodes from /proc/net/tcp + netlink (NETLINK_SOCK_DIAG). Pinned BPF maps /sys/fs/bpf/hidden_pids, /sys/fs/bpf/hidden_names, /sys/fs/bpf/hidden_inodes. Kills ptrace (PTRACE_ATTACH/PTRACE_SEIZE). IronWorm equivalent was q2.bpf.c.