GPL v3 Early Development Linux Python KVM/QEMU

Quartzine

// USB interception & sandboxed analysis for malware labs

What is Quartzine?

When a USB drive is plugged into a Linux machine, Quartzine intercepts the event before the OS mounts anything — and asks what you want to do with it.

Designed for malware analysis labs that handle physically untrusted media.

How it works

USB plugged in
├─ udev intercepts (before udisks2 mounts)
├─ Mount normally? ──────────────────── normal OS behavior
└─ Analyze (mount with VM)?
├─ Clean VM snapshot spun up
├─ USB passthrough → VM
├─ VM opens & navigates the drive
├─ eBPF + network tap observe everything
├─ Report generated (optional)
└─ VM destroyed. Nothing persists.

Stack

USB Detection udev rules pyudev
VM Orchestration Python QEMU/KVM
Host Observation eBPF bpftrace
Network Simulation INetSim tcpdump

Requirements

# Host OS
Linux x86_64 with KVM support — Python 3.10+

Installation

$ git clone https://github.com/Mathos6/Quartzine
$ chmod +x Quartzine/configd/install.sh
$ sudo ./Quartzine/configd/install.sh

Status

Early development. Not ready for production use.

Planned milestones
✓  udev interception + user prompt
✓  USB passthrough to VM
○  QEMU snapshot lifecycle management
○  eBPF observation layer
○  Network isolation + INetSim integration
○  JSON report generation
○  Anti-evasion VM hardening
⚠ Warning This tool is intended for controlled lab environments only. Never use on production machines or with drives from untrusted sources outside a properly isolated network.