Singularity - How Modern Linux Rootkits Work and Why They're So Hard to Detect

1,699 stars

Imagine this scenario: you log into a server, run ps aux, and everything looks perfectly normal. You check network connections with ss — clean. You review the kernel log with dmesg — no suspicious entries. But at that very moment, a hidden root-level process is running on the system, intercepting your actions and filtering data right in kernel memory.

Sound like something from a hacker movie? This is the reality of modern LKM rootkits (Linux Kernel Modules). Today we'll examine the Singularity project by developer MatheuZSecurity — an advanced tool for researching stealth capabilities in Linux 6.x kernels.

What is Singularity and Why Does a Researcher Need It?

Singularity is not just another toy for changing a user's UID. It's a full-fledged research project created to test the limits of modern security systems. The author asked the question: "How far can a rootkit go if it has already managed to inject itself into the kernel?"

The project targets modern kernels (the 6.x branch) and uses the ftrace infrastructure for system call interception. This makes it extremely interesting for systems programmers and information security specialists (DFIR), as it demonstrates bypassing security heavyweights like eBPF-based tools (Falco, Tracee) and LKRG (Linux Kernel Runtime Guard).

Key Features: The Art of Staying Invisible

Singularity is a true Swiss Army knife for covert operations. Let's walk through the most impressive capabilities.

1. Ghost-Level Camouflage

The rootkit doesn't just hide files or processes — it does so systematically:

  • Processes: Any PID can be made invisible to ps, top, and even /proc. Moreover, Singularity automatically tracks and hides all child processes.
  • Files: Hiding works by patterns. If you created a directory with a "secret" name, it will disappear from the output of ls and find, although you can still access files inside if you know the path.
  • Network: Connections on specific ports (for example, your reverse shell) won't be seen by either netstat or tcpdump.
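A defender-side counterpart to the process-hiding bullet above, added here as an example (not code from the Singularity project): it cross-checks the PIDs that readdir() on /proc reports against PIDs that still resolve when /proc/<pid> is opened directly, on the assumption that a rootkit which filters directory listings still answers direct path lookups, as the article says hidden files do.

```python
"""Cross-view check for PIDs hidden from /proc listings (added example, not
Singularity code). Assumes the rootkit filters directory entries (getdents64)
but still serves direct /proc/<pid> lookups, as the article says hidden files do."""
import os

PID_MAX_PATH = "/proc/sys/kernel/pid_max"

def listed_pids(proc="/proc"):
    """PIDs visible via readdir(), i.e. what ps and top enumerate."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def tgid_of(status_text):
    """Thread-group id from /proc/<pid>/status; None if the field is missing."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None

def probed_pids(proc="/proc", pid_max=None):
    """PIDs that resolve when /proc/<pid> is opened directly, never via readdir()."""
    if pid_max is None:
        with open(PID_MAX_PATH) as fh:
            pid_max = int(fh.read())
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            with open(f"{proc}/{pid}/status") as fh:  # path lookup, not getdents64
                tgid = tgid_of(fh.read())
        except (FileNotFoundError, ProcessLookupError):
            continue
        except PermissionError:
            found.add(pid)  # exists even though we may not read it
            continue
        if tgid == pid:  # /proc/<tid> resolves for threads too; keep group leaders only
            found.add(pid)
    return found

def hidden_pids(listed, probed, ignore=()):
    """Pure set comparison, testable on constructed input. `ignore` holds PIDs that
    legitimately differ (the scanner itself); processes exiting between snapshots are
    the usual false positive, so a real deployment keeps only hits seen in two passes."""
    return sorted((probed - listed) - set(ignore))

def scan():
    """Run the check on the live system; returns PIDs present only in the probe view."""
    return hidden_pids(listed_pids(), probed_pids(), ignore={os.getpid()})

if __name__ == "__main__":
    for pid in scan():
        print(f"PID {pid} answers on /proc/{pid} but is absent from readdir(/proc)")
```

Run it as root in a VM hosting the module; a PID that resolves but is not listed is the signature this check looks for, and a second pass rules out processes that simply exited between the two snapshots.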

2. Bypassing eBPF and Modern EDR

This is probably the most technically complex part. Most modern monitoring systems (like Falco) rely on eBPF for real-time event tracking. Singularity doesn't block eBPF (that would be too noticeable), but carefully filters the data that eBPF programs transmit to user space. It substitutes results in buffers, making hidden resources invisible to the monitoring "eyes."

3. Privilege Manipulation via Signals

Forget about complex exploits. Singularity implements an elegant mechanism:

kill -59 $$

Sending a specific signal (in this case, 59) to the current process instantly elevates its privileges to root. Simple, effective, and very dangerous in the wrong hands.

4. Fighting Forensics (Forensics Evasion)

The project can even deceive low-level disk analysis tools such as debugfs. It intercepts read/write system calls and scrubs mentions of itself from output buffers on the fly, replacing them with spaces. This keeps the filesystem itself intact (checksums don't break) while hiding the presence of the malicious code.

How Does It Work Internally?

Singularity's architecture is modular. In the repository you'll find separate files for each task: hiding_tcp.c for networking, bpf_hook.c for eBPF countermeasures, and lkrg_bypass.c for bypassing kernel protection.

The logging implementation is interesting. The rootkit hooks the do_syslog function, which lets it filter the kernel ring buffer. If the system tries to output a message about the kernel being tainted by the loading of a third-party module, Singularity simply cuts that string out.

Process Hiding Demo

Practical Value for Developers

Why should a developer study rootkit code?

  1. Understanding Linux Internals: The project code is an excellent textbook on working with system calls, task_struct structures, the network stack, and ftrace subsystem.
  2. Designing Security Systems: To build a strong fortress, you need to know how siege weapons work. By studying eBPF bypass methods in Singularity, you can better configure your rules in Falco or Tracee.
  3. Kernel Development: This is a hands-on example of how to write LKM (Linux Kernel Modules) for modern kernel versions, accounting for API changes.

Safety Precautions

Important: Singularity is a powerful tool that hides itself after loading (lsmod won't show it). It has no unload function, as that would create an additional detection vector. To get rid of it, a reboot will be required.

The author strongly recommends testing the project only in virtual machines. And, of course, using it exclusively for educational and research purposes.

Singularity is an impressive example of how sophisticated Linux stealth methods have become. The project shows that even the most modern security tools are not a silver bullet if the attacker has gained a foothold at the kernel level.

For those who want to dive deeper, I recommend checking out include/core.h and seeing how the hooks are implemented. This reading might be more captivating than any detective novel.

Try it (in a VM!): GitHub MatheuZSecurity/Singularity

By the way, what do you think — is using eBPF for security a dead end if rootkits have learned to bypass it? Share your thoughts in the comments!
