
Stealth or anti-debug?

Posted Jan 17, 2026 22:39 UTC (Sat) by matheuz (subscriber, #181907)
In reply to: Stealth or anti-debug? by tux3
Parent article: A free and open-source rootkit for Linux

The hook in finit and init_module that returns -ENOEXEC is temporary. It exists only to block LKRG. However, a new feature will be committed to GitHub in the coming days or possibly within a week, which will bypass LKRG for privilege escalation.

Another point is that previously there was only a hook on finit and init_module to prevent other rootkit scanners that look for gaps in kernel memory from detecting it. In practice, they still fail to detect it. Even so, I will further improve module hiding using a technique that also avoids detection by LKM-based rootkit scanners.

The blocking of new modules is temporary, and this hook will be removed soon. The same applies to blocking certain eBPF operations. This is also temporary. Once I have more time to work on Singularity, eBPF operations that attempt to detect hidden processes or files will be bypassed as well.

That said, there will no longer be any behavioral changes related to these two modules.

Additionally, Singularity can bypass EDRs such as CrowdStrike Falcon, which is eBPF-based, Trend Micro EDR, which is LKM-based, Kaspersky, also LKM-based, Elastic Security (there is an article in the Singularity README explaining how to bypass it), and some other EDRs that I tested in my virtual machine.


LKRG

Posted Feb 5, 2026 6:03 UTC (Thu) by solardiz (guest, #35993)

LKRG co-maintainer here. Thank you for Singularity, it's helpful to have a reference open source kernel rootkit. We're tracking our stance on Singularity's bypass of LKRG, whether it matters (not yet fully relevant under our threat model), and what we're doing about it (already broke it in our git anyway), here: https://github.com/lkrg-org/lkrg/issues/455


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds