0xMatheuZ / red team notes / offensive security research / pentest

0xMatheuZ

Red Team Operator, Offensive Security Researcher, and Pentester

Linux-focused offensive security research, evasion notes, pentest experiments, and post-exploitation write-ups.

Recent posts

Research notes

Technical write-ups on red team operations, offensive security research, Linux internals, persistence, and detection-aware offense.

Trend Micro Deep Security Agent Research: Forcing bmhook/tmhook Reloads to Open a Protection Bypass Window

Research scope: This is security research on Trend Micro Deep Security Agent on Linux. The finding is not remote code execution and it is not a persistent kill switch. It is a forced security-control gap. A local unprivileged event storm can make the agent unload and reload its own behavior-monitoring kernel modules. During that window, protection behavior changes, and an artifact that was normally blocked was written to disk successfully. ...

#Trend Micro #Deep Security Agent #Linux Kernel

Bypassing LD_PRELOAD Rootkits Is Easy

Introduction In this post, I’m going to get into a really cool topic, which is how to bypass the hooks used by LD_PRELOAD rootkits, a technique that is effective against most, if not all, of them. LD_PRELOAD LD_PRELOAD is an environment variable used by dynamic linkers on Unix-like systems (such as /lib64/ld-linux-x86-64.so.2 on x86_64 Linux) to force specific shared libraries to be loaded before any others during program execution. ...

#Rootkit

A simple way to detect and remove LKM rootkit KoviD (Outdated)

Hello everyone, welcome to this post, where I will cover the easiest way to detect and remove the KoviD LKM rootkit. But first of all, we need to understand how KoviD works. What is KoviD? KoviD is a Linux kernel rootkit containing several features that make it difficult to detect and remove; in my opinion, KoviD is the best open source LKM rootkit today, and you can see more about it on GitHub. ...

#Rootkit

Breaking eBPF Security: How Kernel Rootkits Blind Observability Tools

Stealthy Kernel Rootkit: https://github.com/MatheuZSecurity/Singularity Rootkit Researchers: https://discord.gg/66N5ZQppU7 Me: https://www.linkedin.com/in/mathsalves/ Introduction Linux security tooling has leaned heavily into eBPF. Projects like Falco, Tracee, and Tetragon made kernel-level telemetry feel like a step change: richer context, low overhead, and visibility that’s difficult to evade from user space. But that promise quietly depends on a threat model: the kernel is assumed to be a trustworthy observer. This article explores what happens when that assumption breaks, specifically, when an attacker can execute code in the kernel (e.g., via a loaded module). In that world, the most valuable targets aren’t the eBPF programs themselves, but the plumbing around them: iterators, event delivery paths (ring buffer / perf buffer), perf submission, and map operations that turn kernel activity into user-space signals. ...

#eBPF #Kernel Security #Evasion

breaking ld_preload rootkit hooks

This article explores a technique to bypass userland-based hooks, such as those implemented via LD_PRELOAD, by leveraging io_uring, a modern Linux kernel interface for asynchronous I/O. By bypassing the traditional libc wrappers, such as open(), write(), and close(), which are commonly intercepted by LD_PRELOAD-based hooks, it’s possible to evade detection or interference by such malicious userspace mechanisms. We demonstrate this by comparing a simple LD_PRELOAD rootkit that hooks the open() call with a program that uses io_uring to interact with the file system. While still relying on syscalls internally, io_uring minimizes user-kernel transitions by batching operations through shared memory queues, issuing only a few essential syscalls (e.g., io_uring_enter, io_uring_setup) for coordination. ...

#Rootkit