MatheuZ
Red Team Operator, Offensive Security Researcher, and Pentester
Linux-focused offensive security research: evasion, rootkits, telemetry bypass, and post-exploitation write-ups.
Writing
- 2025-07-04 · 14 minRed Team Tactics: Evading EDR on Linux with io_uring
Full source: https://github.com/MatheuZSecurity/RingReaper Table of Contents Introduction What is io_uring? The Agent Code Analysis How Does the EDR Typically Fail Here? Practical EDR Bypass Python C2 Server Flow Defensive Reflections Conclusion Introduction Each year, new security solutions emerge to protect Linux systems against increasingly sophisticated threats. Technologies such as EDR (Endpoint Detection and Response) evolve rapidly, making the work of an attacker more challenging. We, as red teamers, we need to stay one step ahead, seeking to understand not only the defenses, but also how to creatively circumvent them.
- 2025-06-21 · 9 minbreaking ld_preload rootkit hooks
This article explores a technique to bypass Userland based hooks, such as those implemented via LD_PRELOAD by leveraging io_uring, a modern Linux kernel interface for asynchronous I/O. By bypassing traditional libc wrappers, such as open(), write(), and close(), which are commonly intercepted in LD_PRELOAD based hooks, it’s possible to evade detection or interference by such malicious userspace mechanisms. We demonstrate this by comparing a simple LD_PRELOAD rootkit that hooks the open() call with a program that uses io_uring to interact with the file system while still leveraging syscalls internally, io_uring minimizes user‑kernel transitions by batching operations through shared memory queues, issuing only a few essential syscalls (e.g., io_uring_enter, io_uring_setup) for coordination.
- 2025-05-14 · 5 minBypassing LD_PRELOAD Rootkits Is Easy
Introduction In this post, I’m going to get into a really cool topic, which is how to bypass the hooks used by LD_PRELOAD rootkits, a technique that is effective against most, if not all, of them. LD_PRELOAD LD_PRELOAD is an environment variable used by dynamic linkers on Unix-like systems (such as /lib64/ld-linux-x86-64.so.2 on x86_64 Linux) to force specific shared libraries to be loaded before any others during program execution.
- 2025-04-13 · 6 minElfDoor-gcc
Hijacking GCC with LD_PRELOAD Introduction If you’ve ever wondered how it’s possible to inject malicious code into binaries without touching the source code, and using only standard Linux tools, this article is for you. We’ll explore a very cool technique that intercepts the compilation process with LD_PRELOAD, modifying the commands executed and forcing the inclusion of a malicious library during linking. In the end, the compiled binary looks legitimate, but it is infected with embedded malicious code, ready to be executed at the right time.
- 2024-12-26 · 2 minDetecting rootkits based on ftrace hooking.
Hello! Welcome to this post! Well, I have a server that is focused on rootkit research, both for Linux and Windows, feel free to come and participate in our community. https://discord.gg/66N5ZQppU7 What is Ftrace? ftrace (Function tracing) is a kernel function tracer. It helps a lot with debugging the Linux kernel, tracing functions, events, and of course, you can use ftrace to do hooking, etc. Main Features: Function Tracing: Records kernel function calls, including order and execution time. Event Tracing: Monitors system events. Custom Filters: Focus on specific functions or events via configuration files. Support for dynamic tracers like kprobes and integration with tools like perf. On more current systems, tracing is enabled by default, but if not, simply set it: