0xMatheuZ / red team notes / offensive security research / pentest

0xMatheuZ

Red Team Operator, Offensive Security Researcher, and Pentester

Linux-focused offensive security research, evasion notes, pentest experiments, and post-exploitation write-ups.

Recent posts

Research notes

Technical write-ups on red team operations, offensive security research, Linux internals, persistence, and detection-aware offense.

Detecting rootkits based on ftrace hooking.

Hello! Welcome to this post. I run a Discord server focused on rootkit research, for both Linux and Windows; feel free to join and take part in the community: https://discord.gg/66N5ZQppU7 What is ftrace? ftrace (function tracer) is the Linux kernel's built-in function tracer. It is a great help when debugging the kernel and tracing functions and events, and the same mechanism can be used for hooking. Main features: Function tracing: records kernel function calls, including their order and execution time. Event tracing: monitors kernel events (tracepoints). Custom filters: restrict tracing to specific functions or events through the tracefs control files. Support for dynamic tracers such as kprobes, and integration with tools like perf. On most current systems tracing is enabled by default; if it is not, simply enable it: ...

#Rootkit
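The excerpt stops before the detection itself, so here is an added example (my own code, not the post's or the author's tooling) of the check a hunter would run on a live box: parse /sys/kernel/tracing/enabled_functions, which lists every kernel function with an active ftrace hook, and flag records whose ftrace_ops callback cannot be attributed to the core kernel or to a module present in /proc/modules. A rootkit that unlinks itself from the module list leaves exactly that trace: its callback address no longer resolves to a symbol, so the kernel's %pS prints a bare hex value. The record layout is assumed from kernel/trace/ftrace.c on 5.x/6.x kernels, the sample lines are constructed, and evil_mod is a hypothetical hidden module.

```python
# Added example, not the post's tool: triage ftrace hook records for rootkit-style hooks.
import re
from dataclasses import dataclass
from typing import Optional

# ASSUMPTION: record layout as written by t_show() in kernel/trace/ftrace.c on 5.x/6.x
# kernels: "<sym> (<count>) R I\ttramp: <tramp> (<ops->func>) -><helper>". Older kernels
# omit the tramp part; check the running kernel before trusting this parser.
TRACEFS = "/sys/kernel/tracing/enabled_functions"
PROC_MODULES = "/proc/modules"

_REC = re.compile(
    r"^(?P<sym>\S+) \((?P<count>\d+)\)(?P<flags>[ RIDOM]*)"
    r"(?:\s+tramp: (?P<tramp>\S+) \((?P<func>[^)]*)\))?"
)
_RAW_HEX = re.compile(r"^0x[0-9a-f]+$")          # %pS found no symbol for the address
_IN_MODULE = re.compile(r"\[(?P<mod>[^\]]+)\]$")  # %pS appends "[modname]" for module code


@dataclass
class HookRecord:
    symbol: str            # hooked kernel function
    count: int             # number of ftrace_ops attached to it
    save_regs: bool        # 'R': callback receives pt_regs
    ipmodify: bool         # 'I': callback may rewrite regs->ip (what hook-and-redirect rootkits need)
    tramp: Optional[str]   # trampoline the call site jumps through
    func: Optional[str]    # ftrace_ops->func as %pS printed it
    verdict: str


def _verdict(func: Optional[str], ipmodify: bool, loaded_modules: set) -> str:
    if func is not None:
        if _RAW_HEX.match(func):
            # The callback lives in code kallsyms knows nothing about: that is what a
            # module unlinked from the module list looks like.
            return "hidden-callback"
        m = _IN_MODULE.search(func)
        if m and m.group("mod") not in loaded_modules:
            return "unlisted-module"
    if ipmodify:
        return "ipmodify-review"  # livepatch does this legitimately; still confirm by hand
    return "ok"


def parse_enabled_functions(text: str, loaded_modules: set) -> list:
    """Parse enabled_functions lines into HookRecords, each carrying a verdict."""
    records = []
    for line in text.splitlines():
        m = _REC.match(line)
        if not m:
            continue
        flags = m.group("flags").replace(" ", "")
        records.append(HookRecord(
            symbol=m.group("sym"), count=int(m.group("count")),
            save_regs="R" in flags, ipmodify="I" in flags,
            tramp=m.group("tramp"), func=m.group("func"),
            verdict=_verdict(m.group("func"), "I" in flags, loaded_modules),
        ))
    return records


def suspicious(records: list) -> list:
    return [r for r in records if r.verdict != "ok"]


def read_loaded_modules(path: str = PROC_MODULES) -> set:
    """Module names from /proc/modules (first column)."""
    with open(path) as fh:
        return {line.split()[0] for line in fh if line.strip()}


# Constructed sample (not captured from a real host); evil_mod is a hypothetical hidden module.
SAMPLE = (
    "__x64_sys_kill (1) R I\ttramp: 0xffffffffc0a7a000 (0xffffffffc0a5d010) ->ftrace_ops_assist_func+0x0/0x140\n"
    "__x64_sys_getdents64 (1) R I\ttramp: 0xffffffffc0a7c000 (fh_ftrace_thunk+0x0/0x30 [evil_mod]) ->ftrace_ops_assist_func+0x0/0x140\n"
    "cmdline_proc_show (1) R I\ttramp: 0xffffffffc0000000 (klp_ftrace_handler+0x0/0x1a0 [livepatch_sample]) ->ftrace_ops_assist_func+0x0/0x140\n"
    "schedule (1) R  \ttramp: ftrace_regs_caller+0x0/0x80 (ftrace_ops_list_func+0x0/0x40) ->ftrace_ops_list_func+0x0/0x40\n"
)

if __name__ == "__main__":
    import os
    live = os.access(TRACEFS, os.R_OK)
    text = open(TRACEFS).read() if live else SAMPLE
    mods = read_loaded_modules() if live else {"livepatch_sample", "ext4"}
    for r in suspicious(parse_enabled_functions(text, mods)):
        print(f"{r.verdict:16} {r.symbol:24} func={r.func}")
```

Run it as root (tracefs is root-only; on older distributions it is mounted under /sys/kernel/debug/tracing instead). The unresolvable-callback check is the discriminating one: kprobes, perf and BPF trampolines also show up in this file, and livepatch sets IPMODIFY just like a rootkit does, so the other verdicts are leads to confirm, not alerts. A rootkit that also hooks the kallsyms lookups the kernel uses for %pS could defeat this view, which is why it belongs next to, not instead of, an offline comparison of kernel text.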

ElfDoor-gcc

Hijacking GCC with LD_PRELOAD. Introduction: If you have ever wondered how malicious code can be injected into binaries without touching the source code, using only standard Linux tools, this article is for you. We explore a technique that intercepts the compilation process with LD_PRELOAD: a preloaded library hooks the calls through which the gcc driver launches its compiler and linker subprocesses, rewrites the commands it executes, and forces a malicious library into the link step. The compiled binary looks legitimate, but it carries embedded malicious code, ready to run at the right time. ...

#Rootkit

Evading Elastic Security: Linux Rootkit Detection Bypass

Stealthy Kernel Rootkit: https://github.com/MatheuZSecurity/Singularity Rootkit Researchers: https://discord.gg/66N5ZQppU7 Introduction: Security solutions keep getting stronger. Modern EDRs such as Elastic Security, with the Elastic Defend integration, stack multiple detection layers, including YARA signatures and behavioral analysis, to identify Linux kernel rootkits, firing 26+ alerts on a single malicious module. This article demonstrates how to evade these defenses systematically. We present a case study of developing a Linux rootkit that bypasses Elastic Security's detection mechanisms through obfuscation, fragmentation, and staged execution. All content is strictly for educational purposes. ...

#Evasion

How to detect an LD_PRELOAD rootkit and hide from ldd & /proc

Hello! Welcome to this post. I run a group focused on rootkit research, for both Linux and Windows; feel free to join and take part in the community: https://discord.gg/66N5ZQppU7 What is an LD_PRELOAD rootkit? Before we begin, we need to understand what an LD_PRELOAD rootkit is. It is a type of malware that abuses the LD_PRELOAD environment variable to load a malicious shared library into dynamically linked processes. The library overrides libc functions, so it intercepts and modifies their behavior, which lets it hide files, processes and activity. An LD_PRELOAD rootkit therefore runs in user space (ring 3): it never interacts with the kernel directly. Introduction: A strong point of LD_PRELOAD rootkits is that, unlike LKM (loadable kernel module) rootkits, they are far more stable and portable across kernel versions, and easier to develop. ...

#Rootkit
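Both LD_PRELOAD posts above (ElfDoor-gcc, and detecting an LD_PRELOAD rootkit that hides from ldd and /proc) come down to the same checks, so one added example (my own code, not the author's tooling) covers them: read /etc/ld.so.preload through raw syscalls, because a rootkit that hooks open()/fopen()/read() lies to anything that goes through libc; compare what is actually mapped into a process (/proc/<pid>/maps) with what ldd claims it depends on; and look for LD_PRELOAD in /proc/<pid>/environ, which is also how you would catch it set in a compiler's environment on a build host. The syscall numbers, the assumption that libc's syscall() stub is itself unhooked, the sample maps, ldd output and environ blob, and the library name libhidden.so are all mine, not the page's.

```python
# Added example, not the post's code: LD_PRELOAD rootkit triage that bypasses the hooked libc.
import ctypes
import platform
from typing import Optional

# ASSUMPTION: syscall numbers for the two architectures covered here, and that libc's
# syscall() stub is itself unhooked (rootkits hook open/fopen/readdir/read, rarely syscall;
# a static binary removes even that dependency).
_NR = {"x86_64": {"openat": 257, "read": 0, "close": 3},
       "aarch64": {"openat": 56, "read": 63, "close": 57}}
AT_FDCWD, O_RDONLY = -100, 0
PRELOAD_FILE = "/etc/ld.so.preload"

def raw_read_file(path: str) -> Optional[bytes]:
    """Read a file via openat/read/close syscalls, bypassing hooked libc wrappers."""
    nr = _NR[platform.machine()]
    libc = ctypes.CDLL(None, use_errno=True)
    fd = libc.syscall(ctypes.c_long(nr["openat"]), ctypes.c_int(AT_FDCWD),
                      ctypes.c_char_p(path.encode()), ctypes.c_int(O_RDONLY))
    if fd < 0:
        return None
    buf, chunks = ctypes.create_string_buffer(4096), []
    while True:
        n = libc.syscall(ctypes.c_long(nr["read"]), ctypes.c_int(fd), buf, ctypes.c_size_t(4096))
        if n <= 0:
            break
        chunks.append(buf.raw[:n])
    libc.syscall(ctypes.c_long(nr["close"]), ctypes.c_int(fd))
    return b"".join(chunks)

def parse_ld_so_preload(data: bytes) -> list:
    """/etc/ld.so.preload entries: whitespace-separated paths, '#' starts a comment."""
    libs = []
    for line in data.decode(errors="replace").splitlines():
        libs.extend(line.split("#", 1)[0].split())
    return libs

def preload_from_environ(environ: bytes) -> Optional[str]:
    """LD_PRELOAD value from a NUL-separated /proc/<pid>/environ blob, or None."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None

def mapped_objects(maps: str) -> set:
    """File-backed shared objects in /proc/<pid>/maps (the path is the 6th column)."""
    paths = set()
    for line in maps.splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[5].startswith("/") and ".so" in parts[5]:
            paths.add(parts[5])
    return paths

def ldd_resolved(ldd_output: str) -> set:
    """Library paths ldd printed after '=>' ('not found' entries yield no path)."""
    paths = set()
    for line in ldd_output.splitlines():
        tok = line.split()
        if "=>" in tok and tok[tok.index("=>") + 1].startswith("/"):
            paths.add(tok[tok.index("=>") + 1])
    return paths

def injected_objects(maps: str, ldd_output: str) -> list:
    """Mapped .so files ldd never listed: preloaded into the process, or hidden from ldd.
    The dynamic loader is skipped because ldd prints its /lib64 symlink path, not the mapped one."""
    extra = mapped_objects(maps) - ldd_resolved(ldd_output)
    return sorted(p for p in extra if not p.rsplit("/", 1)[-1].startswith("ld-"))

def preload_file_findings(raw: Optional[bytes], via_libc: Optional[bytes]) -> list:
    """Compare the raw-syscall and libc views of /etc/ld.so.preload."""
    if raw is None:
        return []  # absent (or the raw open failed): nothing to compare
    findings = []
    if via_libc is None:
        findings.append("ld.so.preload readable via raw syscall but not through libc: open() is hooked")
    elif via_libc != raw:
        findings.append("ld.so.preload differs between raw syscall and libc: read()/fopen() is filtering it")
    findings.extend(f"preload entry: {lib}" for lib in parse_ld_so_preload(raw))
    return findings

# Constructed samples (not captured from a real host); libhidden.so is hypothetical.
SAMPLE_MAPS = (
    "7f2a4c000000-7f2a4c001000 r--p 00000000 08:01 5678 /usr/lib/libhidden.so\n"
    "7f2a4c200000-7f2a4c228000 r--p 00000000 08:01 9012 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f2a4c500000-7f2a4c501000 r--p 00000000 08:01 3456 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\n"
)
SAMPLE_LDD = (
    "\tlibc.so.6 => /usr/lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a4c200000)\n"
    "\t/lib64/ld-linux-x86-64.so.2 (0x00007f2a4c500000)\n"
)
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/usr/lib/libhidden.so\0HOME=/root\0"

if __name__ == "__main__":
    print(injected_objects(SAMPLE_MAPS, SAMPLE_LDD), preload_from_environ(SAMPLE_ENVIRON))
    if platform.system() == "Linux" and platform.machine() in _NR:
        try:
            via_libc = open(PRELOAD_FILE, "rb").read()  # through libc: the view a hooked open() gives
        except OSError:
            via_libc = None
        print(preload_file_findings(raw_read_file(PRELOAD_FILE), via_libc))
```

Two cautions when using this on a real host: reading other processes' environ and maps needs root, and ldd should only be run on binaries you trust, since it executes the target's dynamic loader. The raw-syscall read is what makes the comparison meaningful; if the file is visible through the syscall but not through open(), libc is being interposed, and the mapped-but-not-in-ldd list tells you which object is doing it.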

Ioctl Secrets Writeup

Challenge description: In this challenge we are given access to a Linux virtual machine (VM) running Ubuntu. The objective is to exploit a custom kernel module to retrieve a hidden flag; getting there involves reverse engineering, kernel internals, and crafting a proper exploit. What we have: a hidden kernel module loaded at boot; a character device at /dev/ioctl_dev; a setup script (device.sh) that loads the module and shreds the source files; SSH access enabled (username: root, password: ioctl). Important note: many participants had difficulty copy-pasting code directly into the VM console. As the challenge description states, SSH is enabled for easier interaction. This was a common pain point, so let's start by addressing it. ...

#CTF