Daniel Roberson - unhookinglinuxedrs-matheuzsecurity2025

Daniel Roberson

unhookinglinuxedrs-matheuzsecurity2025

2025-04-03

Unhooking Linux EDRs

by matheuz

https://github.com/MatheuZSecurity/UnhookingLinuxEdr

Notes
insmod
dmesg
EDR
Linux
LKM
Trend Micro
Trend Micro Deep Security
CrowdStrike Falcon
CrowdStrike
eBPF
machine learning
hooks
module_init(), module_exit()
printk
/proc/modules
/sys/module directory
cleanup_module alias
/proc/kallsyms
EDR, rootkits prevent module unloading with rmmod
linked list
tmhook module
bmsensor module

Links to this note

Notes

Recent Posts

Linux Persistence: Processes

2025-04-11 DFIR persistence processes linux persistence processes

Defanging Linux LKM Rootkits With cleanup_module()

2025-04-05 Linux LKM rootkits EDR hooks incident response Linux LKM rootkit

Linux Persistence: atd

2025-04-01 DFIR CTF linux persistence at atd

Linux Persistence: SSH

2025-03-29 DFIR CTF SSH hardening hunting persistence linux persistence hunting hardening SSH PAM

Linux Hardening: SSH

2025-03-06 DFIR SSH hardening linux hardening SSH PAM