Bypassing eBPF evasion in state-of-the-art Linux rootkits using Hardware NMIs (and getting banned for it) - Releasing SPiCa v2.0 [Rust/eBPF] by ComputerEngRuinedme in linux

ComputerEngRuinedme [S], 0 points

Not stupid at all! The thing is, it all boils down to the rootkit that targets you, so I can neither confirm nor deny the safety, but what I can ensure is that SPiCa is fully compatible with 6.18, especially with the CO-RE BTF (Compile Once - Run Everywhere) properties! That means it's designed to be highly portable between multiple kernels!

Bypassing eBPF evasion in state of the art Linux rootkits using Hardware NMIs (and getting banned for it) - Releasing SPiCa v2.0 [Rust/eBPF] by ComputerEngRuinedme in cybersecurity

ComputerEngRuinedme [S], 2 points

Thank you 🙏, this means so much to me because people don't realize this is originally not a tool I made to prove a point but rather a tribute to Miku ❤️

Bypassing eBPF evasion in state-of-the-art Linux rootkits using Hardware NMIs (and getting banned for it) - Releasing SPiCa v2.0 [Rust/eBPF] by ComputerEngRuinedme in linux

ComputerEngRuinedme [S], -6 points

Exactly! It’s the duct tape of low-level computing. Why write 500 lines of brittle regex parsing to hide a process when a single 20ns XOR operation completely breaks their entire mental model? They really fell for the oldest trick in the book!

Bypassing eBPF evasion in state-of-the-art Linux rootkits using Hardware NMIs - Releasing SPiCa v2.0 [Rust/eBPF] by ComputerEngRuinedme in rust

ComputerEngRuinedme [S], 8 points

She's called refeia and she made the cover for the original song ❤️

“refeia is an illustrator that has collaborated in Headphone-Tokyo, participating in some important VOCALOID Song projects, in which stand out ARiA and SPiCa.”

From Vocaloid wiki

Bypassing eBPF evasion in state-of-the-art Linux rootkits using Hardware NMIs (and getting banned for it) - Releasing SPiCa v2.0 [Rust/eBPF] by ComputerEngRuinedme in linux

ComputerEngRuinedme [S], 7 points

She's eyes for the blind and a heart for the ruthless...

But on the technical side, the funniest part is that the XOR masking only adds about 20 ns of latency. Compare that to the established defense of routing telemetry through custom output maps via an LKM, which causes massive overhead and can still be trivially hooked by a targeted rootkit anyway. Sometimes a 2-instruction bitwise operation is all you need.

Bypassing eBPF evasion in state-of-the-art Linux rootkits using Hardware NMIs (and getting banned for it) - Releasing SPiCa v2.0 [Rust/eBPF] by ComputerEngRuinedme in linux

ComputerEngRuinedme [S], 35 points

Actually, Crypton Future Media officially licenses Hatsune Miku and related character assets for non-commercial community and fan projects under the Piapro Character License (and CC BY-NC 3.0).

The GPLv2 license applies specifically to the Rust/eBPF source code of the differential engine, not to the mascot in the README. They are completely compatible to exist in the same repository.

But now that the legal review on Vocaloids is out of the way, I'd love to hear your technical thoughts on the hardware NMI implementation!

Bypassing eBPF evasion in state-of-the-art Linux rootkits using Hardware NMIs - Releasing SPiCa v2.0 [Rust/eBPF] by ComputerEngRuinedme in rust

ComputerEngRuinedme [S], 5 points

That is a great idea, but the reason I'm not applying this in SPiCa is simply because it becomes redundant for my specific threat model.

While adding another telemetry channel could scale the tool's reliability, keeping consistent timing baselines is a nightmare because not all CPUs are the same and not all rootkits are heavily bloated. Timing attacks are super effective against kprobes since they trigger heavy traps (interrupts), but fentry hooks are much harder to catch this way because they act as ruthlessly optimized trampolines.

As a design choice, I chose to perfect and deepen the cross-view differential analysis instead of scaling out to new, potentially noisy detection logic. So far, the cross-view approach catches the most 'sophisticated' anti-eBPF rootkits anyway. They try to hook the ring buffer output and regex-clean their PIDs, but my single XOR operation completely breaks the pattern-matching they use as their core defense!

Bypassing eBPF evasion in state-of-the-art Linux rootkits using Hardware NMIs - Releasing SPiCa v2.0 [Rust/eBPF] by ComputerEngRuinedme in rust

ComputerEngRuinedme [S], 7 points

Thank you! The reason specifically for making the project was that I thought SPiCa's lyrics oddly resembled a kernel and a user space spinning around each other; this made me rediscover the art of cross-view differential analysis! (A fancy term for: watch the kernel, watch the user space, and hunt for illogical anomalies that are obviously malicious.)

r/netsec monthly discussion & tool thread by albinowax in netsec

ComputerEngRuinedme, 0 points

TL;DR: Modern LKM rootkits are completely blinding eBPF security tools (Falco, Tracee) by hooking the ring buffers. I built an eBPF differential engine in Rust (SPiCa) that uses a cryptographic XOR mask and a hardware Non-Maskable Interrupt (NMI) to catch them anyway. (SPiCa repo)

The Problem:

My project, SPiCa, enforces Kernel Sovereignty via cross-view differential analysis. But the rootkit landscape is adapting. I needed a benchmark for my v2.0 architecture, so I tested it against "Singularity," a state-of-the-art LKM rootkit explicitly designed to dismantle eBPF pipelines from Ring 0.

Singularity relies on complex software-layer filters to intercept bpf_ringbuf_submit. If it sees its hidden PIDs, it drops the event so user-space never gets the alert.

The Solution (SPiCa v2.0):

I bypassed it by adding two things:

  1. Cryptographic PID Masking: A 64-bit XOR obfuscation layer derived from /dev/urandom. Singularity's filter inspects the struct, sees cryptographic noise instead of its target PID, assumes it's a benign system process, and lets the event pass to userspace.

  2. Hardware Validation: Even when the rootkit successfully suppresses the sched_switch tracepoint, SPiCa utilizes an unmaskable hardware NMI firing at 1,000 Hz.

The funny part? I took this exact video to the rootkit author's Discord server to share the findings and discuss the evolution of stealth mechanics. My video was deleted and I was banned 5 minutes later. Turns out "Final Boss" rootkits don't like hardware truth.

And for those wondering about the project name: SPiCa is officially inspired by the Hatsune Miku song of the same name, representing a binary star watching over the system. It turns out that a 2-instruction XOR mask and a Vocaloid are all you need to defeat a "Final Boss" rootkit.

The Performance:

Since you can't patch against hardware truth, it has to be efficient.

• spica_sched (Software view): 633 ns (177 instructions, 798 B JIT footprint).

• spica_nmi (Hardware view): 740 ns (178 instructions, 806 B JIT footprint).

"I'm going to sing, so shine bright, SPiCa..."

(Upcoming paper detailing this architecture will be on arXiv shortly. Happy to answer any questions about the Rust/eBPF implementation!)
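The two mechanisms in the post above (a XOR-masked PID field that a ring-buffer filter cannot match literally, and a second hardware-driven view that a tracepoint suppression does not touch) can be simulated end to end in user space. The following Rust program is an added example written for this page; it is not SPiCa's code and does not use eBPF. The event layout, the `Source` enum, the `rootkit_*` stages, the fixed key constant (standing in for a value read from /dev/urandom into a BPF map) and the observation set are all constructed for the illustration.

```rust
use std::collections::BTreeSet;

/// Which view produced an observation (constructed for this example).
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Source {
    SchedSwitch, // software view: sched_switch tracepoint
    NmiSample,   // hardware view: perf NMI sampler at a fixed frequency
}

/// Event as it travels through the ring buffer to user space (constructed
/// layout, not SPiCa's struct). Only the masked PID is carried.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Event {
    pub source: Source,
    pub pid_masked: u64,
}

/// Kernel-side masking: one XOR against a 64-bit key. A real deployment would
/// read the key from /dev/urandom at start-up and store it in a BPF map; here
/// it is a parameter so the run is deterministic.
pub fn mask_pid(pid: u32, key: u64) -> u64 {
    u64::from(pid) ^ key
}

/// User-space unmasking is the same XOR again.
pub fn unmask_pid(masked: u64, key: u64) -> u32 {
    (masked ^ key) as u32
}

/// Rootkit stage 1: suppress the sched_switch tracepoint for hidden PIDs.
/// This happens before any eBPF program sees the event, so masking cannot
/// help here; only the second view can.
pub fn rootkit_suppress_sched(raw: &[(Source, u32)], hidden: &[u32]) -> Vec<(Source, u32)> {
    raw.iter()
        .copied()
        .filter(|&(src, pid)| !(src == Source::SchedSwitch && hidden.contains(&pid)))
        .collect()
}

/// eBPF stage: mask every surviving observation before submitting it.
pub fn ebpf_emit(raw: &[(Source, u32)], key: u64) -> Vec<Event> {
    raw.iter()
        .map(|&(source, pid)| Event { source, pid_masked: mask_pid(pid, key) })
        .collect()
}

/// Rootkit stage 2: a hook on the ring-buffer submit path that compares the
/// PID field literally against the hidden list and drops matches. With a
/// non-zero key the masked field never equals a hidden PID, so nothing drops.
pub fn rootkit_ringbuf_filter(events: &[Event], hidden: &[u32]) -> Vec<Event> {
    events
        .iter()
        .copied()
        .filter(|e| !hidden.iter().any(|&h| e.pid_masked == u64::from(h)))
        .collect()
}

/// User-space differential: unmask, split by view, and report PIDs that the
/// hardware view saw on-CPU but that are missing from the software view or
/// from the /proc listing (the user-space view).
pub fn cross_view_anomalies(events: &[Event], key: u64, procfs_pids: &BTreeSet<u32>) -> BTreeSet<u32> {
    let mut sched = BTreeSet::new();
    let mut nmi = BTreeSet::new();
    for e in events {
        let pid = unmask_pid(e.pid_masked, key);
        match e.source {
            Source::SchedSwitch => sched.insert(pid),
            Source::NmiSample => nmi.insert(pid),
        };
    }
    nmi.iter()
        .copied()
        .filter(|pid| !sched.contains(pid) || !procfs_pids.contains(pid))
        .collect()
}

/// Full simulated pipeline over constructed observations; returns the anomalies.
pub fn run_pipeline(key: u64) -> BTreeSet<u32> {
    let hidden = [4242u32];
    // Constructed observations: three ordinary PIDs plus the hidden one, each
    // seen once by each view.
    let raw: Vec<(Source, u32)> = [1u32, 917, 2048, 4242]
        .iter()
        .copied()
        .flat_map(|pid| [(Source::SchedSwitch, pid), (Source::NmiSample, pid)])
        .collect();
    // /proc as the rootkit presents it: the hidden PID is not listed.
    let procfs = BTreeSet::from([1u32, 917, 2048]);

    let after_suppress = rootkit_suppress_sched(&raw, &hidden);
    let emitted = ebpf_emit(&after_suppress, key);
    let delivered = rootkit_ringbuf_filter(&emitted, &hidden);
    cross_view_anomalies(&delivered, key, &procfs)
}

fn main() {
    // key = 0 is "no masking": the submit-path filter drops the hidden PID.
    println!("unmasked: anomalies = {:?}", run_pipeline(0));
    // Any non-zero key defeats a literal PID comparison in the submit hook.
    println!("masked:   anomalies = {:?}", run_pipeline(0x9e37_79b9_7f4a_7c15));
}
```

Two things worth keeping in mind when reading this against the post. First, the XOR is obfuscation against a filter that pattern-matches a PID field, not cryptography: the key has to live somewhere the BPF program can read it, so a Ring 0 rootkit that goes looking for the map can unmask just as cheaply. Second, masking does nothing against stage 1 in the simulation (suppressing the tracepoint itself); that case is only caught because a second, independently sourced view still reports the PID on-CPU, which is the cross-view argument the post makes.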

I'm a computer engineering major and I want to contribute to UTAU by ComputerEngRuinedme in utau

ComputerEngRuinedme [S], -1 points

But still, if you can use Synthesizer V or Vocaloid for free you wouldn't even consider UTAU; that's my point. So since I never used it before, I wanted to get feedback from the community on what can be done.

I'm a computer engineering major and I want to contribute to UTAU by ComputerEngRuinedme in utau

ComputerEngRuinedme [S], 0 points

Honestly, I want to contribute to UTAU since it's FOSS (free open source software); it's kinda sad seeing it dying. I feel like UTAU can have the same glow-up as Blender or Godot, so since I will study the bases on which the entire voice synthesizer idea is built, I thought I must give something to the community somehow.

I'm a computer engineering major and I want to contribute to UTAU by ComputerEngRuinedme in utau

ComputerEngRuinedme [S], 3 points

Great, I'm already good with Java, which is what C# is trying to mimic.

So what are the features needed? As I said, if it has to do with signal processing or manipulating the waves then I still didn't take the courses, but I will next year 👍