Ezuri: A Simple Linux ELF Runtime Crypter Using memfd_create Syscall
"Even for Elves, they were stealthy little twerps. They'd taken our measure before we'd even seen them." — Marshall Volnikov Last month I wrote a post about the memfd_create syscall and left some ideas in the end. Today I’m here to show an example of such ideas implemented in an ELF runtime crypter (kinda lame, I know, but good for this demonstration).
What is it? Glad you asked.
Executing ELF binary files from memory with memfd_create syscall
Something that always fascinated me was running code directly from memory. From Process Hollowing (aka RunPE) to PTRACE injection. I had some success playing around with it in C in the past, without using any of the previous mentioned methods, but unfortunately the code is lost somewhere in the forums of VXHeavens (sadly no longer online) but the code was buggy and worked only with Linux 32bit systems (I wish I knew about shm_open back then, which is sort of an alternative for the syscall we are using in this post, mainly targeting older systems where memfd_create is not available).
A simple GTK weather indicator written in Go because why not.
Recently I started using Openbox as my WM again (after a long time with KDE, the nostalgia hit me). After I had everything working as I wanted to, I noticed the lack of a weather indicator in my systray.
Usually, the desktop environments I have used (Gnome, KDE, Mate) have some sort of applet for this included and I really never bothered (when I was using Openbox before, I had some hacky script that would display the weather in my tint2, but I can’t find it anymore).
A code cave is a piece of code that is written to a process's memory by another program. The code can be executed by creating a remote thread within the target process. The Code cave of a code is often a reference to a section of the code’s script functions that have capacity for the injection of custom instructions. For example, if a script’s memory allows for 5 bytes and only 3 bytes are used, then the remaining 2 bytes can be used to add external code to the script.
Now I will show how GoLang interacts with ELF files in a generic example. You could look further into the native module here. I do recommend reading it, I am using some bits of code extracted directly from the module source.
It is basically the same idea as the PE, similar module. You can extend it depending on your needs.
Here you go.
package main import ( "fmt" "io" "os" "debug/elf" ) func check(e error) { if e !
New blog design, new post.
Today I will show how GoLang interacts with PE files in a generic example. You could look further into the native module here or even check its source code here. I do recommend reading it, I am using some bits of code extracted directly from the module source.
Here you go.
package main import ( "fmt" "debug/pe" "os" "io" "encoding/binary" ) func check(e error) { if e !