TMZ Lair - Underground Coding

More fun with ELF files and GoLang - Code Caves

2 minute read Published:

Finding code caves in ELF binaries with GoLang
A code cave is a piece of code that is written to a process's memory by another program. The code can be executed by creating a remote thread within the target process. The Code cave of a code is often a reference to a section of the code’s script functions that have capacity for the injection of custom instructions. For example, if a script’s memory allows for 5 bytes and only 3 bytes are used, then the remaining 2 bytes can be used to add external code to the script.

Linux.Cephei: a Nim virus

3 minute read Published:

Simple prepender virus written in Nim
Nim is a systems and applications programming language. It has nice features such as producing dependency-free binaries, running on a huge list of operating systems and architectures and compiling to C, C++ or JavaScript. I’ve been messing with it for a while and I am very pleased with it. To be honest, Nim and Go have been my choices when I need to start a new project (goodbye Python, at least for now).

From Ghost To Hugo (with Netlify)

3 minute read Published:

Migrating blog from Ghost to Hugo with some nice extra touches.
For a while now I have been thinking in migrating this blog to Hugo (from Ghost), mainly because I wanted save 10 bucks a month that were being spent on my DigitalOcean VPS that I was using to run the website (with Docker + Nginx + Let’s Encrypt SSL). DigitalOcean is great, but I simply lack the time to manage the installation, updating the OS, updating Ghost itself, renewals of the SSL certificate, etc.

Having fun with ELF files and GoLang

2 minute read Published:

Opening ELF files with GoLang
Now I will show how GoLang interacts with ELF files in a generic example. You could look further into the native module here. I do recommend reading it, I am using some bits of code extracted directly from the module source. It is basically the same idea as the PE, similar module. You can extend it depending on your needs. Here you go. package main import ( "fmt" "io" "os" "debug/elf" ) func check(e error) { if e !

Having fun with PE files and GoLang

2 minute read Published:

Opening PE files with GoLang
New blog design, new post. Today I will show how GoLang interacts with PE files in a generic example. You could look further into the native module here or even check its source code here. I do recommend reading it, I am using some bits of code extracted directly from the module source. Here you go. package main import ( "fmt" "debug/pe" "os" "io" "encoding/binary" ) func check(e error) { if e !

Win32.Liora.B

5 minute read Published:

Windows version of Linux.Liora
So I decided to port my Linux.Liora (https://github.com/guitmz/go-liora) Go infector to Win32 and it worked great. Minor tweaks were needed in the code, you can run a diff between both and check it out. EDIT: Fixed the PE verification routine, it checks for a proper PE file now. Thanks hh86! Virus source: /* * Win32.Liora.B - This is a POC PE prepender written in Go by TMZ (2015). * * Win32.