Linux.Midrashim: Assembly x64 ELF virus

15 minute read Published:

x64 ELF virus written in Assembly
Overview My interest in Assembly language started when I was a kid, mainly because of computer viruses of the DOS era. I’ve spent countless hours contemplating my first humble collection of source codes and samples (you can find it at and to me, it’s cool how flexible and creative one can get with Assembly, even if its learning curve is steep. I’m an independant malware researcher and wrote this virus to learn and have fun, expanding my knowledge on the several ELF attack/defense techniques and Assembly in general.

Having fun with ANSI codes and x64 Linux Assembly

9 minute read Published:

Using ANSI escape codes with x64 Linux Assembly for command line fun
Overview How can one not find command line art amusing? Specially when we are talking about computer viruses and even more so when referencing MS-DOS ones. The 16 bit era gave us some of the most interesting computer virus payloads of all time, but achieving something like this today is not as “trivial” anymore. As Linux is my OS of choice, I wanted to find something that could get close to these MS-DOS fun payloads for my own modern viruses, and, while it’s possible to write directly to the framebuffer, I wanted to try something related to terminal emulators instead.

Running ELF executables from memory

7 minute read Published:

Executing ELF binary files from memory with memfd_create syscall
Something that always fascinated me was running code directly from memory. From Process Hollowing (aka RunPE) to PTRACE injection. I had some success playing around with it in C in the past, without using any of the previous mentioned methods, but unfortunately the code is lost somewhere in the forums of VXHeavens (sadly no longer online) but the code was buggy and worked only with Linux 32bit systems (I wish I knew about shm_open back then, which is sort of an alternative for the syscall we are using in this post, mainly targeting older systems where memfd_create is not available).