Elf

More fun with ELF files and GoLang - Code Caves

2 minute read Published:

Finding code caves in ELF binaries with GoLang
A code cave is a run of unused bytes inside an executable, most often the padding the linker leaves between the end of a section's real contents and the next alignment boundary. Because those bytes already sit in a region the loader maps as executable, custom instructions can be written there and execution redirected to them without growing the file or changing its section layout, which is what makes caves attractive to packers, infectors and anyone patching a binary in place. The classic illustration: if a section has room for 5 bytes and only 3 are used, the remaining 2 bytes are a (tiny) code cave.

Linux.Cephei: a Nim virus

3 minute read Published:

Simple prepender virus written in Nim
Nim is a systems and applications programming language. It has nice features such as producing dependency-free binaries, running on a huge list of operating systems and architectures and compiling to C, C++ or JavaScript. I’ve been messing with it for a while and I am very pleased with it. To be honest, Nim and Go have been my choices when I need to start a new project (goodbye Python, at least for now).

Having fun with ELF files and GoLang

2 minute read Published:

Opening ELF files with GoLang
Now I will show how GoLang interacts with ELF files in a generic example. You could look further into the native debug/elf module here. I do recommend reading it, since I am using some bits of code extracted directly from the module source. It is basically the same idea as the PE post, as debug/pe is a similar module. You can extend it depending on your needs. Here you go.

    package main

    import (
    	"fmt"
    	"io"
    	"os"
    	"debug/elf"
    )

    func check(e error) {
    	if e != nil {
    		panic(e)
    	}
    }
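Both the code-cave search from the "More fun with ELF files and GoLang - Code Caves" post above and the generic open-and-inspect example this post introduces come down to the same debug/elf calls, so here is one added, self-contained example that serves both. It is my own code, not code from either post or from the debug/elf module: it builds a minimal 64-bit ELF image in memory (a constructed sample, not a real binary), parses it with elf.NewFile, lists the header and sections, and then scans the executable sections for runs of unused zero bytes that would serve as code caves. The sample instruction bytes, the 5-byte minimum cave size and the names Cave, FindCaves, Summarize, SampleText and BuildSampleELF are my choices.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"strings"
)

// Cave is a run of unused zero bytes at file offset Offset inside section Section.
type Cave struct {
	Section      string
	Offset, Size uint64
}

// findZeroRuns returns (start, length) for every run of at least minLen zero bytes in data.
func findZeroRuns(data []byte, minLen int) [][2]int {
	var runs [][2]int
	for i := 0; i < len(data); {
		n := 0
		for i+n < len(data) && data[i+n] == 0 {
			n++
		}
		if n >= minLen { // shorter runs are usually instruction operands, not free space
			runs = append(runs, [2]int{i, n})
		}
		i += n + 1 // skip the run and the non-zero byte that ended it
	}
	return runs
}

// FindCaves scans each executable section backed by file bytes (SHF_EXECINSTR set, not SHT_NOBITS).
func FindCaves(f *elf.File, minLen int) ([]Cave, error) {
	var caves []Cave
	for _, s := range f.Sections {
		if s.Type == elf.SHT_NOBITS || s.Flags&elf.SHF_EXECINSTR == 0 {
			continue
		}
		data, err := s.Data()
		if err != nil {
			return nil, fmt.Errorf("reading %s: %w", s.Name, err)
		}
		for _, r := range findZeroRuns(data, minLen) {
			caves = append(caves, Cave{s.Name, s.Offset + uint64(r[0]), uint64(r[1])})
		}
	}
	return caves, nil
}

// Summarize returns one line for the ELF header and one per section: the generic "open it and look" part.
func Summarize(f *elf.File) []string {
	out := []string{fmt.Sprintf("%s %s %s %s entry=%#x segments=%d", f.Class, f.Data, f.Type, f.Machine, f.Entry, len(f.Progs))}
	for _, s := range f.Sections {
		out = append(out, fmt.Sprintf("%-10q %s %s off=%#x size=%#x", s.Name, s.Type, s.Flags, s.Offset, s.Size))
	}
	return out
}

// SampleText (constructed input): x86-64 "mov eax,60; xor edi,edi; syscall" zero-padded to 32 bytes; the immediate 60 holds 3 zero bytes that are NOT free, the 23-byte tail is.
func SampleText() []byte {
	code := []byte{0xb8, 0x3c, 0x00, 0x00, 0x00, 0x31, 0xff, 0x0f, 0x05}
	return append(code, make([]byte, 32-len(code))...)
}

// BuildSampleELF assembles a minimal ELF64 LSB image in memory (a constructed sample, not a real
// binary): ELF header, one R+X PT_LOAD segment, and the sections [null, .text, .shstrtab].
func BuildSampleELF(text []byte) []byte {
	const ehSize, phSize, shSize = 64, 56, 64
	shstrtab := []byte("\x00.text\x00.shstrtab\x00")
	textOff, strOff := uint64(ehSize+phSize), uint64(ehSize+phSize+len(text))
	shOff := (strOff + uint64(len(shstrtab)) + 7) &^ 7 // the section table is 8-byte aligned
	hdr := elf.Header64{
		Ident: [16]byte{0x7f, 'E', 'L', 'F', byte(elf.ELFCLASS64), byte(elf.ELFDATA2LSB), byte(elf.EV_CURRENT)},
		Type:  uint16(elf.ET_EXEC), Machine: uint16(elf.EM_X86_64), Version: uint32(elf.EV_CURRENT), Entry: 0x400000 + textOff,
		Phoff: ehSize, Shoff: shOff, Ehsize: ehSize, Phentsize: phSize, Phnum: 1, Shentsize: shSize, Shnum: 3, Shstrndx: 2,
	}
	seg := elf.Prog64{Type: uint32(elf.PT_LOAD), Flags: uint32(elf.PF_R | elf.PF_X),
		Vaddr: 0x400000, Paddr: 0x400000, Filesz: strOff, Memsz: strOff, Align: 0x1000}
	secs := []elf.Section64{
		{}, // index 0 is the mandatory null section
		{Name: 1, Type: uint32(elf.SHT_PROGBITS), Flags: uint64(elf.SHF_ALLOC | elf.SHF_EXECINSTR),
			Addr: 0x400000 + textOff, Off: textOff, Size: uint64(len(text)), Addralign: 16},
		{Name: 7, Type: uint32(elf.SHT_STRTAB), Off: strOff, Size: uint64(len(shstrtab)), Addralign: 1},
	}
	pad := make([]byte, int(shOff-strOff)-len(shstrtab))
	var buf bytes.Buffer
	for _, part := range []interface{}{hdr, seg, text, shstrtab, pad, secs} {
		binary.Write(&buf, binary.LittleEndian, part) // every part is fixed-size, so Write cannot fail
	}
	return buf.Bytes()
}

func main() {
	f, err := elf.NewFile(bytes.NewReader(BuildSampleELF(SampleText()))) // elf.Open(path) for a real file
	if err != nil {
		panic(err)
	}
	caves, err := FindCaves(f, 5)
	fmt.Printf("%s\ncaves: %+v (err: %v)\n", strings.Join(Summarize(f), "\n"), caves, err)
}
```

Two caveats a practitioner would want: a run of zeros inside .text is not automatically free space (the mov eax, 60 encoding in the sample contains three zero bytes that belong to the instruction, which is why the minimum length matters and why a real scan should cross-check candidate ranges against the symbol table before writing anything there), and bytes in a cave only execute if they fall inside a PT_LOAD segment mapped with PF_X, which the sample's single R+X segment guarantees but a real binary needs to be checked for.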

Linux.Liora: a Go virus

5 minute read Published:

Simple prepender virus written in GoLang
So this guy asks me in a job interview last week "Have you ever developed in Go?" and well, what's better for learning a language than writing a prepender (probably a lot of things, but don't kill my thrill)? There you have it, probably the first ever binary infector written in GoLang (SPTH LIP hxxp://spth.virii.lu/LIP.html "outdately" confirms that; replace hxxp with http, this website is wrongly classified as malicious by some security tools).

Linux.Zariche: a Vala virus

9 minute read Published:

Simple prepender virus written in Vala
Vala is an object-oriented programming language with a self-hosting compiler that generates C code and uses the GObject type system. Vala is syntactically similar to C#, and rather than being compiled directly to assembly or to another intermediate language, Vala is source-to-source compiled to C, which is then compiled with the platform's standard C compiler, such as GCC. You can also write VAPI files, which are basically bindings that declare native C (not C++) functions so you can call them from Vala code (I will show an example later).