Malware

Linux.Midrashim: Assembly x64 ELF virus

15 minute read Published:

x64 ELF virus written in Assembly
Overview My interest in Assembly language started when I was a kid, mainly because of computer viruses of the DOS era. I’ve spent countless hours contemplating my first humble collection of source codes and samples (you can find it at https://github.com/guitmz/virii) and to me, it’s cool how flexible and creative one can get with Assembly, even if its learning curve is steep. I’m an independant malware researcher and wrote this virus to learn and have fun, expanding my knowledge on the several ELF attack/defense techniques and Assembly in general.

Linux.Fe2O3: a Rust virus

4 minute read Published:

Simple prepender virus written in Rust
Overview Everytime I try to learn a new programming language, I try by port my prependers (Linux.Zariche, Linux.Liora, Linux.Cephei). Despite the code simplicity , it gives me the chance to understand very useful things in a language, like error handling, file i/o, encryption, memory and a few of its core libraries. This time, Rust is the language and I must say that I was impressed by its compiler and error handling, but the syntax is still not 100% clear to me (as you can see from my rudimentar code in Linux.

Linux ELF Runtime Crypter

5 minute read Published:

Ezuri: A Simple Linux ELF Runtime Crypter Using memfd_create Syscall
"Even for Elves, they were stealthy little twerps. They'd taken our measure before we'd even seen them." — Marshall Volnikov Last month I wrote a post about the memfd_create syscall and left some ideas in the end. Today I’m here to show an example of such ideas implemented in an ELF runtime crypter (kinda lame, I know, but good for this demonstration). What is it? Glad you asked.

Running ELF executables from memory

7 minute read Published:

Executing ELF binary files from memory with memfd_create syscall
Something that always fascinated me was running code directly from memory. From Process Hollowing (aka RunPE) to PTRACE injection. I had some success playing around with it in C in the past, without using any of the previous mentioned methods, but unfortunately the code is lost somewhere in the forums of VXHeavens (sadly no longer online) but the code was buggy and worked only with Linux 32bit systems (I wish I knew about shm_open back then, which is sort of an alternative for the syscall we are using in this post, mainly targeting older systems where memfd_create is not available).

More fun with ELF files and GoLang - Code Caves

2 minute read Published:

Finding code caves in ELF binaries with GoLang
A code cave is a piece of code that is written to a process's memory by another program. The code can be executed by creating a remote thread within the target process. The Code cave of a code is often a reference to a section of the code’s script functions that have capacity for the injection of custom instructions. For example, if a script’s memory allows for 5 bytes and only 3 bytes are used, then the remaining 2 bytes can be used to add external code to the script.

Win32.Liora.B

5 minute read Published:

Windows version of Linux.Liora
So I decided to port my Linux.Liora (https://github.com/guitmz/go-liora) Go infector to Win32 and it worked great. Minor tweaks were needed in the code, you can run a diff between both and check it out. EDIT: Fixed the PE verification routine, it checks for a proper PE file now. Thanks hh86! Virus source: /* * Win32.Liora.B - This is a POC PE prepender written in Go by TMZ (2015). * * Win32.