GasparVardanyan/awesome-elf

Awesome ELF Resources

                       ┌───────────────────────┐                            
                       ▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄       │                            
                       │ █   █ █ █ █   █       │                            
                       │ █   █ █ █ █▀▀▀▀       │                            
                       │ █   █   █ █     ▄     │                            
                       │                 ▄▄▄▄▄ │                            
                       │                 █   █ │                            
                       │                 █   █ │                            
                       │                 █▄▄▄█ │                            
                       │                 ▄   ▄ │                            
                       │                 █   █ │                            
                       │                 █   █ │                            
                       │                 █▄▄▄█ │                            
                       │                 ▄▄▄▄▄ │                            
                       │                   █   │                            
                       │                   █   │                            
                       └───────────────────█ ──┘ 

TMP.0UT stands on the shoulders of giants, and we lend a hand for the next generation of giants to stand on ours.

This repo contains an appendix of resources and links to our own work and the work of others.

If you see your work cited here and would like us to credit in a more specific way, please let us know!

A collection of awesome ELF resources

Your contributions are always welcome !

Awesome Repositories

ELF binary format

• Amos on ELF packers

  • Making your own executable packer - 18 part series

• Aprodu Andrei Ciprian and ELF linking process

  • Interactive Exploration of the Process of Linking Executables
  • ELF_Detective

• Brian Raiter's essays on tiny ELF (1999)

  • Guide about creating tiny ELF
  • Return 42 collection
  • Usefull tiny programs

• Bx and the ELF metadata

  • Returning from ELF to Libc by Bx
  • “Weird Machines” in ELF by Bx

• David Smith and Handmade ELFs

  • Handmade Linux x86 executables

• Robin Hoksbergen and Manually Creating An ELF

  • Manually Creating An ELF Executable

• elfmaster and everything about ELF

  • ELF shared library injection forensics
  • Secure ELF parsing/loading library
  • ... and examples
  • Transform vmlinuz into a fully debuggable vmlinux that can be used with /proc/kcore
  • fork-trace
  • extended core file snapshot format and exec
  • Obfuscates dynamic symbol table
  • ftrace and new ftrace
  • hidden process /bin/ps
  • davinci
  • sherlocked

• Ignacio Sanmillan / Paul Litvak and ELF 101

  • Executable and Linkable Format 101 - Part 1 Sections and Segments
  • Executable and Linkable Format 101. Part 2: Symbols
  • Executable and Linkable Format 101 Part 3: Relocations
  • Executable and Linkable Format 101 Part 4: Dynamic Linking

• Ignat Korchagin and object files

  • How to execute an object file: Part 1
  • How to execute an object file: Part 2
  • How to execute an object file: Part 3

• Manu Garg and ELF Auxiliary Vectors

  • About ELF Auxiliary Vectors

• MaskRay and ELF interposition

  • ELF interposition and -Bsymbolic

• netspooky and ELF Binary Mangling

  • ELF Binary Mangling Part 1: Concepts
  • Elf Binary Mangling Pt. 2: Golfin'
  • Elf Binary Mangling Pt. 3: Weaponization
  • Elf Binary Mangling Pt. 4: Limit Break

• Orlando Padilla and binary parsers

  • Analyzing Common Binary Parser Mistakes

• Patrick Horgan and main()

  • How the heck do we get to main()?

• Samuel A. Falvo II and ELF

  • On ELF, Part 1
  • On ELF, Part 2

• Tools

  • BioDiff - hex diff viewer
  • clodl: self-contained dynamic libraries
  • d0zer - ELF infector written in Go
  • elfcat - ELF visualizer
  • Embuche - Anti reverse compiling tool
  • Hellf - ELF patching lib in Python
  • Hexyl - hexdumper with colors
  • lief
  • Macaw - binary analysis framework(ELF/DWARF/more)
  • PatchELF - a simple utility for modifying existing ELF executables and libraries
  • PLTHook - utility library to hook library function calls
  • StaticX
  • The Backdoor Factory
  • xELFViewer - ELF file viewer

ELF VX technology

• TMZ

  • Linux.Midrashim: Assembly x64 ELF virus
  • Linux.Nasty: Assembly x64 ELF virus
  • Ezuri: Linux ELF Runtime Crypter
  • Running ELF executables from memory
  • Linux.Fe2O3: a Rust virus
  • Linux.Cephei: a Nim virus
  • Linux.Liora: a Go virus
  • Linux.Zariche: a Vala virus

• elfmaster and ELF vx

  • Devestating and awesome Linux X86_64 ELF Virus
  • ELF Shared library injector using DT_NEEDED precedence infection
  • SCOP ELF vx
  • Saruman - ELF anti-forensics exec
  • AV prototype - 32bit
  • LK rootkit

• Intezer Labs and malware analysis

  • ELF Malware Analysis 101: Linux Threats No Longer an Afterthought
  • ELF Malware Analysis 101 Part 2: Initial Analysis
  • ELF Malware Analysis 101: Part 3 - Advanced Analysis

• Lucas Galante + Marcus Botacin and (malware/goodware) binary classification

  • Forseti
  • Machine Learning for Malware Detection

• Peter Ferrie and Flibi

  • FLIBI: EVOLUTION
  • FLIBI: RELOADED

• Shane tully on ELF vx

  • Writing a Self-Mutating x86_64 C Program

• Shreyansh Singh and ELF-Miner

  • Paper: ELF-Miner: using structural knowledge and data mining methods to detect new (Linux) malicious executables
  • Code

• TheXcellerator and Linux Rootkits

  • Linux Rootkits Part 1: Introduction and Workflow
  • Linux Rootkits Part 2: Ftrace and Function Hooking
  • Linux Rootkits Part 3: A Backdoor to Root
  • Linux Rootkits Part 4: Backdooring PRNGs by Interfering with Char Devices
  • Linux Rootkits Part 5: Hiding Kernel Modules from Userspace
  • Linux Rootkits Part 6: Hiding Directories
  • Linux Rootkits Part 7: Hiding Processes
  • Linux Rootkits Part 8: Hiding Open Ports
  • Linux Rootkits Part 9: Hiding Logged In Users (Modifying File Contents Without Touching Disk)
  • Fancy Bear’s a Lumberjack and It’s Okay - A Dive into the Kernel Component of Drovorub
  • Linux Rootkits: New Methods for Kernel 5.7+

• Becoming a rat in your system

• Kernel mode hooking [EN]

• Last Digital Common Ancestor (LDCA)

• (nearly) Complete Linux Loadable Kernel Modules

• Reflections on Trusting Trust

• Static linked ELF infecting

ELF header hacks

DWARF stuff

PROGRAMMING

• The Art of Assembly Programming Language
• Bit twiddling hacks
• Intel® 64 and IA-32 Instruction Set Reference
• System call reference tables for x86, x64, arm and arm64
• API for system call references for x86, x64, arm and arm64

MISC

• vxer.io (vxheaven successor)
• ANSIWAVE BBS
• PageBuster
• vx-underground heaven
• WIZARD BIBLE (in Japanese)

Polyglots

• αcτµαlly pδrταblε εxεcµταblε
• Architecture Spanning Shellcode
• Doublethink – 8-Architecture Assembly Polyglot
• tweetable-polyglot-png

Linker Script Tutorials

• Everything You Never Wanted To Know About Linker Script
• Linker Script Guide
• Most Commented Linker Script in the World