Small proof of concept to show how easy it is to break static compilation of binaries with gcc, and also execution of popular statically compiled programs, such as sash. By default, gccfk also breaks execution of nasm, since nasm is used to compile assembly.
gccfk can coexist with LD_PRELOAD malware to prevent detection/removal by use of statically compiled C programs. You can add your own blacklisted programs in gccfk.c @ static char blacklisted_progs.
# ./install.sh
That's it.
Any shells opened subsequent to installing gccfk will be unable to run sash, nasm, and will be unable to compile C source files with the "-static" flag.
# chattr -ia /etc/ld.so.preload && rm /etc/ld.so.preload /lib/gccfk.so
Statically compiling programs is the opposite of dynamically compiling programs. Statically compiled programs don't load any userland libraries, which the LD_PRELOAD attack relies on, and instead just call machine and kernel specific system calls.
Statically or dynamically compiled binaries don't matter when it comes to the kernel, so any system calls manipulated on a kernel level won't change regardless of binary compilation.
Python os.exec* functions
Any function that isn't execve will be able to do everything normally, since gccfk by default doesn't hook the other exec* functions, due to this just being a proof of concept.