Awesome
Awesome ELF Resources
┌───────────────────────┐
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ │
│ █ █ █ █ █ █ │
│ █ █ █ █ █▀▀▀▀ │
│ █ █ █ █ ▄ │
│ ▄▄▄▄▄ │
│ █ █ │
│ █ █ │
│ █▄▄▄█ │
│ ▄ ▄ │
│ █ █ │
│ █ █ │
│ █▄▄▄█ │
│ ▄▄▄▄▄ │
│ █ │
│ █ │
└───────────────────█ ──┘
TMP.0UT stands on the shoulders of giants, and we lend a hand for the next generation of giants to stand on ours.
This repo contains an appendix of resources and links to our own work and the work of others.
If you see your work cited here and would like us to credit in a more specific way, please let us know!
A collection of awesome ELF resources
Your contributions are always welcome !
Awesome Repositories
ELF binary format
-
Amos on ELF packers
-
Aprodu Andrei Ciprian and ELF linking process
-
Brian Raiter's essays on tiny ELF (1999)
-
Bx and the ELF metadata
-
David Smith and Handmade ELFs
-
elfmaster and everything about ELF
- ELF shared library injection forensics
- Secure ELF parsing/loading library
- ... and examples
- Transform vmlinuz into a fully debuggable vmlinux that can be used with /proc/kcore
- fork-trace
- extended core file snapshot format and exec
- Obfuscates dynamic symbol table
- ftrace and new ftrace
- hidden process /bin/ps
- davinci
- sherlocked
-
Ignacio Sanmillan / Paul Litvak and ELF 101
-
Ignat Korchagin and object files
-
Keith Makan ELF Format Series
- Introduction to the ELF Format (Part I): The ELF Header
- Introduction to the ELF Format (Part II): Understanding Program Headers
- Introduction to the ELF Format (Part III): The Section Headers
- Introduction to the ELF Format (Part IV): Exploring Section Types and Special Sections
- Introduction to the ELF Format (Part V): Understanding C start up .init_array and .fini_array sections
- Introduction to the ELF Format (Part VI): The Symbol Table and Relocations (1)
- Introduction to the ELF Format (Part VI): The Symbol Table and Relocations (2)
- Introduction to the ELF Format (Part VI): More Relocation tricks - r_addend execution (3)
- Introduction to the ELF Format (Part VII): Dynamic Linking / Loading and the .dynamic section
-
Manu Garg and ELF Auxiliary Vectors
-
MaskRay and ELF interposition
-
netspooky and ELF Binary Mangling
-
Orlando Padilla and binary parsers
-
Patrick Horgan and main()
-
Robin Hoksbergen and Manually Creating An ELF
-
Samuel A. Falvo II and ELF
-
Tools
- BioDiff - hex diff viewer
- clodl: self-contained dynamic libraries
- d0zer - ELF infector written in Go
- elfcat - ELF visualizer
- Embuche - Anti reverse compiling tool
- Hellf - ELF patching lib in Python
- Hexyl - hexdumper with colors
- lief
- Macaw - binary analysis framework(ELF/DWARF/more)
- PatchELF - a simple utility for modifying existing ELF executables and libraries
- PLTHook - utility library to hook library function calls
- StaticX
- The Backdoor Factory
- xELFViewer - ELF file viewer
- pyelftools - Parsing ELF and DWARF in Python
- GNU poke - an interactive, extensible editor for binary data
- fq - jq for binary formats
- ImHex - a hex editor for reverse engineers
- Binsider
- Binsider is a TUI tool written in Rust that can perform static and dynamic analysis, inspect strings, examine linked libraries, and perform hexdumps.
ELF VX technology
-
TMZ
-
elfmaster and ELF vx
-
Peter Ferrie and Flibi
-
Shane tully on ELF vx
-
Shreyansh Singh and ELF-Miner
-
TheXcellerator and Linux Rootkits
- Linux Rootkits Part 1: Introduction and Workflow
- Linux Rootkits Part 2: Ftrace and Function Hooking
- Linux Rootkits Part 3: A Backdoor to Root
- Linux Rootkits Part 4: Backdooring PRNGs by Interfering with Char Devices
- Linux Rootkits Part 5: Hiding Kernel Modules from Userspace
- Linux Rootkits Part 6: Hiding Directories
- Linux Rootkits Part 7: Hiding Processes
- Linux Rootkits Part 8: Hiding Open Ports
- Linux Rootkits Part 9: Hiding Logged In Users (Modifying File Contents Without Touching Disk)
- Fancy Bear’s a Lumberjack and It’s Okay - A Dive into the Kernel Component of Drovorub
- Linux Rootkits: New Methods for Kernel 5.7+
-
PoC executable packer that does not use any custom code to unpack binaries at execution time
-
perljam.pl: A Perl x64 ELF virus by isra
-
stelf-loader: stealthy ELF loader - no files, no execve, no RWX
-
Offensive capabilities of eBPF and implementation of a rootkit
-
debugoff - linux anti-debugging and anti-analysis rust library
-
ELF Binaries: One Algorithm to Infect Them All (VXUG Black Mass Volume II)
-
grugq & scut: Armouring the ELF: Binary encryption on the UNIX platform
-
sblip & elfmaster: Secure Code Partitioning With ELF binaries, aka. SCOP (mirror)
ELF header hacks
Debugging Formats
-
DWARF
-
Compact C Type Format
-
Oops Rewind Capability (ORC)
Programming
- The Art of Assembly Programming Language
- Bit twiddling hacks
- Intel® 64 and IA-32 Instruction Set Reference
- Process name stomping
- System call reference tables for x86, x64, arm and arm64
- API for system call references for x86, x64, arm and arm64
- Writing C software without the standard library [Linux Edition] - Franc[e]sco's Gopherspace
Reverse Engineering and Detection
- Intezer Labs and malware analysis
- Lucas Galante + Marcus Botacin and (malware/goodware) binary classification
- Ghidra Patch Diffing
- drgn - a powerful and flexible debugger
- Towards Optimal Use of Exception Handling Information for Function Detection
- Reverse Engineering Ebpfkit Rootkit With BlackBerry's Enhanced IDA Processor Tool
- UPX Recovery Tool
- Userland rootkits are lame
- OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow
- elfmaster: Arcana ElfScan
- ESET: Ebury is alive but unseen
ELF Challs and CTFs
- Crack The ELF! by s0lden
Misc
- vxer.io (vxheaven successor)
- ANSIWAVE BBS
- PageBuster
- vx-underground heaven
- WIZARD BIBLE (in Japanese)
- Second Part To Hell
- Lotus 1-2-3 for Linux
- The Decompilation wiki
Polyglots
- αcτµαlly pδrταblε εxεcµταblε
- Architecture Spanning Shellcode
- Doublethink – 8-Architecture Assembly Polyglot
- Polyglottar, an ISO+TAR+ELF polyglot
- tweetable-polyglot-png
Linker Script Tutorials
- Everything You Never Wanted To Know About Linker Script
- Linker Script Guide
- Most Commented Linker Script in the World
macOS - General
macOS - Mach-O binary format
- Mach-O architecture
- Mach-O file builders
- Exploring the Mach-O (4 part series of blogposts)
- Understanding the Mach-O file format
- Mach-O file format reference
macOS - APFS
macOS - Official Apple resources
macOS - Mac-related blogs
- Patrick Wardle Objective-See Blog
- Pedro Vilaca Reverse Engineering
- Howard Oakley (@howardnoakley) - The Eclectic Light Company – Macs, paintings and more
- Jeff Johnson (@lapcatsoftware) - The Desolation of Blog
- Wojciech Reguła (@_r3ggi) Blog
- Scott Knight (@sdotknight) - Reverse engineering and debugging
- Zhi Zhou (@CodeColorist) Blog
- Kai Lu (@K3vinLuSec) - Fortinet’s macOS posts
- Jaron Bradley (@jbradley89) - The Mitten Mac – Mac Incident Response and Threat Hunting
- Cody Thomas (@itsa_feature) – Medium
- Adam Chester (@xpn) Blog
- Alex Plaskett (@alexjplaskett) - Blog
- George Johnson (@GeoSn0w) – Blog
- Harry Moulton (@h3adsh0tzz) - Blog
- Sarah Edwards (@iamevltwin) - Blog
- Saagar Jha - Blog
- LockBoxx (@1njection) - macOS Post Collection
- Brandon Azad (@_bazad) - Blog
- Google Project Zero Bug Tracker - Apple
- Cedric Owens (@cedowens) – Medium
- Christopher Ross (@xorrior) – Medium
- Richie Cyrus (@rrcyrus) – Medium
- Phil Stokes (@philofishal) - SentinelOne
- Jakob Rieck (0xdead10cc) - Blog
- Csaba Fitzl (@theevilbit) - Blog