{"id":13640522,"url":"https://github.com/ex0dus-0x/ward","last_synced_at":"2025-08-15T03:32:02.612Z","repository":{"id":118784478,"uuid":"283902814","full_name":"ex0dus-0x/ward","owner":"ex0dus-0x","description":"Simple ELF runtime packer for creating self-protecting binaries","archived":false,"fork":false,"pushed_at":"2023-08-16T22:59:16.000Z","size":112,"stargazers_count":17,"open_issues_count":1,"forks_count":2,"subscribers_count":4,"default_branch":"main","last_synced_at":"2024-11-09T10:39:12.959Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://codemuch.tech/2021/04/28/unpacking-in-memory-malware/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ex0dus-0x.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2020-07-31T00:13:40.000Z","updated_at":"2024-11-02T19:17:20.000Z","dependencies_parsed_at":null,"dependency_job_id":"29c6e982-375e-4960-aabb-17ccbe293a78","html_url":"https://github.com/ex0dus-0x/ward","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ex0dus-0x%2Fward","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ex0dus-0x%2Fward/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ex0dus-0x%2Fward/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ex0dus-0x%2Fward/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ex0dus-0x","download_url":"https://codeload.github.com/ex0dus-0x/ward/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":229890095,"owners_count":18140042,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T01:01:12.002Z","updated_at":"2024-12-15T23:45:03.650Z","avatar_url":"https://github.com/ex0dus-0x.png","language":"Go","funding_links":[],"categories":["Anti Cheat",":package: Packers"],"sub_categories":["After 2010"],"readme":"# ward\n\nELF runtime packer for creating self-protecting binaries\n\n## intro\n\nThis is a simple implementation of an ELF packer that creates stealthy droppers for loading\nmalicious ELFs in-memory. Useful for red teamers trying to proliferate a payload while evading\ndetection.\n\n## features\n\n* Stealthy - payload is injected in ELF format, and loaded through `memfd`-based execution\n* Zlib compression for packed executables\n* Anti-tampering with code injection prevention\n\n## how it works\n\n__ward__ compresses a target ELF executable and injects it into a stub program,\nwhich uses a modified `PT_NOTE` infection technique to execute it in-memory with `memfd_create`\nand `fexec`.\n\nFor instance, run __ward__ on a copy of `ls`:\n\n```\n$ ward ./ls\n2021/04/14 20:26:07 Starting up ward\n2021/04/14 20:26:07 Checking if valid ELF binary\n2021/04/14 20:26:07 Provisioning stub program for packing\n2021/04/14 20:26:07 Packing original executable into stub ./ls\n2021/04/14 20:26:07 Finding PT_NOTE segment for injecting metadata\n2021/04/14 20:26:07 Offset: 828304 Size: 141936\n2021/04/14 20:26:07 Writing (not yet encoded) ELF to stub\n2021/04/14 20:26:07 Done! Find the packed application at /home/alan/Code/ward/ls.packed\n```\n\nWhen you execute it now, the stub program will read the compressed executable from itself,\nand create an anonymous file descriptor for execution. Once executed, the file will disappear\nfrom the disk:\n\n```\n$ ./ls.packed\nexample  go.mod  go.sum  injector.go  ls  ls.packed  main.go  Makefile  README.md  stub  ward\n```\n\n## license\n\n[mit](https://github.com/ex0dus-0x/ward/blob/main/LICENSE.md)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fex0dus-0x%2Fward","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fex0dus-0x%2Fward","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fex0dus-0x%2Fward/lists"}