{"id":13449228,"url":"https://github.com/michalmalik/linux-re-101","last_synced_at":"2025-04-09T03:12:39.145Z","repository":{"id":25354683,"uuid":"28782360","full_name":"michalmalik/linux-re-101","owner":"michalmalik","description":"A collection of resources for linux reverse engineering ","archived":false,"fork":false,"pushed_at":"2022-06-02T17:39:32.000Z","size":87,"stargazers_count":2028,"open_issues_count":2,"forks_count":361,"subscribers_count":117,"default_branch":"master","last_synced_at":"2025-04-02T02:12:24.392Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/michalmalik.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-01-04T18:33:20.000Z","updated_at":"2025-04-01T11:37:48.000Z","dependencies_parsed_at":"2022-07-13T15:31:01.749Z","dependency_job_id":null,"html_url":"https://github.com/michalmalik/linux-re-101","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/michalmalik%2Flinux-re-101","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/michalmalik%2Flinux-re-101/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/michalmalik%2Flinux-re-101/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/michalmalik%2Flinux-re-101/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/michalmalik","download_url":"https://codeload.github.com/michalmalik/linux-re-101/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"htt
ps://github.com","kind":"github","repositories_count":247968374,"owners_count":21025823,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T06:00:33.844Z","updated_at":"2025-04-09T03:12:39.127Z","avatar_url":"https://github.com/michalmalik.png","language":null,"readme":"linux-re-101\n============\n\nWork in progress as I am actively collecting these.\n\n#### Keep these handy\n\n- Describes how all syscalls for all architectures work (what registers are for input, output, error, ..) http://man7.org/linux/man-pages/man2/syscall.2.html\n- \"Executable and Linkable Format (ELF)\" http://www.skyfree.org/linux/references/ELF_Format.pdf or http://www.muppetlabs.com/~breadbox/software/ELF.txt (I like .txt more)\n- \"Linux Cross Reference\" http://lxr.free-electrons.com/\n- \"Syscall table reference\" https://w3challs.com/syscalls/\n- \"System V ABI x86-64 Linux\" https://web-beta.archive.org/web/20160801075139/http://www.x86-64.org/documentation/abi.pdf\n- \"MIPS documentation\" http://www.linux-mips.org/pub/linux/mips/doc/ABI/\n- \"ELF for the ARM\" http://infocenter.arm.com/help/topic/com.arm.doc.ihi0044e/IHI0044E_aaelf.pdf\n- \"ELF for the ARM64\" http://infocenter.arm.com/help/topic/com.arm.doc.ihi0056b/IHI0056B_aaelf64.pdf\n- \"How to write shared libraries\" by Ulrich Drepper http://www.akkadia.org/drepper/dsohowto.pdf    \n\n#### Must read\n\n- \"The 101 of ELF Binaries on Linux: Understanding and Analysis\" https://linux-audit.com/elf-binaries-on-linux-understanding-and-analysis/\n- ELF101 from Corkami (Ange Albertini) http://imgur.com/a/JEObT\n- 
\"How programs get run: ELF binaries\" https://lwn.net/Articles/631631/\n- \"How statically linked programs run on Linux\" http://eli.thegreenplace.net/2012/08/13/how-statically-linked-programs-run-on-linux\n- \"A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux\" http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html\n- \"The Definitive Guide to Linux System Calls\" https://blog.packagecloud.io/eng/2016/04/05/the-definitive-guide-to-linux-system-calls/\n- \"LINUX ANTI-DEBUGGING TECHNIQUES (FOOLING THE DEBUGGER)\" http://www.ouah.org/linux-anti-debugging.txt\n- \"UNIX ELF PARASITES AND VIRUS\" http://ouah.org/elf-pv.txt\n- \"Linux on the Half-ELF\" http://mammon.github.io/tales/linux_re.txt\n- \"Learning Linux Binary Analysis\" by Ryan O'Neill\n- https://www.cs.stevens.edu/~jschauma/631/elf.html\n- \"LD_NOT_PRELOADED_FOR_REAL\" http://haxelion.eu/article/LD_NOT_PRELOADED_FOR_REAL/\n- \"Understanding Linux Malware\" http://www.s3.eurecom.fr/docs/oakland18_cozzi.pdf (good paper!)\n\n#### 101\n\n- *Optional*: \"Guide to x86 assembly\" http://www.cs.virginia.edu/~evans/cs216/guides/x86.html\n- *Optional*: \"Assembly x86_64 programming for Linux\" http://0xax.blogspot.sk/p/assembly-x8664-programming-for-linux.html\n- *Optional*: x64 assembly http://rayseyfarth.com/asm/pdf/index.html\n- *Optional*: \"Step by step to MIPS assembly\" http://winfred-lu.blogspot.sk/2010/06/step-by-step-to-mips-assembly.html\n- *Optional*: FreeBSD Assembly Language Programming http://www.int80h.org/bsdasm/\n- *Optional*: \"Linux MIPS ELF reverse engineering tips\" https://www.cr0.org/paper/mips.elf.external.resolution.txt\n- \"The dissection of a simple hello world ELF file\" https://github.com/mewrev/dissection and \"ELF101\" http://imgur.com/a/JEObT\n- https://www.cs.stevens.edu/~jschauma/631/elf.html\n- \"The 101 of ELF Binaries on Linux: Understanding and Analysis\" http://linux-audit.com/elf-binaries-on-linux-understanding-and-analysis/\n- \"A Whirlwind 
Tutorial on Creating Really Teensy ELF Executables for Linux\" http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html\n- \"The definitive guide to linux system calls\" http://blog.packagecloud.io/eng/2016/04/05/the-definitive-guide-to-linux-system-calls/\n- \"Anatomy of a system call, part 1\" http://lwn.net/Articles/604287/\n- \"Anatomy of a system call, part 2\" http://lwn.net/SubscriberLink/604515\n- \"About ELF auxiliary vectors\" http://articles.manugarg.com/aboutelfauxiliaryvectors.html\n- \"How programs get run: ELF binaries\" https://lwn.net/Articles/631631/\n- \"Linux x86 Program Start Up\" http://dbp-consulting.com/tutorials/debugging/linuxProgramStartup.html\n- \"How statically linked programs run on Linux\" http://eli.thegreenplace.net/2012/08/13/how-statically-linked-programs-run-on-linux\n- \"Startup state of a Linux/i386 ELF binary\" http://asm.sourceforge.net/articles/startup.html and http://dbp-consulting.com/tutorials/debugging/linuxProgramStartup.html\n- \"Stack frame layout on x86-64\" http://eli.thegreenplace.net/2011/09/06/stack-frame-layout-on-x86-64\n- \"What is linux-gate.so.1?\" http://www.trilithium.com/johan/2005/08/linux-gate/\n- \"Understanding ld-linux.so.2\" http://www.cs.virginia.edu/~dww4s/articles/ld_linux.html\n- \"Linux process states\" https://idea.popcount.org/2012-12-11-linux-process-states/\n\n#### 201\n\n- *Optional*: \"Linkers - 20 parts\" http://www.airs.com/blog/page/4?s=linkers\n- \"Static linking (x86) internals\" http://sploitfun.blogspot.sk/2013/02/linking-with-static-library-internals.html\n- \"Static linking (x86_64) internals\" http://sploitfun.blogspot.sk/2013/07/static-linking-x8664-internals.html\n- \"Dynamic linking and x86_64 internals\" http://sploitfun.blogspot.sk/2013/07/dynamic-linking-x8664-internals.html\n- \"Dynamic linking (x86) internals\" http://sploitfun.blogspot.sk/2013/06/dynamic-linking-internals.html\n- \"PLT and GOT - the key to code sharing and dynamic libraries\" 
https://www.technovelty.org//linux/plt-and-got-the-key-to-code-sharing-and-dynamic-libraries.html\n- \"Understanding x64 code models\" http://eli.thegreenplace.net/2012/01/03/understanding-the-x64-code-models/\n- \"Load-time relocation of shared libraries \" http://eli.thegreenplace.net/2011/08/25/load-time-relocation-of-shared-libraries\n- \"Position Independent Code (PIC) in shared libraries \" http://eli.thegreenplace.net/2011/11/03/position-independent-code-pic-in-shared-libraries/\n- \"Position Independent Code (PIC) in shared libraries x64\" http://eli.thegreenplace.net/2011/11/11/position-independent-code-pic-in-shared-libraries-on-x64/\n- \"Relocations, relocations\" http://www.mindfruit.co.uk/2012/06/relocations-relocations.html\n-  \"DT_GNU_HASH\" http://deroko.phearless.org/dt_gnu_hash.txt\n- *Good night reading*: \"Linux on the Half-ELF\" http://mammon.github.io/tales/linux_re.txt\n\n#### Packers, obfuscation, and encryption\n\n- \"Runtime binary encryption\" http://phrack.org/issues/58/5.html\n- \"Next-Gen Runtime Binary Encryption\" http://phrack.org/issues/63/13.html\n- \"Binary Protection Schemes\" http://indra.linuxstudy.pe.kr/study/Binary%20Protection%20Schemes.pdf\n- \"Shiva - Advances in ELF Binary Encryption\" https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-mehta/bh-us-03-mehta.pdf\n- \"Burneye protector\" http://packetstormsecurity.com/files/30648/burneye-1.0.1-src.tar.bz2.html\n- \"ELF Encrypter\" http://elf-encrypter.sourceforge.net/\n- \"midgetpack is a multiplatform secure ELF packer\" https://github.com/arisada/midgetpack\n- \"ELF Binary Code Injection, Loader/'Decrypter'\" http://www.pinkstyle.org/elfcrypt.html\n- \"Linux ELF Runtime Crypter\" https://www.guitmz.com/linux-elf-runtime-crypter/\n- \"Linux Based Inter-Process Code Injection Without Ptrace(2)\" https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html\n- \"ELF in-memory execution\" 
https://blog.fbkcs.ru/elf-in-memory-execution/\n- \"Super Stealthy Droppers\" https://0x00sec.org/t/super-stealthy-droppers/3715\n- \"Running ELF executables from memory\" https://www.guitmz.com/running-elf-from-memory/\n- \"Detecting Linux memfd_create() Fileless Malware with Command Line Forensics\" https://www.sandflysecurity.com/blog/detecting-linux-memfd_create-fileless-malware-with-command-line-forensics/\n- \"Using eBPF to uncover in-memory loading\" https://blog.tofile.dev/2021/02/15/ebpf-01.html\n\n#### Exploitation\n\n- \"Linux x86 Reverse Engineering - Shellcode Disassembling and XOR decryption\" https://www.exploit-db.com/docs/33429.pdf\n- \"Shellcoding in Linux\" https://www.exploit-db.com/docs/21013.pdf\n- \"Linux (x86) Exploit Development Series\" https://sploitfun.wordpress.com/2015/06/26/linux-x86-exploit-development-tutorial-series/\n- \"Linux 64-bit Return Oriented Programming\" https://crypto.stanford.edu/~blynn/rop/\n- \"Introduction to Return Oriented Programming (ROP)\" https://ketansingh.net/Introduction-to-Return-Oriented-Programming-ROP/\n- \"Linux x64 Infection for Lamers (by a Lamer)\" http://vxheaven.org/lib/vjp01.html\n- \"Linux Kernel ROP - Ropping your way to # (Part 1)\" https://www.trustwave.com/Resources/SpiderLabs-Blog/Linux-Kernel-ROP---Ropping-your-way-to---(Part-1)/\n- \"Linux Kernel ROP - Ropping your way to # (Part 2)\" https://www.trustwave.com/Resources/SpiderLabs-Blog/Linux-Kernel-ROP---Ropping-your-way-to---(Part-2)/\n- \"Practice and learning in the world of C RE and exploit analysis\" https://github.com/211217613/C-Hacking\n- \"Modern Binary Exploitation\" http://security.cs.rpi.edu/courses/binexp-spring2015/ (not strictly related to Linux)\n- \"Advanced exploitation on Linux: ROP and infoleaks\" https://speakerdeck.com/milkmix/advanced-exploitation-on-linux-rop-and-infoleaks\n\n#### Anti techniques\n\n- \"LINUX ANTI-DEBUGGING TECHNIQUES (FOOLING THE DEBUGGER)\" http://www.ouah.org/linux-anti-debugging.txt\n- 
\"Beginners guide to basic Linux anti anti debugging techniques\" http://www.stonedcoder.org/~kd/lib/14-61-1-PB.pdf\n- \"Kickers of ELF\" http://www.muppetlabs.com/~breadbox/software/elfkickers.html\n- \"ELF header abuse\" https://github.com/strazzere/IDAnt-wanna\n- \"Toolkit to detect/crash/attack GNU debugging-related tools\" https://github.com/jvoisin/pangu\n- \"ELF: dynamic struggles\" http://michalmalik.github.io/elf-dynamic-segment-struggles\n- \"ptrace() tutorial\" http://mikecvet.wordpress.com/2010/08/14/ptrace-tutorial/\n- \"ptrace() on 64-bit system\" http://theantway.com/2013/01/notes-for-playing-with-ptrace-on-64-bits-ubuntu-12-10/\n- \"Linux x86 run-time process manipulation\" http://hick.org/code/skape/papers/needle.txt\n- \"Cheating the ELF Subversive Dynamic Linking to Libraries\" http://www.ouah.org/subversiveld.pdf\n- \"LD_NOT_PRELOADED_FOR_REAL\" http://haxelion.eu/article/LD_NOT_PRELOADED_FOR_REAL/\n- https://github.com/antire-book/dont_panic\n- \"gdb leaves file descriptors open in debugee\" https://silviocesare.wordpress.com/2008/05/13/gdb-leaves-file-descriptors-open-in-debugee/\n- \"More GDB Anti-Debugging\" https://xorl.wordpress.com/2009/01/05/more-gdb-anti-debugging/\n- \"How to detect virtualization on Linux\" http://www.dmo.ca/blog/detecting-virtualization-on-linux/\n- \"Mechanisms to determine VMWare VM\" http://kb.vmware.com/selfservice/microsites/search.do?language=en_US\u0026cmd=displayKC\u0026externalId=1009458\n\n#### Viruses \u0026 infection techniques\n\n- \"UNIX VIRUSES\" http://ouah.org/unix-viruses.txt\n- \"UNIX ELF PARASITES AND VIRUS\" http://ouah.org/elf-pv.txt\n- \"Linux viruses - ELF file format\" by Marius Van Oers http://www.mcafee.com/us/resources/white-papers/wp-linux-viruses-elf-file-format.pdf\n- \"Abusing .CTORS and .DTORS for fun 'n profit\" http://vxer.org/lib/viz00.html\n- \"The WIT virus\" http://vanilla47.com/PDFs/Viruses In Linux PDFs/The WIT Virus.pdf\n- \"Caveat virus\" 
http://vxer.org/herm1t/caveat_en.html\n- \"Reverse of a coin: A short note on segment alignment\" http://vxheavens.com/lib/vhe04.html\n- \"INT 0x80? No, thank you! aka Pilot\" http://vxer.org/herm1t/pilot_en.html\n- \"Infecting ELF-files using function padding for Linux\" http://vxer.org/lib/vhe00.html\n- \"Injected Evil (executable files infection)\" http://vxheaven.org/lib/vzo08.html\n- \"An unofficial analysis of the Retaliation Virus (Authored by JPanic)\" http://vxer.org/lib/vrn01.html or http://www.bitlackeys.org/papers/retaliation.txt\n- \"Skeksi virus\" https://github.com/elfmaster/skeksi_virus\n- \"Modern Day ELF Runtime infection via GOT poisoning\" http://vxheaven.org/lib/vrn00.html\n- \"From position-independent to self-relocatable viral code\" http://vxer.org/lib/vhe08.html\n- \"The Cerberus ELF interface\" http://phrack.org/issues/61/8.html#article\n- \"Malicious Code Injection via /dev/mem\" http://www.blackhat.com/presentations/bh-europe-09/Lineberry/BlackHat-Europe-2009-Lineberry-code-injection-via-dev-mem.pdf\n- VX Heaven collection of viruses http://vxer.org/vl.php?dir=Virus.Linux\n- http://vxer.org/herm1t/\n- Source code of infection techniques http://vxer.org/herm1t/examples.tar.gz by herm1t\n- \"PT_NOTE to PT_LOAD Injection in ELF\" https://www.symbolcrash.com/2019/03/27/pt_note-to-pt_load-injection-in-elf/\n\n#### Linux kernel, rootkits, and LKM development\n\n- *Optional*: \"A series of posts about the linux kernel and its insides.\" http://0xax.gitbooks.io/linux-insides/content/index.html\n- *Optional*: \"Kernel hacking HOWTO\" http://kernelnewbies.org/New_Kernel_Hacking_HOWTO\n- \"Anatomy of the Linux kernel\" http://www.ibm.com/developerworks/linux/library/l-linux-kernel/index.html\n- \"Linux process management\" http://www.ibm.com/developerworks/linux/library/l-linux-process-management/index.html\n- \"Linux processes\" http://www.cs.columbia.edu/~junfeng/10sp-w4118/lectures/l07-proc-linux.pdf\n- \"Kernel hacking\" 
http://info.fs.tum.de/images/2/21/2011-01-19-kernel-hacking.pdf\n- \"Be a kernel hacker\" http://www.linuxvoice.com/be-a-kernel-hacker/?pk_campaign=hn\u0026pk_kwd=3\n- \"Day 5: I wrote a kernel module\" http://jvns.ca/blog/2013/10/07/day-5-i-wrote-a-kernel-module/\n- \"Linux Rootkits 101\" http://turbochaos.blogspot.sk/2013/09/linux-rootkits-101-1-of-3.html\n- \"Linux Rootkits 201\" http://turbochaos.blogspot.sk/2013/10/writing-linux-rootkits-201-23.html\n- \"Linux Rootkits 301\" http://turbochaos.blogspot.sk/2013/10/writing-linux-rootkits-301_31.html \n- \"Handling Interrupt Descriptor Table for fun and profit\" http://www.phrack.org/issues.html?issue=59\u0026id=4\n- \"Intercepting System Calls and Dispatchers – Linux\" https://ruinedsec.wordpress.com/2013/04/04/modifying-system-calls-dispatching-linux/\n- \"Linux Kernel Rootkits\" http://www.la-samhna.de/library/rootkits/index.html\n- \"Linux Kernel Debugging using KGDB/GDB\" http://sploitfun.blogspot.sk/2013/06/linux-kernel-debugging-using-kgdbgdb.html\n- \"Kernel instrumentation using kprobes\" http://phrack.org/issues.html?issue=67\u0026id=6#article\n- \"Infecting loadable kernel modules versions 2.6.x/3.0.x\" http://phrack.org/issues/68/11.html#article\n- \"(nearly) Complete Linux Loadable Kernel Modules\" https://www.thc.org/papers/LKM_HACKING.html\n- Check the README for more https://github.com/citypw/citypw-SCFE/tree/master/security/rootkit/hide_file\n- \"UNIX and Linux based rootkits\" http://www.kernelhacking.com/rodrigo/docs/StMichael/BuntenSlides.pdf\n- \"Sample rootkit for linux\" https://github.com/ivyl/rootkit/\n- \"Writing a LKM rootkit that uses LSM hooks\" http://vladz.devzero.fr/015_lsm-backdoor.html\n- \"TCP/UDP symmetric encryption tunnel wrapper\" https://github.com/chokepoint/CryptHook\n- \"Userland rootkit based off of the original LD_PRELOAD technique from Jynx rootkit\" https://github.com/chokepoint/azazel\n- \"an experimental linux kernel module (rootkit) with a keylogger and built-in 
IRC bot\" https://github.com/bones-codes/the_colonel\n- \"An LKM rootkit targeting Linux 2.6/3.x on x86(_64), and ARM\" https://github.com/mncoppola/suterusu\n- \"Linux rootkit adapted for 2.6 and 3.x\" https://github.com/trimpsyw/adore-ng\n- https://github.com/mfontanini/Programs-Scripts/blob/master/rootkit/rootkit.c\n- \"Linux: Creating an entry in /proc file system (Part 1: The hello_proc pseudo file)\" http://pointer-overloading.blogspot.in/2013/09/linux-creating-entry-in-proc-file.html\n- Answer to \"Ripping out the hidden kernel module by reading kernel memory directly?\" http://stackoverflow.com/a/18464599\n- \"User space memory access from the Linux kernel\" http://www.ibm.com/developerworks/library/l-kernel-memory-access/\n- \"get_user_pages example\" http://krishnamohanlinux.blogspot.sk/2015/02/getuserpages-example.html\n- \"Horse Pill: A New Type Of Linux Rootkit\" https://www.blackhat.com/docs/us-16/materials/us-16-Leibowitz-Horse-Pill-A-New-Type-Of-Linux-Rootkit.pdf\n- \"vlany, Linux (LD_PRELOAD) rootkit\" https://github.com/mempodippy/vlany\n- \"Hacking the wholism of GNU/Linux net*\" http://kernelnewbies.org/Networking?action=AttachFile\u0026do=get\u0026target=hacking_the_wholism_of_linux_net.txt\n- \"Linux Device Drivers\" https://lwn.net/Kernel/LDD3/\n- \"Linux Data Structures\" http://tldp.org/LDP/tlk/ds/ds.html\n- \"Status of the Kernel Self Protection Project\" https://outflux.net/slides/2016/lss/kspp.pdf\n- \"The Proc Connector and Socket Filters\" http://netsplit.com/the-proc-connector-and-socket-filters\n- \"Linux Rootkits: New Methods for Kernel 5.7+\" https://xcellerator.github.io/posts/linux_rootkits_11/\n\n#### Crackmes and challenges\n\n- \"Exercises for learning Reverse Engineering and Exploitation.\" https://github.com/wapiflapi/exrs\n- \"IOLI crackme\" http://dustri.org/b/files/IOLI-crackme.tar.gz\n- http://security.cs.rpi.edu/courses/binexp-spring2015/lectures/2/challenges.zip from \"Modern Binary Exploitation\"\n- \"Exercises\" 
section in http://beginners.re/Reverse_Engineering_for_Beginners-en.pdf\n\n#### Analyses, \"hands-on\", analysis techniques\n\n- \"100 GDB tips\" https://github.com/hellogcc/100-gdb-tips/tree/master/src\n- \"Defeating IOLI with Radare2\" http://dustri.org/b/defeating-ioli-with-radare2.html\n- \"Using radare2 to pwn things\" http://radare.today/using-radare2/\n- \"Pwning With Radare2\" http://crowell.github.io/blog/2014/11/23/pwning-with-radare2/\n- \"At Gunpoint Hacklu 2014 With Radare2\" http://crowell.github.io/blog/2014/11/23/at-gunpoint-hacklu-2014-with-radare2/\n- \"manual binary mangling with radare\" http://phrack.org/issues/66/14.html#article\n- \"Analysis of an unknown binary, for the HoneyNet Reverse Challenge\" http://old.honeynet.org/reverse/results/sol/sol-06/analysis.html\n- \"Reversing GO binaries like a pro\" http://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/\n- \"Reversing Golang\" https://2016.zeronights.ru/wp-content/uploads/2016/12/GO_Zaytsev.pdf\n- \"Reversing Linux Malware\" https://github.com/radareorg/r2con/blob/master/2016/talks/11-ReversingLinuxMalware/r2con_SergiMartinez_ReversingLinuxMalware.pdf (includes Golang reversing with radare2)\n- https://samsymons.com/blog/reverse-engineering-with-radare2-part-1/\n- \"Reverse Engineering With Radare2 – Part 2\" https://insinuator.net/2016/08/reverse-engineering-with-radare2-part-2/\n- \"Reverse Engineering With Radare2 – Part 3\" https://insinuator.net/2016/10/reverse-engineering-with-radare2-part-3/\n- \"Reverse Engineering Ebpfkit Rootkit With BlackBerry's Enhanced IDA Processor Tool\" https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool\n\n#### Research and development\n\n- \"Understanding Linux Malware\" http://www.s3.eurecom.fr/docs/oakland18_cozzi.pdf (good paper!)\n- binary samples for testing https://github.com/JonathanSalwan\n- \"ELF Eccentricities - Julian Bangert, Sergey Bratus\" 
https://www.youtube.com/watch?v=4LU6N6THh2U\n- \"ELF-Miner: Using structural knowledge and data mining methods to detect new (Linux) malicious executables\" http://www.genetic-programming.org/hc2011/05-Farooq/Farooq-Paper.pdf\n- \"Fuzzing the ELF file format with Melkor\" https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Hernandez-Melkor-Slides.pdf\n- http://www.bitlackeys.org (all of it)\n- \"Effective file format fuzzing\" https://www.blackhat.com/docs/eu-16/materials/eu-16-Jurczyk-Effective-File-Format-Fuzzing-Thoughts-Techniques-And-Results.pdf (not related to Linux directly, but it's pretty great)\n- \"Linux kernel sanitizers and syscall fuzzer\" https://www.linuxplumbersconf.org/2016/ocw//system/presentations/3471/original/Sanitizers.pdf\n- \"ElfParser blog\" http://www.blog.elfparser.com/ \n- \"ELF vs. Mach-O\" http://timetobleed.com/dynamic-linking-elf-vs-mach-o/\n- \"ELF vs. Mach-O 2\" http://timetobleed.com/dynamic-symbol-table-duel-elf-vs-mach-o-round-2/\n- \"Where did the fork go?\" http://thorstenball.com/blog/2014/06/13/where-did-fork-go/\n- \"Playing with ptrace, part II\" http://www.linuxjournal.com/article/6210\n- \"Write Yourself an Strace in 70 Lines of Code\" https://blog.nelhage.com/2010/08/write-yourself-an-strace-in-70-lines-of-code/\n- \"Writing a Linux Debugger Part 1: Setup\" http://blog.tartanllama.xyz/c++/2017/03/21/writing-a-linux-debugger-setup/\n- \"Writing a Linux Debugger Part 2: Breakpoints\" http://blog.tartanllama.xyz/c++/2017/03/24/writing-a-linux-debugger-breakpoints/\n- \"Writing a Linux Debugger Part 3: Registers and memory\" http://blog.tartanllama.xyz/c++/2017/03/31/writing-a-linux-debugger-registers/\n- \"Writing a Linux Debugger Part 4: Elves and dwarves\" http://blog.tartanllama.xyz/c++/2017/04/05/writing-a-linux-debugger-elf-dwarf/\n- \"How to write a rootkit without really trying\" https://blog.trailofbits.com/2019/01/17/how-to-write-a-rootkit-without-really-trying/\n\n#### Tools\n\n- \"Quickly determine the 
capabilities of an ELF binary through static analysis\" http://elfparser.com/\n- \"LIEF (Library to Instrument Executable Formats)\" https://lief.quarkslab.com/\n- \"[shmcat] Dumps the contents of a SysV shared memory segment\" https://github.com/niklata/shmcat\n- \"ld-linux code injector\" https://github.com/sduverger/ld-shatner\n- \"Measuring Linux at Runtime\" http://www.unixist.com/security/measuring-linux-at-runtime/index.html coupled with https://github.com/unixist/camb\n- \"Linux Rootkit Scanner\" https://github.com/dgoulet/kjackal\n- \"tool to locally check for signs of a rootkit\" http://www.chkrootkit.org/\n- \"a Unix-based tool that scans for rootkits, backdoors and possible local exploits\" http://rkhunter.sourceforge.net/\n- \"MoVP 1.5 KBeast Rootkit, Detecting Hidden Modules, and sysfs\" http://volatility-labs.blogspot.sk/2012/09/movp-15-kbeast-rootkit-detecting-hidden.html\n- https://github.com/detuxsandbox/detux\n\n#### Other\n\n- \"Building a concrete alternative to IDA - Radare2 to the rescue!\" https://recon.cx/2015/slides/recon2015-04-jeffrey-crowell-julien-voisin-Radare2-building-a-new-IDA.pdf\n- \"Introduction to Reverse Engineering Software in Linux\" http://ouah.org/RevEng/\n- \"Radare2 book\" http://radare.gitbooks.io/radare2book/content/\n- \"Intro to Radare2\" http://rada.re/get/condret-r2talk.pdf\n- \"Radare2 baby steps\" http://maijin.fr/slides.pdf\n- \"Radare A to Z\" http://radare.org/get/RadareAZ-NN2015.pdf\n- https://github.com/citypw/citypw-SCFE/tree/master/security\n- http://mammon.github.io/\n- https://code.google.com/p/corkami/downloads/list \u0026 https://code.google.com/p/corkami/source/browse/#svn/trunk/wip/elf\n- https://github.com/jbangert/mithril\n- http://0x90909090.blogspot.fr/2015/07/no-one-expect-command-execution.html\n- \"Emulating Linux MIPS in Perl\" http://schplog.schmorp.de/2015-06-08-emulating-linux-mips-in-perl-1.html\n- \"Crypto 101\" https://www.crypto101.io/\n- \"REMnux 6\" 
https://zeltser.com/remnux-v6-release-for-malware-analysis/\n- https://people.debian.org/~aurel32/qemu/\n- \"Why is the ELF execution entry point virtual address of the form 0x80xxxxx and not zero 0x0?\" http://stackoverflow.com/questions/2187484/why-is-the-elf-execution-entry-point-virtual-address-of-the-form-0x80xxxxx-and-n\n- \"Why do virtual memory addresses for linux binaries start at 0x8048000?\" http://stackoverflow.com/questions/2966426/why-do-virtual-memory-addresses-for-linux-binaries-start-at-0x8048000\n- \"Playing with Process Memory Integrity on Linux\" https://redcanary.com/blog/process-memory-integrity-linux/\n\n#### Books\n\n- \"Malware Forensics Field Guide for Linux Systems\" by Cameron H. Malin, Eoghan Casey, James M. Aquilina\n- \"Linux (Bezpečnosť a exploity)\" by Miroslav Dobšíček and Radim Ballner\n- \"Hacking: The Art of Exploitation\" by Jon Erickson\n- \"The Shellcoder's Handbook: Discovering and Exploiting Security Holes\" by Chris Anley, John Heasman, Felix Lindner\n- \"The Linux Programming Interface\" by Michael Kerrisk\n- \"Learning Linux Binary Analysis\" by Ryan O'Neill\n- \"Practical Binary Analysis: Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly\" by Dennis Andriesse\n\n","funding_links":[],"categories":["Others","\u003ca id=\"8c5a692b5d26527ef346687e047c5c21\"\u003e\u003c/a\u003e收集","Infosec resources"],"sub_categories":["ColdFusion"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmichalmalik%2Flinux-re-101","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmichalmalik%2Flinux-re-101","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmichalmalik%2Flinux-re-101/lists"}