Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ex0dus-0x/ward
Simple ELF runtime packer for creating self-protecting binaries
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/ex0dus-0x/ward
- Owner: ex0dus-0x
- License: mit
- Created: 2020-07-31T00:13:40.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2023-08-16T22:59:16.000Z (about 1 year ago)
- Last Synced: 2024-05-16T13:42:44.798Z (6 months ago)
- Language: Go
- Homepage: https://codemuch.tech/2021/04/28/unpacking-in-memory-malware/
- Size: 109 KB
- Stars: 14
- Watchers: 3
- Forks: 2
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE.md
Awesome Lists containing this project
- awesome-game-security - Simple ELF runtime packer for creating stealthy droppers
README
# ward
ELF runtime packer for creating self-protecting binaries
## intro
This is a simple implementation of an ELF packer that creates stealthy droppers for loading
malicious ELFs in-memory. Useful for red teamers trying to proliferate a payload while evading
detection.

## features

* Stealthy - payload is injected in ELF format, and loaded through `memfd`-based execution
* Zlib compression for packed executables
* Anti-tampering with code injection prevention

## how it works
__ward__ compresses a target ELF executable and injects it into a stub program,
which uses a modified `PT_NOTE` infection technique to execute it in-memory with `memfd_create`
and `fexec`.

For instance, run __ward__ on a copy of `ls`:

```
$ ward ./ls
2021/04/14 20:26:07 Starting up ward
2021/04/14 20:26:07 Checking if valid ELF binary
2021/04/14 20:26:07 Provisioning stub program for packing
2021/04/14 20:26:07 Packing original executable into stub ./ls
2021/04/14 20:26:07 Finding PT_NOTE segment for injecting metadata
2021/04/14 20:26:07 Offset: 828304 Size: 141936
2021/04/14 20:26:07 Writing (not yet encoded) ELF to stub
2021/04/14 20:26:07 Done! Find the packed application at /home/alan/Code/ward/ls.packed
```

When you execute it now, the stub program will read the compressed executable from itself,
and create an anonymous file descriptor for execution. Once executed, the file will disappear
from the disk:

```
$ ./ls.packed
example go.mod go.sum injector.go ls ls.packed main.go Makefile README.md stub ward
```

## license

[mit](https://github.com/ex0dus-0x/ward/blob/main/LICENSE.md)
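The stub described under "how it works" runs the unpacked ELF from an anonymous `memfd`, so nothing is written to disk, but the kernel still exposes that backing file through `/proc/<pid>/exe`, rendered as `/memfd:<name> (deleted)`. The Go program below is an added detection example, not part of ward: it walks procfs and reports live processes whose main executable is a memfd. The `ScanProc` and `IsMemfdExe` names and the `procRoot` parameter are this example's own assumptions, chosen so the walker can also be exercised against a constructed directory tree.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// IsMemfdExe reports whether a /proc/<pid>/exe link target is an anonymous memfd. The
// kernel renders such targets as "/memfd:<name>", usually followed by " (deleted)".
func IsMemfdExe(target string) bool {
	return strings.HasPrefix(target, "/memfd:")
}

// ScanProc walks a procfs tree and returns pid -> exe link target for every process
// whose main executable is an anonymous memfd. procRoot is "/proc" on a live host;
// it is a parameter (an assumption of this example) so a constructed tree can be scanned.
func ScanProc(procRoot string) (map[int]string, error) {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return nil, err
	}
	found := map[int]string{}
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil || !e.IsDir() {
			continue // not a <pid> directory (e.g. "self", "sys", "meminfo")
		}
		exe, err := os.Readlink(filepath.Join(procRoot, e.Name(), "exe"))
		if err != nil || !IsMemfdExe(exe) {
			continue // kernel thread, no permission, or an ordinary on-disk executable
		}
		found[pid] = exe
	}
	return found, nil
}

func main() {
	findings, err := ScanProc("/proc") // run as root to read every process's exe link
	if err != nil {
		panic(err)
	}
	for pid, exe := range findings {
		comm, _ := os.ReadFile(filepath.Join("/proc", strconv.Itoa(pid), "comm"))
		fmt.Printf("pid=%d comm=%q exe=%q\n", pid, strings.TrimSpace(string(comm)), exe)
	}
}
```

memfd-backed executables also occur legitimately (container runtimes, some package managers and JITs), so treat a hit as a triage lead and compare it with the process's parent, cmdline and open descriptors. The scan only sees processes alive at that moment; an audit rule on the `memfd_create` syscall gives continuous coverage.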