https://github.com/guitmz/midrashim
PT_NOTE to PT_LOAD x64 ELF infector written in Assembly
asm assembly elf infector linux malware virus
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/guitmz/midrashim
- Owner: guitmz
- License: mit
- Created: 2020-11-05T18:08:30.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2021-10-16T17:00:51.000Z (over 3 years ago)
- Last Synced: 2025-04-01T22:09:50.019Z (3 months ago)
- Topics: asm, assembly, elf, infector, linux, malware, virus
- Language: Assembly
- Homepage: https://www.guitmz.com/linux-midrashim-elf-virus/
- Size: 36.1 KB
- Stars: 43
- Watchers: 2
- Forks: 6
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Linux.Midrashim
This is my first x64 ELF infector written in full Assembly. It contains a non-destructive payload and will infect other ELF files ([PIE](https://en.wikipedia.org/wiki/Position-independent_code) is also supported) in the current directory only, not recursively. It uses the `PT_NOTE to PT_LOAD` infection technique.

# Build
Assemble it with [FASM](https://flatassembler.net) x64.
```
$ fasm Linux.Midrashim.asm
flat assembler version 1.73.25 (16384 kilobytes memory, x64)
3 passes, 2631 bytes.

$ file Linux.Midrashim
ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped

$ sha256sum Linux.Midrashim
8f1a835ad6f5c58b397109e28409ec0556d6d374085361c6525f73d5ca5785eb Linux.Midrashim
```

# Demo
https://asciinema.org/a/383841

# References:
- https://www.symbolcrash.com/2019/03/27/pt_note-to-pt_load-injection-in-elf
- https://www.wikidata.org/wiki/Q6041496
- https://legacyofkain.fandom.com/wiki/Ozar_Midrashim
- https://en.wikipedia.org/wiki/Don%27t_Be_Afraid_(album)