Seattle

Ryan elfmaster O'Neill

Elite
@elfmaster

Computer security researcher, reverse engineer, and ELF connoisseur

libelfmaster. Secure ELF parsing/loading library for forensics reconstruction of malware, and robust reverse engineering tools

454

ftrace. POSIX Function tracing

340

skeksi_virus. Devestating and awesome Linux X86_64 ELF Virus

239

ecfs. extended core file snapshot format

229

maya. Highly advanced Linux anti-exploitation and anti-tamper binary protector for ELF.

161

saruman. ELF anti-forensics exec, for injecting full dynamic executables into process image (With thread injection)

140

dsym_obfuscate. Obfuscates dynamic symbol table

137

kdress. Transform vmlinuz into a fully debuggable vmlinux that can be used with /proc/kcore

131

dt_infect. ELF Shared library injector using DT_NEEDED precedence infection. Acts as a permanent LD_PRELOAD

111

binflow. This is the new ftrace (https://github.com/elfmaster/ftrace) - Much faster, better resolution but not complete yet! :)

111

sherlocked. Universal script packer-- transforms any type of script into a protected ELF executable, encrypted with anti-debugging.

105

linker_preloading_virus. An example of hijacking the dynamic linker with a custom interpreter who loads and executes modular viruses

66

taskverse. A tool like /bin/ps but uses /proc/kcore for walking the tasklist; this finds hidden processes

60

kprobe_rootkit. Linux kernel rootkit using kprobes (From http://phrack.org/issues/67/6.html)

42

libelfmaster_examples. Simple ELF tools written to demonstrate libelfmaster capabilities.

42

ecfs_exec. Be able to execute memory snapshots so they can start running where they left off.

37

shiva. Shiva is a programmable dynamic linker for loading ELF microprograms

36

static_binary_mitigations. relros.c applies RELRO to static binaries, and static_to_dyn.c applies ASLR to static binaries.

34

davinci. Transforms any file into a protected ELF executable

29

scop_virus_paper. ELF Virus infection techniques that work with SCOP (Secure code partitioned) executables

15

fork_trace. C++

11

avu32. anti virus 32bit. my first attempt (in 2008) to write prototype for detecting/disinfecting unix ELF viruses

9

ee-ecfs. A version of ECFS (Extended core file snapshot) technology that was revamped for the DARPA EBOSS program-- ELF core-files with rich ABI enhancements for automated vulnerability research.

9

canaryism. Canaryism will tell you which functions are protected with gcc stack canaries

7

packt_book. C

6

interpx_documentation.

5

unix_virus_anniversary.

3

shiva_blogposts. Multiple blogposts are maintained here.

3

shiva_presentations.

3

veriexec.linux. Veriexec implementation for Linux

3

scripts. Python

3

bcc. BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more

2

sentinel. Sentinel is a command line tool able to protect Windows 32 bit programs against exploits targeted by attackers or viruses. It can protect your programs against 0-day attacks or publicly known bugs.

2

binutils-gdb. Unofficial mirror of sourceware binutils-gdb repository. Updated daily.

2

linux. Linux kernel source tree

1

seventh_gate. C

1

poetry. Transcribing my poetry from 19yrs ago

1

unread. .eh_frame unwind information parser

1

openssh-portable. Portable OpenSSH

1
39
Apply