1.0 tmp.0ut Issue 1: Introduction
tmp.0ut Volume 1 - April 2021
Intro
~ tmp.0ut Staff
I’ve been waiting to do this for a really long time.
To be honest, I don’t think many elf-lovers really envisioned this ever happening. Traditionally, we elf researchers have been outliers. Even after VLAD and the late 90’s vx scene, silvio’s first paper, the unix virus mailing list, phrack articles, elfmaster; our numbers and gathering places were small and separate.
Six months ago I was introduced to s01den, and we decided to work on some ELF projects together. I invited my old friend TMZ. A month later, there were maybe 5 of us. Then there were 10. 15. Within three months, there were 28 people together in a discord chat, ALL talking about ELF and projects and putting out a zine - It happened so fast I can't even describe very well how it came into being.
We started talking and having meetings and taking on projects - and all agreed it would be a wonderful idea to document our journey; create a series of publications that can be learned from, used as reference guides, and maybe even eventually combine them into a fluent volume of elf modification techniques and technology for the next elf generation. I contend with a fair degree of certainty that this is most likely the largest group of hackers ever joined together at the same time and place who are all actively working on ELF projects.
Infection algorithms with code examples. Custom linker scripts with an entirely new method of loading ELF binaries in memory. Binary golf. Loading kernel modules from remote sources. A disinfector written in python. An interview with a legend. A 39-page re-reverse engineer and analysis of one of the most complex Linux viruses yet seen. I wrote pages and pages of things I wanted to put in this introduction I've been waiting 20 years to write, but now that it's come down to it, I feel like most of that stuff should be left out, or put in its own article, because our amazing crew and our content speaks for itself.
And now without further ado, tmp.out, Thugcrowd, and Symbolcrash productions proudly present the Mental 'elf support group - spuriously sponsored by the society for sanitary shellcodes and the binary bandit backdoorfactory bums
~ sblip
Index
┌───────────────────────┐
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ │
│ █ █ █ █ █ █ │
│ █ █ █ █ █▀▀▀▀ │
│ █ █ █ █ ▄ │
│ ▄▄▄▄▄ │
│ █ █ │
│ █ █ │
│ █▄▄▄█ │
│ ▄ ▄ │
│ █ █ │
│ █ █ │
│ █▄▄▄█ │
│ ▄▄▄▄▄ │
┌───────────────────────────────────────────────────────────│ █ │
│ tmp.0ut Volume 1 - April 2021 │ █ │
│ CONTENTS └───────────────────█ ──┘
│ │
│ 1.0 Intro ....................................................... tmp.0ut Staff │
│ 1.1 Dead Bytes .................................................... xcellerator │
│ 1.2 Implementing the PT_NOTE Infection Method In x64 Assembly ........... sblip │
│ 1.3 PT_NOTE To PT_LOAD ELF Injector In Rust ............................. d3npa │
│ 1.4 PT_NOTE Disinfector In Python .................................... manizzle │
│ 1.5 Fuzzing Radare2 For 0days In About 30 Lines Of Code ..... Architect, s01den │
│ 1.6 The Polymorphic False-Disassembly Technique ........................ s01den │
│ 1.7 Lin64.Eng3ls: Some Anti-RE Techniques In A Linux Virus ...... s01den, sblip │
│ 1.8 Linux.Midrashim.asm ................................................... TMZ │
│ 1.9 In-Memory LKM Loading ........................................... netspooky │
│ 1.10 Linux SHELF Loading .................................... ulexec, Anonymous_ │
│ 1.11 Return To Original Entry Point Despite PIE ......................... s01den │
│ 1.12 Writing Viruses In MIPS Assembly For Fun (And No Profit) ........... s01den │
│ 1.13 Interview: herm1t ........................................... tmp.0ut Staff │
│ 1.14 GONE IN 360 SECONDS - Linux/Retaliation ............................ qkumba │
│ 1.15 Linux.Nasty.asm ....................................................... TMZ │
│ 1.16 Linux.Precinct3.asm ............................................. netspooky │
│ 1.17 Underground Worlds ................................................. s01den │
│ │
└──────────────────────────────────────────────────────────────────────────────────┘
>> For the html version of this zine, please visit https://tmpout.sh/1/
