Research proof-of-concept repository for ELF executable embedding, in-memory execution, and obfuscation techniques (academic/defensive purposes only).
This repo implements and documents multiple techniques for embedding and executing ELF binaries stealthily on Linux systems. It accompanies the research Research of Methods for Application Containment: Analysis and Implementation of ELF Executable Embedding and Obfuscation Techniques.
These techniques can be abused. The code and experiments in this repo are for research, defensive, and educational purposes only. By using this repository you agree to:
- Only run experiments on systems you own or where you have explicit permission.
- Use isolated VMs, snapshots, or lab networks.
- Not use results for unauthorized access, persistence, or harm.
The authors are not responsible for misuse.
If you plan to adapt or publish tools derived from this work, follow responsible disclosure.
All the experiments were tested on a Debian-based x86_64 environment.
- Prepare an isolated environment (VM, container, etc).
- Install dependencies.
sudo apt update
sudo apt install -y build-essential xxd libglib2.0-dev gdb binutils hexdump binwalk- See each technique's section below for instructions.
Notes:
memfd_create()/execveat()require a sufficiently recent kernel.- Ptrace injections might be restricted by the YAMA ptrace security configuration; you might need to run tests as the same user or adjust
/proc/sys/kernel/yama/ptrace_scopefor testing in an isolated environment.
This is a proof of concept for embedding and executing an ELF binary in memory without writing it to disk, using memfd_create() and execveat() system calls.
To inject and execute an ELF binary in memory run:
bash script.shTo see the result of the executed binary, run:
bash result_script.shProof of concept for data hiding inside an ELF executable, by using the slack space within the binary. It does not modify its functional behavior or alter its size.
To hide a payload inside an ELF binary, run:
bash script.shTo extract the hidden payload from the ELF binary, run:
extract_payload.shProof of concept for shared libraries injection using the LD_PRELOAD environment variable to intercept function calls. Two hooks are implemented: one for the puts function and another for the write function.
To test the shared library injection, you can follow these steps:
- Compile the shared library and target file with
make. - Set the environment variable
LD_PRELOADto the path of the compiled shared library. - Run the target executable.
Function calls can be verified using strace.
# Compile
make
# Set environment variable
export LD_PRELOAD=./libhook.so
# Run the target program
./target
# Or verify with strace
strace ./target
# Alternative test
strace cat /etc/hostnameThis is a proof of concept for process injection using ptrace. ptrace system call allows to attack, observe and modify the execution of another process. We have implemented two methods of injection: one injects code at the instruction pointer, while the other uses mmap to allocate a writable and executable memory region that is used to execute the shellcode. This second method is more robust as it allows to restore the overwritten instructions and continue the execution of the target process. More information and instructions can be found in the README.md file of the ptrace_process_injection directory.
© 2025 Marta Piedad Huete Martínez & Nicolò Pellegrinelli
All rights reserved.
This repository and its contents are distributed under the terms of the GNU General Public License v3.0 (GPL-3.0).
You are free to use, modify, and redistribute this work under the same license, provided that proper credit is given to the original authors and that any derivative works remain open source under the GPL-3.0.
This repository is intended solely for research and educational purposes.
Commercial use or integration into proprietary software is not permitted without explicit permission from the authors.
If you reuse any part of this project in academic work, please cite:
Huete Martínez, M. P. & Pellegrinelli, N. (2025).
Research of Methods for Application Containment: Analysis and Implementation of ELF Executable Embedding and Obfuscation Techniques.
Vilnius University, Faculty of Mathematics and Informatics.