tmpout

ELF Research Group

2025-03-21

Would you look at that, it's tmp.0ut Volume 4! Happy Friday, hope you enjoy this latest issue!

tmpout.sh/4/

table of contents for tmp.0ut volume 4
2025-03-19

tmp.0ut Volume 4 will be out in the coming days!

In the meantime, check out the official tmp.0ut 4 Mixtape!!

~2 hours of beats to relax/study/write viruses to:

soundcloud.com/faultus/tmpout4

tmpout 4 logos in various colors
2024-12-16

We are extending our call for papers to January 1, 2025!

We are now targeting an end of January release.

If you have any Linux/ELF related research, projects, or papers, we would love to publish them!

Huge thank you to everyone who has already submitted!

tmpout boosted:
2024-11-19

Paged Out! Issue #5 is out now!
pagedout.institute/?page=issue
Happy reading!

2024-10-31

tmp.0ut Volume 4 is happening! Our call for papers is now open, and we're excited to see what you've been working on 👀 read the full announcement here: tmpout.sh/blog/vol4-cfp.html

tmpout boosted:
2024-08-19

The time has come, and with it your reading material for the week.

Phrack #71 is officially released ONLINE! Let us know what you think!

phrack.org/issues/71/1.html

table of contents for Phrack 71
tmpout boosted:
2024-06-21

Binary Golf Grand Prix 5 begins now!

#BGGP5 theme: "Download"

Challenge Announcement: binary.golf/5

BGGP5 flyer
tmpout boosted:
2024-06-14

Attention Golfers, #BGGP5 is starting a week from today!! Get your hex editors ready and update your firewall rules because this one is going to be a lot of fun!

Keep it locked in on binary.golf, revisit old challenges, come chat in Discord, and we'll see you soon!

BGGP Logo with the text "binary.golf" in the center, black on white
tmpout boosted:
2024-04-03

new updates just merged into easylkb (Easy Linux Kernel Builder) - thank you to all the contributors!

github.com/deepseagirl/easylkb

screenshot showing user connecting to a linux image running in qemu after building with easylkb
tmpout boosted:
2024-04-01

I finally wrote down my Binary Golf Grand Prix 4 research!

Chaining the most obscure Windows file formats I could find, finding some easter eggs, top-score irony, and bypassing digital signatures.

BGGP4: PleaseMom, QUANTUM, Rat? #BGGP4

remyhax.xyz/posts/bggp4-quantu

2024-01-20

An End of the Week treat! We are pleased to push the final paper to tmp.0ut Vol. 3: "u used 2 call me on my polymorphic shell phone" by @ic3qu33n

This paper explores historical Linux VX techniques and applies them to modern day, you won't want 2 miss!
tmpout.sh/3/12.html

A screenshot of the paper's header and introduction on the tmpout website
tmpout boosted:
Battle Programmer Yuu netspooky@haunted.computer
2024-01-11

You should write an article for Phrack #71 !! I hear it's coming out by summer time. 👀

Let's open the windows and get some phresh air back into the scene.

If you've got a story to tell, you should send it in by April 1st and keep the vibe going. :)

phrack.org

2023-12-14

A huge thank you to everyone checking out the daily articles!

We've run out for now, but please do make sure to check out the non-articles that were released!

A huge thank you to all of our contributors, readers, and staff. You make this possible!

tmpout.sh/3/

2023-12-13

tmpout vol3 - article a day #17

isra shows us another proof of concept x64 ELF virus written in Perl!

read here: tmpout.sh/3/30.html

Yet another proof-of-concept x64 ELF virus written in Perl:

 * It works by patching the last byte (return instruction) of the .fini section
   and then injecting a payload in the free space (null bytes) between the
   .fini and .rodata sections. Infection is accomplished only if free space is
   greater than size of payload + size of virus.
2023-12-12

tmpout vol3 - article a day #16

"recap of bggp 4: replicate"

a short recap of the most recent @binarygolf challenge, with a link to all the entries.

read here: tmpout.sh/3/25.html

The fourth annual Binary Golf Grand Prix was this summer. The challenge was to create the
smallest possible self-replicating program that printed, returned, or somehow displayed
the number "4".
2023-12-11

tmpout vol3 - article a day #15

"hvICE - intrusion countermeasure electronics"

wintermute shows us a proof of concept implementation for enforced data integrity

read here: tmpout.sh/3/24.html

hvICE is a proof of concept implementation of hypervisor enforced code/data integrity for the Linux
kernel using xen and libvmi. It requires no modification to the guest OS. hvICE achieves this by 
setting all pages between _text and _etext and all of kernel rodata to not writable in the guest's
EPT, then pausing the VM and logging the violation if an attempted write did not come from within 
kernel text. Writes by code within kernel text are ignored to prevent false positives due to kernel 
self patching.

Example:
    - Kernel self protection is insufficiently secure.
    - Despite recent kernel versions preventing writes to cr0 and setting protected pages as writeable
      via kernel functions, bypassing these protections is as simple as writing to either cr0 or the 
      PTE directly as shown in this snippet.
2023-12-10

tmpout vol3 - article a day #14

"rain king - silent syscall hooking on arm64 linux via patching svc handler"

wintermute shows us an interesting way of hooking syscalls that isn't commonly detected!

read here: tmpout.sh/3/23.html

system call hooking on linux is quite trivial. current common techniques include:
- using the kernel ftrace api
- modifying sys_call_table to point to your own table
- modifying addresses in sys_call_table to point to your own code
- patching the syscall entries themselves

unfortunately, even userland rootkit scanners can detect the first 2 methods-
via periodically checking /proc/kallsyms or system.map.
current kernel mode rootkit scanners will easily detect all of these methods.
2023-12-09

tmpout vol3 - article a day #13

"Cramming a Tiny Program into a Tiny ELF File: A Case Study"

lm978 builds upon prior work golfing ELFs and shows how to create a functional x86-64 ELF in 77 bytes

read here: tmpout.sh/3/22.html

Cramming a Tiny Program into a Tiny ELF File:
A Case Study
~ lm978

Last fall, I was rereading Brian Raiter's article on tiny ELF programs [1], when
I decided to try the challenge myself and create the tiniest x86_64 ELF program
on Linux; I was unaware at the time of others' attempts to answer the question.
To avoid missing any edge cases that could help, I decided to work from first
principles, reading the source of the Linux kernel's ELF loader and deriving
the requirements from that. At first, after ruling out all smaller offsets of
the program header, I concluded that offset 0x18 was the smallest possible,
yielding an 80-byte program that returns 42:
