Thursday, 18 April 2019

FireELF - Fileless Linux Malware Framework

fireELF is an open-source fileless Linux malware framework that is cross-platform and allows users to easily create and manage payloads.

By default it comes with 'memfd_create', a new way to run Linux ELF executables completely from memory, without the binary ever touching the hard drive.
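A defender-side check for the technique just described, added here as an example and not part of fireELF: on Linux, a process that was executed from a memfd has its /proc/<pid>/exe link pointing at '/memfd:<name> (deleted)' (the name is whatever was passed to memfd_create(2) and may be empty), and memfd-backed regions show the same path in /proc/<pid>/maps. The script below parses both forms and walks /proc to list running processes whose main executable is a memfd. The sample maps text is constructed for the example.

```python
"""Triage check for memfd-backed executables, the technique used by
fireELF's default 'memfd_create' payload.  Added example, not project code."""
import os
import re
from typing import List, NamedTuple, Optional

# /proc/<pid>/exe of a memfd-executed process reads "/memfd:<name> (deleted)".
MEMFD_RE = re.compile(r"^/memfd:(?P<name>[^ ]*)(?: \(deleted\))?$")

# Constructed sample of /proc/<pid>/maps output: one memfd-backed text
# segment, one ordinary file mapping, one anonymous mapping.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 00:05 12345                  /memfd:stage (deleted)
7f3c1a000000-7f3c1a1c5000 r-xp 00000000 08:01 262275         /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd5b2e0000-7ffd5b301000 rw-p 00000000 00:00 0              [stack]
"""


class Finding(NamedTuple):
    pid: int
    comm: str
    target: str


def memfd_name(link_target: str) -> Optional[str]:
    """Return the memfd name if link_target points at a memfd, else None."""
    m = MEMFD_RE.match(link_target)
    return m.group("name") if m else None


def memfd_mappings(maps_text: str) -> List[str]:
    """Distinct memfd paths found in the text of a /proc/<pid>/maps file."""
    found: List[str] = []
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode [pathname]; the pathname
        # may contain spaces (" (deleted)"), so split at most five times.
        parts = line.split(maxsplit=5)
        if len(parts) == 6 and memfd_name(parts[5]) is not None:
            if parts[5] not in found:
                found.append(parts[5])
    return found


def scan_proc(proc_root: str = "/proc") -> List[Finding]:
    """Report processes whose main executable (the exe link) is a memfd.

    Reading another user's exe link needs ptrace access, so run as root
    for full coverage; processes that vanish mid-scan are skipped."""
    findings: List[Finding] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
            with open(os.path.join(pid_dir, "comm")) as fh:
                comm = fh.read().strip()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue
        if memfd_name(target) is not None:
            findings.append(Finding(int(entry), comm, target))
    return findings


if __name__ == "__main__":
    print("memfd mappings in constructed sample:", memfd_mappings(SAMPLE_MAPS))
    for f in scan_proc():
        print(f"pid={f.pid} comm={f.comm} exe={f.target}")
```

An exe link that resolves to a memfd is a strong triage signal, since ordinary software is started from a path on disk. A memfd mapping on its own is weaker: memfds are also used legitimately as anonymous shared memory (graphics stacks and some runtimes), so treat those hits as context for the exe check rather than as a verdict.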
Creating a Payload
By default fireELF comes with 'memfd_create', but users can develop their own payloads. Payloads are stored in payloads/ by default, and to create a valid payload you simply need to include a dictionary named 'desc' with the parameters 'name', 'description', 'archs', and 'python_vers'. An example desc dictionary is below:

desc = {"name" : "test payload", "description" : "new memory injection or fileless elf payload", "archs" : "all", "python_vers" : ">2.5"}

In addition to the 'desc' dictionary, the plugin engine I built requires an entry point: a main function that automatically gets passed two parameters. The first is a boolean that, when true, means the second parameter is a URL; the second parameter is the data (the URL or the payload itself).

An example of a simple entry point is below:

def main(is_url, url_or_payload):
    # is_url: True when url_or_payload is a URL to fetch,
    #         False when url_or_payload is the payload data itself
    return
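To make the plugin contract above concrete, here is a small validator, added as an example and not fireELF's own plugin engine: it checks that a module exposes a 'desc' dictionary with the four required string keys, that 'python_vers' is satisfied by the running interpreter, and that 'main' takes exactly two parameters. The grammar accepted for 'python_vers' is an assumption (a comparison operator followed by a dotted version, matching the ">2.5" form shown above); the example desc is the one from the post.

```python
"""Validator for the payload plugin contract: a module with a 'desc' dict and
a main(is_url, url_or_payload) entry point.  Added example, not project code."""
import importlib.util
import inspect
import operator
import re
import sys
from typing import Callable, List, Optional, Tuple

REQUIRED_KEYS = ("name", "description", "archs", "python_vers")

# desc dictionary exactly as given in the post.
EXAMPLE_DESC = {"name": "test payload",
                "description": "new memory injection or fileless elf payload",
                "archs": "all",
                "python_vers": ">2.5"}

# Assumed constraint grammar: one operator and a dotted version, e.g. ">2.5".
_SPEC_RE = re.compile(r"^\s*(<=|>=|==|<|>)\s*(\d+(?:\.\d+)*)\s*$")
_OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
        ">=": operator.ge, ">": operator.gt}


def version_satisfied(spec: str,
                      version: Tuple[int, ...] = tuple(sys.version_info[:3])) -> bool:
    """True if the interpreter version meets the python_vers constraint."""
    m = _SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported python_vers spec: {spec!r}")
    op, wanted = m.groups()
    wanted_t = tuple(int(p) for p in wanted.split("."))
    # Compare only as many components as the spec names, so ">2.5" is
    # judged against (3, 8) rather than (3, 8, 10).
    return _OPS[op](tuple(version[:len(wanted_t)]), wanted_t)


def validate_desc(desc: object) -> List[str]:
    """Return the list of problems with a desc dict; empty means acceptable."""
    if not isinstance(desc, dict):
        return ["desc is not a dict"]
    problems: List[str] = []
    for key in REQUIRED_KEYS:
        if key not in desc:
            problems.append(f"missing key {key!r}")
        elif not isinstance(desc[key], str) or not desc[key]:
            problems.append(f"key {key!r} must be a non-empty string")
    pv = desc.get("python_vers")
    if isinstance(pv, str) and pv:
        try:
            if not version_satisfied(pv):
                problems.append(f"python_vers {pv!r} is not satisfied by this interpreter")
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def validate_entry_point(main: Optional[Callable]) -> List[str]:
    """Check that main exists and accepts the two positional parameters."""
    if not callable(main):
        return ["main is missing or not callable"]
    params = inspect.signature(main).parameters
    if len(params) != 2:
        return [f"main must take exactly two parameters, found {len(params)}"]
    return []


def load_plugin(path: str):
    """Import a payload module from path and validate it; raise on problems.

    Importing executes the module's top level, so the validation happens
    after that code has already run."""
    spec = importlib.util.spec_from_file_location("payload_plugin", path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    problems = validate_desc(getattr(module, "desc", None))
    problems += validate_entry_point(getattr(module, "main", None))
    if problems:
        raise ValueError("; ".join(problems))
    return module


if __name__ == "__main__":
    print("example desc problems:", validate_desc(EXAMPLE_DESC))
    print("stub entry point problems:",
          validate_entry_point(lambda is_url, url_or_payload: None))
```

Running the module validates the post's own example desc and the stub entry point; to check a real plugin file, call load_plugin with its path and catch the ValueError.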
Installation
Download the dependencies by running:

pip3 install -U -r dep.txt

fireELF is developed in Python 3.x.x

Usage
usage: main.py [-h] [-s] [-p PAYLOAD_NAME] [-w PAYLOAD_FILENAME]
               (-u PAYLOAD_URL | -e EXECUTABLE_PATH)

fireELF, Linux Fileless Malware Generator

Download fireELF
