linux-re-101
============

Work in progress as I am actively collecting these.

#### Keep these handy

- Describes how syscalls work on every architecture (which registers carry the inputs, the return value and the error code) http://man7.org/linux/man-pages/man2/syscall.2.html
- "Executable and Linkable Format (ELF)" http://www.skyfree.org/linux/references/ELF_Format.pdf or http://www.muppetlabs.com/~breadbox/software/ELF.txt (I like .txt more)
- "Linux Cross Reference" http://lxr.free-electrons.com/
- "Syscall table reference" https://w3challs.com/syscalls/
- "System V ABI x86-64 Linux" https://web-beta.archive.org/web/20160801075139/http://www.x86-64.org/documentation/abi.pdf
- "MIPS documentation" http://www.linux-mips.org/pub/linux/mips/doc/ABI/
- "ELF for the ARM" http://infocenter.arm.com/help/topic/com.arm.doc.ihi0044e/IHI0044E_aaelf.pdf
- "ELF for the ARM64" http://infocenter.arm.com/help/topic/com.arm.doc.ihi0056b/IHI0056B_aaelf64.pdf
- "How to write shared libraries" by Ulrich Drepper http://www.akkadia.org/drepper/dsohowto.pdf

#### Must read

- "The 101 of ELF Binaries on Linux: Understanding and Analysis" https://linux-audit.com/elf-binaries-on-linux-understanding-and-analysis/
- ELF101 from Corkami (Ange Albertini) http://imgur.com/a/JEObT
- "How programs get run: ELF binaries" https://lwn.net/Articles/631631/
- "How statically linked programs run on Linux" http://eli.thegreenplace.net/2012/08/13/how-statically-linked-programs-run-on-linux
- "A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux" http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
- "The Definitive Guide to Linux System Calls" https://blog.packagecloud.io/eng/2016/04/05/the-definitive-guide-to-linux-system-calls/
- "LINUX ANTI-DEBUGGING TECHNIQUES (FOOLING THE DEBUGGER)" http://www.ouah.org/linux-anti-debugging.txt
- "UNIX ELF PARASITES AND VIRUS" http://ouah.org/elf-pv.txt
- "Linux on the Half-ELF" http://mammon.github.io/tales/linux_re.txt
- "Learning Linux Binary Analysis" by Ryan O'Neill
- https://www.cs.stevens.edu/~jschauma/631/elf.html
- "LD_NOT_PRELOADED_FOR_REAL" http://haxelion.eu/article/LD_NOT_PRELOADED_FOR_REAL/
- "Understanding Linux Malware" http://www.s3.eurecom.fr/docs/oakland18_cozzi.pdf (good paper!)

#### 101

- *Optional*: "Guide to x86 assembly" http://www.cs.virginia.edu/~evans/cs216/guides/x86.html
- *Optional*: "Assembly x86_64 programming for Linux" http://0xax.blogspot.sk/p/assembly-x8664-programming-for-linux.html
- *Optional*: x64 assembly http://rayseyfarth.com/asm/pdf/index.html
- *Optional*: "Step by step to MIPS assembly" http://winfred-lu.blogspot.sk/2010/06/step-by-step-to-mips-assembly.html
- *Optional*: FreeBSD Assembly Language Programming http://www.int80h.org/bsdasm/
- *Optional*: "Linux MIPS ELF reverse engineering tips" https://www.cr0.org/paper/mips.elf.external.resolution.txt
- "The dissection of a simple hello world ELF file" https://github.com/mewrev/dissection and "ELF101" http://imgur.com/a/JEObT
- https://www.cs.stevens.edu/~jschauma/631/elf.html
- "The 101 of ELF Binaries on Linux: Understanding and Analysis" http://linux-audit.com/elf-binaries-on-linux-understanding-and-analysis/
- "A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux" http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
- "The definitive guide to linux system calls" http://blog.packagecloud.io/eng/2016/04/05/the-definitive-guide-to-linux-system-calls/
- "Anatomy of a system call, part 1" http://lwn.net/Articles/604287/
- "Anatomy of a system call, part 2" http://lwn.net/SubscriberLink/604515
- "About ELF auxiliary vectors" http://articles.manugarg.com/aboutelfauxiliaryvectors.html
- "How programs get run: ELF binaries" https://lwn.net/Articles/631631/
- "Linux x86 Program Start Up" http://dbp-consulting.com/tutorials/debugging/linuxProgramStartup.html
- "How statically linked programs run on Linux" http://eli.thegreenplace.net/2012/08/13/how-statically-linked-programs-run-on-linux
- "Startup state of a Linux/i386 ELF binary" http://asm.sourceforge.net/articles/startup.html and http://dbp-consulting.com/tutorials/debugging/linuxProgramStartup.html
- "Stack frame layout on x86-64" http://eli.thegreenplace.net/2011/09/06/stack-frame-layout-on-x86-64
- "What is linux-gate.so.1?" http://www.trilithium.com/johan/2005/08/linux-gate/
- "Understanding ld-linux.so.2" http://www.cs.virginia.edu/~dww4s/articles/ld_linux.html
- "Linux process states" https://idea.popcount.org/2012-12-11-linux-process-states/

#### 201

- *Optional*: "Linkers - 20 parts" http://www.airs.com/blog/page/4?s=linkers
- "Static linking (x86) internals" http://sploitfun.blogspot.sk/2013/02/linking-with-static-library-internals.html
- "Static linking (x86_64) internals" http://sploitfun.blogspot.sk/2013/07/static-linking-x8664-internals.html
- "Dynamic linking and x86_64 internals" http://sploitfun.blogspot.sk/2013/07/dynamic-linking-x8664-internals.html
- "Dynamic linking (x86) internals" http://sploitfun.blogspot.sk/2013/06/dynamic-linking-internals.html
- "PLT and GOT - the key to code sharing and dynamic libraries" https://www.technovelty.org//linux/plt-and-got-the-key-to-code-sharing-and-dynamic-libraries.html
- "Understanding x64 code models" http://eli.thegreenplace.net/2012/01/03/understanding-the-x64-code-models/
- "Load-time relocation of shared libraries" http://eli.thegreenplace.net/2011/08/25/load-time-relocation-of-shared-libraries
- "Position Independent Code (PIC) in shared libraries" http://eli.thegreenplace.net/2011/11/03/position-independent-code-pic-in-shared-libraries/
- "Position Independent Code (PIC) in shared libraries x64" http://eli.thegreenplace.net/2011/11/11/position-independent-code-pic-in-shared-libraries-on-x64/
- "Relocations, relocations" http://www.mindfruit.co.uk/2012/06/relocations-relocations.html
- "DT_GNU_HASH" http://deroko.phearless.org/dt_gnu_hash.txt
- *Good night reading*: "Linux on the Half-ELF" http://mammon.github.io/tales/linux_re.txt

#### Packers, obfuscation, and encryption

- "Runtime binary encryption" http://phrack.org/issues/58/5.html
- "Next-Gen Runtime Binary Encryption" http://phrack.org/issues/63/13.html
- "Binary Protection Schemes" http://indra.linuxstudy.pe.kr/study/Binary%20Protection%20Schemes.pdf
- "Shiva - Advances in ELF Binary Encryption" https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-mehta/bh-us-03-mehta.pdf
- "Burneye protector" http://packetstormsecurity.com/files/30648/burneye-1.0.1-src.tar.bz2.html
- "ELF Encrypter" http://elf-encrypter.sourceforge.net/
- "midgetpack is a multiplatform secure ELF packer" https://github.com/arisada/midgetpack
- "ELF Binary Code Injection, Loader/'Decrypter'" http://www.pinkstyle.org/elfcrypt.html
- "Linux ELF Runtime Crypter" https://www.guitmz.com/linux-elf-runtime-crypter/
- "Linux Based Inter-Process Code Injection Without Ptrace(2)" https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html
- "ELF in-memory execution" https://blog.fbkcs.ru/elf-in-memory-execution/
- "Super Stealthy Droppers" https://0x00sec.org/t/super-stealthy-droppers/3715
- "Running ELF executables from memory" https://www.guitmz.com/running-elf-from-memory/
- "Detecting Linux memfd_create() Fileless Malware with Command Line Forensics" https://www.sandflysecurity.com/blog/detecting-linux-memfd_create-fileless-malware-with-command-line-forensics/
- "Using eBPF to uncover in-memory loading" https://blog.tofile.dev/2021/02/15/ebpf-01.html

#### Exploitation

- "Linux x86 Reverse Engineering - Shellcode Disassembling and XOR decryption" https://www.exploit-db.com/docs/33429.pdf
- "Shellcoding in Linux" https://www.exploit-db.com/docs/21013.pdf
- "Linux (x86) Exploit Development Series" https://sploitfun.wordpress.com/2015/06/26/linux-x86-exploit-development-tutorial-series/
- "Linux 64-bit Return Oriented Programming" https://crypto.stanford.edu/~blynn/rop/
- "Introduction to Return Oriented Programming (ROP)" https://ketansingh.net/Introduction-to-Return-Oriented-Programming-ROP/
- "Linux x64 Infection for Lamers (by a Lamer)" http://vxheaven.org/lib/vjp01.html
- "Linux Kernel ROP - Ropping your way to # (Part 1)" https://www.trustwave.com/Resources/SpiderLabs-Blog/Linux-Kernel-ROP---Ropping-your-way-to---(Part-1)/
- "Linux Kernel ROP - Ropping your way to # (Part 2)" https://www.trustwave.com/Resources/SpiderLabs-Blog/Linux-Kernel-ROP---Ropping-your-way-to---(Part-2)/
- "Practice and learning in the world of C RE and exploit analysis" https://github.com/211217613/C-Hacking
- "Modern Binary Exploitation" http://security.cs.rpi.edu/courses/binexp-spring2015/ (not strictly related to Linux)
- "Advanced exploitation on Linux: ROP and infoleaks" https://speakerdeck.com/milkmix/advanced-exploitation-on-linux-rop-and-infoleaks

#### Anti techniques

- "LINUX ANTI-DEBUGGING TECHNIQUES (FOOLING THE DEBUGGER)" http://www.ouah.org/linux-anti-debugging.txt
- "Beginners guide to basic Linux anti anti debugging techniques" http://www.stonedcoder.org/~kd/lib/14-61-1-PB.pdf
- "Kickers of ELF" http://www.muppetlabs.com/~breadbox/software/elfkickers.html
- "ELF header abuse" https://github.com/strazzere/IDAnt-wanna
- "Toolkit to detect/crash/attack GNU debugging-related tools" https://github.com/jvoisin/pangu
- "ELF: dynamic struggles" http://michalmalik.github.io/elf-dynamic-segment-struggles
- "ptrace() tutorial" http://mikecvet.wordpress.com/2010/08/14/ptrace-tutorial/
- "ptrace() on 64-bit system" http://theantway.com/2013/01/notes-for-playing-with-ptrace-on-64-bits-ubuntu-12-10/
- "Linux x86 run-time process manipulation" http://hick.org/code/skape/papers/needle.txt
- "Cheating the ELF: Subversive Dynamic Linking to Libraries" http://www.ouah.org/subversiveld.pdf
- "LD_NOT_PRELOADED_FOR_REAL" http://haxelion.eu/article/LD_NOT_PRELOADED_FOR_REAL/
- https://github.com/antire-book/dont_panic
- "gdb leaves file descriptors open in debugee" https://silviocesare.wordpress.com/2008/05/13/gdb-leaves-file-descriptors-open-in-debugee/
- "More GDB Anti-Debugging" https://xorl.wordpress.com/2009/01/05/more-gdb-anti-debugging/
- "How to detect virtualization on Linux" http://www.dmo.ca/blog/detecting-virtualization-on-linux/
- "Mechanisms to determine VMware VM" http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1009458

#### Viruses & infection techniques

- "UNIX VIRUSES" http://ouah.org/unix-viruses.txt
- "UNIX ELF PARASITES AND VIRUS" http://ouah.org/elf-pv.txt
- "Linux viruses - ELF file format" by Marius Van Oers http://www.mcafee.com/us/resources/white-papers/wp-linux-viruses-elf-file-format.pdf
- "Abusing .CTORS and .DTORS for fun 'n profit" http://vxer.org/lib/viz00.html
- "The WIT virus" http://vanilla47.com/PDFs/Viruses In Linux PDFs/The WIT Virus.pdf
- "Caveat virus" http://vxer.org/herm1t/caveat_en.html
- "Reverse of a coin: A short note on segment alignment" http://vxheavens.com/lib/vhe04.html
- "INT 0x80? No, thank you! aka Pilot" http://vxer.org/herm1t/pilot_en.html
- "Infecting ELF-files using function padding for Linux" http://vxer.org/lib/vhe00.html
- "Injected Evil (executable files infection)" http://vxheaven.org/lib/vzo08.html
- "An unofficial analysis of the Retaliation Virus (Authored by JPanic)" http://vxer.org/lib/vrn01.html or http://www.bitlackeys.org/papers/retaliation.txt
- "Skeksi virus" https://github.com/elfmaster/skeksi_virus
- "Modern Day ELF Runtime infection via GOT poisoning" http://vxheaven.org/lib/vrn00.html
- "From position-independent to self-relocatable viral code" http://vxer.org/lib/vhe08.html
- "The Cerberus ELF interface" http://phrack.org/issues/61/8.html#article
- "Malicious Code Injection via /dev/mem" http://www.blackhat.com/presentations/bh-europe-09/Lineberry/BlackHat-Europe-2009-Lineberry-code-injection-via-dev-mem.pdf
- VX Heaven collection of viruses http://vxer.org/vl.php?dir=Virus.Linux
- http://vxer.org/herm1t/
- Source code of infection techniques http://vxer.org/herm1t/examples.tar.gz by herm1t
- "PT_NOTE to PT_LOAD Injection in ELF" https://www.symbolcrash.com/2019/03/27/pt_note-to-pt_load-injection-in-elf/

#### Linux kernel, rootkits, and LKM development

- *Optional*: "A series of posts about the linux kernel and its insides." http://0xax.gitbooks.io/linux-insides/content/index.html
- *Optional*: "Kernel hacking HOWTO" http://kernelnewbies.org/New_Kernel_Hacking_HOWTO
- "Anatomy of the Linux kernel" http://www.ibm.com/developerworks/linux/library/l-linux-kernel/index.html
- "Linux process management" http://www.ibm.com/developerworks/linux/library/l-linux-process-management/index.html
- "Linux processes" http://www.cs.columbia.edu/~junfeng/10sp-w4118/lectures/l07-proc-linux.pdf
- "Kernel hacking" http://info.fs.tum.de/images/2/21/2011-01-19-kernel-hacking.pdf
- "Be a kernel hacker" http://www.linuxvoice.com/be-a-kernel-hacker/?pk_campaign=hn&pk_kwd=3
- "Day 5: I wrote a kernel module" http://jvns.ca/blog/2013/10/07/day-5-i-wrote-a-kernel-module/
- "Linux Rootkits 101" http://turbochaos.blogspot.sk/2013/09/linux-rootkits-101-1-of-3.html
- "Linux Rootkits 201" http://turbochaos.blogspot.sk/2013/10/writing-linux-rootkits-201-23.html
- "Linux Rootkits 301" http://turbochaos.blogspot.sk/2013/10/writing-linux-rootkits-301_31.html
- "Handling Interrupt Descriptor Table for fun and profit" http://www.phrack.org/issues.html?issue=59&id=4
- "Intercepting System Calls and Dispatchers – Linux" https://ruinedsec.wordpress.com/2013/04/04/modifying-system-calls-dispatching-linux/
- "Linux Kernel Rootkits" http://www.la-samhna.de/library/rootkits/index.html
- "Linux Kernel Debugging using KGDB/GDB" http://sploitfun.blogspot.sk/2013/06/linux-kernel-debugging-using-kgdbgdb.html
- "Kernel instrumentation using kprobes" http://phrack.org/issues.html?issue=67&id=6#article
- "Infecting loadable kernel modules versions 2.6.x/3.0.x" http://phrack.org/issues/68/11.html#article
- "(nearly) Complete Linux Loadable Kernel Modules" https://www.thc.org/papers/LKM_HACKING.html
- Check the README for more https://github.com/citypw/citypw-SCFE/tree/master/security/rootkit/hide_file
- "UNIX and Linux based rootkits" http://www.kernelhacking.com/rodrigo/docs/StMichael/BuntenSlides.pdf
- "Sample rootkit for linux" https://github.com/ivyl/rootkit/
- "Writing a LKM rootkit that uses LSM hooks" http://vladz.devzero.fr/015_lsm-backdoor.html
- "TCP/UDP symmetric encryption tunnel wrapper" https://github.com/chokepoint/CryptHook
- "Userland rootkit based off of the original LD_PRELOAD technique from Jynx rootkit" https://github.com/chokepoint/azazel
- "an experimental linux kernel module (rootkit) with a keylogger and built-in IRC bot" https://github.com/bones-codes/the_colonel
- "An LKM rootkit targeting Linux 2.6/3.x on x86(_64), and ARM" https://github.com/mncoppola/suterusu
- "Linux rootkit adapted for 2.6 and 3.x" https://github.com/trimpsyw/adore-ng
- https://github.com/mfontanini/Programs-Scripts/blob/master/rootkit/rootkit.c
- "Linux: Creating an entry in /proc file system (Part 1: The hello_proc pseudo file)" http://pointer-overloading.blogspot.in/2013/09/linux-creating-entry-in-proc-file.html
- Answer to "Ripping out the hidden kernel module by reading kernel memory directly?" http://stackoverflow.com/a/18464599
- "User space memory access from the Linux kernel" http://www.ibm.com/developerworks/library/l-kernel-memory-access/
- "get_user_pages example" http://krishnamohanlinux.blogspot.sk/2015/02/getuserpages-example.html
- "Horse Pill: A New Type Of Linux Rootkit" https://www.blackhat.com/docs/us-16/materials/us-16-Leibowitz-Horse-Pill-A-New-Type-Of-Linux-Rootkit.pdf
- "vlany, Linux (LD_PRELOAD) rootkit" https://github.com/mempodippy/vlany
- "Hacking the wholism of GNU/Linux net*" http://kernelnewbies.org/Networking?action=AttachFile&do=get&target=hacking_the_wholism_of_linux_net.txt
- "Linux Device Drivers" https://lwn.net/Kernel/LDD3/
- "Linux Data Structures" http://tldp.org/LDP/tlk/ds/ds.html
- "Status of the Kernel Self Protection Project" https://outflux.net/slides/2016/lss/kspp.pdf
- "The Proc Connector and Socket Filters" http://netsplit.com/the-proc-connector-and-socket-filters
- "Linux Rootkits: New Methods for Kernel 5.7+" https://xcellerator.github.io/posts/linux_rootkits_11/

#### Crackmes and challenges

- "Exercises for learning Reverse Engineering and Exploitation." https://github.com/wapiflapi/exrs
- "IOLI crackme" http://dustri.org/b/files/IOLI-crackme.tar.gz
- http://security.cs.rpi.edu/courses/binexp-spring2015/lectures/2/challenges.zip from "Modern Binary Exploitation"
- "Exercises" section in http://beginners.re/Reverse_Engineering_for_Beginners-en.pdf

#### Analyses, "hands-on", analysis techniques

- "100 GDB tips" https://github.com/hellogcc/100-gdb-tips/tree/master/src
- "Defeating IOLI with Radare2" http://dustri.org/b/defeating-ioli-with-radare2.html
- "Using radare2 to pwn things" http://radare.today/using-radare2/
- "Pwning With Radare2" http://crowell.github.io/blog/2014/11/23/pwning-with-radare2/
- "At Gunpoint Hacklu 2014 With Radare2" http://crowell.github.io/blog/2014/11/23/at-gunpoint-hacklu-2014-with-radare2/
- "manual binary mangling with radare" http://phrack.org/issues/66/14.html#article
- "Analysis of an unknown binary, for the HoneyNet Reverse Challenge" http://old.honeynet.org/reverse/results/sol/sol-06/analysis.html
- "Reversing GO binaries like a pro" http://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/
- "Reversing Golang" https://2016.zeronights.ru/wp-content/uploads/2016/12/GO_Zaytsev.pdf
- "Reversing Linux Malware" https://github.com/radareorg/r2con/blob/master/2016/talks/11-ReversingLinuxMalware/r2con_SergiMartinez_ReversingLinuxMalware.pdf (includes Golang reversing with radare2)
- https://samsymons.com/blog/reverse-engineering-with-radare2-part-1/
- "Reverse Engineering With Radare2 – Part 2" https://insinuator.net/2016/08/reverse-engineering-with-radare2-part-2/
- "Reverse Engineering With Radare2 – Part 3" https://insinuator.net/2016/10/reverse-engineering-with-radare2-part-3/
- "Reverse Engineering Ebpfkit Rootkit With BlackBerry's Enhanced IDA Processor Tool" https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool

#### Research and development

- "Understanding Linux Malware" http://www.s3.eurecom.fr/docs/oakland18_cozzi.pdf (good paper!)
- binary samples for testing https://github.com/JonathanSalwan
- "ELF Eccentricities - Julian Bangert, Sergey Bratus" https://www.youtube.com/watch?v=4LU6N6THh2U
- "ELF-Miner: Using structural knowledge and data mining methods to detect new (Linux) malicious executables" http://www.genetic-programming.org/hc2011/05-Farooq/Farooq-Paper.pdf
- "Fuzzing the ELF file format with Melkor" https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Hernandez-Melkor-Slides.pdf
- http://www.bitlackeys.org (all of it)
- "Effective file format fuzzing" https://www.blackhat.com/docs/eu-16/materials/eu-16-Jurczyk-Effective-File-Format-Fuzzing-Thoughts-Techniques-And-Results.pdf (not related to Linux directly, but it's pretty great)
- "Linux kernel sanitizers and syscall fuzzer" https://www.linuxplumbersconf.org/2016/ocw//system/presentations/3471/original/Sanitizers.pdf
- "ElfParser blog" http://www.blog.elfparser.com/
- "ELF vs. Mach-O" http://timetobleed.com/dynamic-linking-elf-vs-mach-o/
- "ELF vs. Mach-O 2" http://timetobleed.com/dynamic-symbol-table-duel-elf-vs-mach-o-round-2/
- "Where did the fork go?" http://thorstenball.com/blog/2014/06/13/where-did-fork-go/
- "Playing with ptrace, part II" http://www.linuxjournal.com/article/6210
- "Write Yourself an Strace in 70 Lines of Code" https://blog.nelhage.com/2010/08/write-yourself-an-strace-in-70-lines-of-code/
- "Writing a Linux Debugger Part 1: Setup" http://blog.tartanllama.xyz/c++/2017/03/21/writing-a-linux-debugger-setup/
- "Writing a Linux Debugger Part 2: Breakpoints" http://blog.tartanllama.xyz/c++/2017/03/24/writing-a-linux-debugger-breakpoints/
- "Writing a Linux Debugger Part 3: Registers and memory" http://blog.tartanllama.xyz/c++/2017/03/31/writing-a-linux-debugger-registers/
- "Writing a Linux Debugger Part 4: Elves and dwarves" http://blog.tartanllama.xyz/c++/2017/04/05/writing-a-linux-debugger-elf-dwarf/
- "How to write a rootkit without really trying" https://blog.trailofbits.com/2019/01/17/how-to-write-a-rootkit-without-really-trying/

#### Tools

- "Quickly determine the capabilities of an ELF binary through static analysis" http://elfparser.com/
- "LIEF (Library to Instrument Executable Formats)" https://lief.quarkslab.com/
- "[shmcat] Dumps the contents of a SysV shared memory segment" https://github.com/niklata/shmcat
- "ld-linux code injector" https://github.com/sduverger/ld-shatner
- "Measuring Linux at Runtime" http://www.unixist.com/security/measuring-linux-at-runtime/index.html coupled with https://github.com/unixist/camb
- "Linux Rootkit Scanner" https://github.com/dgoulet/kjackal
- "tool to locally check for signs of a rootkit" http://www.chkrootkit.org/
- "a Unix-based tool that scans for rootkits, backdoors and possible local exploits" http://rkhunter.sourceforge.net/
- "MoVP 1.5 KBeast Rootkit, Detecting Hidden Modules, and sysfs" http://volatility-labs.blogspot.sk/2012/09/movp-15-kbeast-rootkit-detecting-hidden.html
- https://github.com/detuxsandbox/detux

#### Other

- "Building a concrete alternative to IDA - Radare2 to the rescue!" https://recon.cx/2015/slides/recon2015-04-jeffrey-crowell-julien-voisin-Radare2-building-a-new-IDA.pdf
- "Introduction to Reverse Engineering Software in Linux" http://ouah.org/RevEng/
- "Radare2 book" http://radare.gitbooks.io/radare2book/content/
- "Intro to Radare2" http://rada.re/get/condret-r2talk.pdf
- "Radare2 baby steps" http://maijin.fr/slides.pdf
- "Radare A to Z" http://radare.org/get/RadareAZ-NN2015.pdf
- https://github.com/citypw/citypw-SCFE/tree/master/security
- http://mammon.github.io/
- https://code.google.com/p/corkami/downloads/list & https://code.google.com/p/corkami/source/browse/#svn/trunk/wip/elf
- https://github.com/jbangert/mithril
- http://0x90909090.blogspot.fr/2015/07/no-one-expect-command-execution.html
- "Emulating Linux MIPS in Perl" http://schplog.schmorp.de/2015-06-08-emulating-linux-mips-in-perl-1.html
- "Crypto 101" https://www.crypto101.io/
- "REMnux 6" https://zeltser.com/remnux-v6-release-for-malware-analysis/
- https://people.debian.org/~aurel32/qemu/
- "Why is the ELF execution entry point virtual address of the form 0x80xxxxx and not zero 0x0?" http://stackoverflow.com/questions/2187484/why-is-the-elf-execution-entry-point-virtual-address-of-the-form-0x80xxxxx-and-n
- "Why do virtual memory addresses for linux binaries start at 0x8048000?" http://stackoverflow.com/questions/2966426/why-do-virtual-memory-addresses-for-linux-binaries-start-at-0x8048000
- "Playing with Process Memory Integrity on Linux" https://redcanary.com/blog/process-memory-integrity-linux/

#### Books

- "Malware Forensics Field Guide for Linux Systems" by Cameron H. Malin, Eoghan Casey, James M. Aquilina
- "Linux (Bezpečnosť a exploity)" by Miroslav Dobšíček and Radim Ballner
- "Hacking: The Art of Exploitation" by Jon Erickson
- "The Shellcoder's Handbook: Discovering and Exploiting Security Holes" by Chris Anley, John Heasman, Felix Lindner
- "The Linux Programming Interface" by Michael Kerrisk
- "Learning Linux Binary Analysis" by Ryan O'Neill
- "Practical Binary Analysis: Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly" by Dennis Andriesse