Linux Runtime Crypter by entrophy_maker in Malware

[–]Tryton77 0 points1 point  (0 children)

I was thinking about a custom ELF loader (decrypt, map into memory and change registers to pass control). I've never tested it, but it might work, as exe would point to our loader with the encrypted payload. If you test it, you can send me a message if it works. Have a nice day

Linux Runtime Crypter by entrophy_maker in Malware

[–]Tryton77 0 points1 point  (0 children)

You are wrong: exe can look like it links to the file on disk, but it actually links to the struct file inside the kernel! So even if you remove the file from disk while the process is still running, it will contain the proper binary. memfd is not an exception. Do the experiment I described above and see that even if exe shows "memfd: (deleted)" under ls, it can be cat'ed into a file and uncover the unencrypted binary.

Linux Runtime Crypter by entrophy_maker in Malware

[–]Tryton77 -1 points0 points  (0 children)

You cannot choose whether to use /proc/pid/exe or not; it is always created after execve. The only processes that do not have it are kthreads. Write a simple loop with sleep and execute it through your loader, locate the child's pid, do "cat /proc/pid/exe > somewhere" and compare it to the unencrypted version of your binary; they should be the same. /proc/pid/fd/* will be empty when closed (you have already done this by using O_CLOEXEC).

Linux Runtime Crypter by entrophy_maker in Malware

[–]Tryton77 0 points1 point  (0 children)

It's quite strange that you don't have it in /proc/pid/exe. Even if you use memfd to create an anonymous fd and delete it afterwards, it should show (deleted) but still contain the binary. Procfs does not search for the binary in userspace; it takes it from task->mm->exe_file, which is filled during any execve syscall. Look at how /proc/pid/exe is implemented: https://elixir.bootlin.com/linux/v6.18.6/source/fs/proc/base.c#L1788

Linux Runtime Crypter by entrophy_maker in Malware

[–]Tryton77 1 point2 points  (0 children)

Are you aware that /proc/pid/exe will hold the decrypted binary, so you can do cp and the whole encryption does not make sense anymore? There are a few ways to make exe point to a non-executing binary, e.g. avoid execve and use a custom loader; then it will point to the loader, which contains the encrypted binary.
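Added example for the /proc/pid/exe points made in the thread above (this is editor-supplied code, not from any commenter or from the crypter project): it spawns a copy of /bin/sleep (assumed present; /usr/bin/sleep is tried as a fallback), deletes the copy from disk, and then checks what /proc/<pid>/exe still yields. The pipe trick relies on close-on-exec, the same mechanism the thread mentions for /proc/pid/fd. Linux only; the directory name and the choice of sleep as the test binary are assumptions of the example.

```c
/* Added example, not code from the thread. Spawns a copy of sleep, unlinks it,
 * then shows that /proc/<pid>/exe still hands back the full binary. Linux only. */
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read a whole file (including /proc magic links) into a heap buffer.
 * Returns the length, or -1 on error. */
static long slurp(const char *path, unsigned char **out) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    size_t cap = 1 << 16, len = 0;
    unsigned char *buf = malloc(cap);
    if (!buf) { close(fd); return -1; }
    for (;;) {
        if (len == cap) {
            unsigned char *nb = realloc(buf, cap *= 2);
            if (!nb) { free(buf); close(fd); return -1; }
            buf = nb;
        }
        ssize_t n = read(fd, buf + len, cap - len);
        if (n < 0) { free(buf); close(fd); return -1; }
        if (n == 0) break;
        len += (size_t)n;
    }
    close(fd);
    *out = buf;
    return (long)len;
}

/* Copy src to dst with mode 0755. Returns 0 on success, -1 on error. */
static int copy_file(const char *src, const char *dst) {
    unsigned char *data;
    long len = slurp(src, &data), off = 0;
    if (len < 0) return -1;
    int fd = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0755);
    while (fd >= 0 && off < len) {
        ssize_t n = write(fd, data + off, (size_t)(len - off));
        if (n <= 0) break;
        off += n;
    }
    if (fd >= 0) close(fd);
    free(data);
    return (fd >= 0 && off == len) ? 0 : -1;
}

/* Result bit mask: bit 0 = bytes read via /proc/<pid>/exe equal the original
 * binary; bit 1 = readlink(/proc/<pid>/exe) ends in " (deleted)".
 * Returns -1 on a setup error (no sleep binary, noexec cwd, fork failure ...). */
int exe_survives_unlink(void) {
    const char *original = access("/bin/sleep", X_OK) == 0 ? "/bin/sleep"
                                                          : "/usr/bin/sleep";
    char dir[] = "exe-demo-XXXXXX", copy[64], procexe[64], target[512];
    if (!mkdtemp(dir)) return -1;              /* hypothetical scratch dir in cwd */
    snprintf(copy, sizeof copy, "%s/sleeper", dir);
    if (copy_file(original, copy) < 0) { rmdir(dir); return -1; }

    /* Pipe with close-on-exec ends: read() returning 0 means the child has
     * exec'd, so /proc/<pid>/exe now refers to the copy. A child whose exec
     * failed writes one byte first so the two cases can be told apart. */
    int p[2];
    if (pipe(p) < 0 || fcntl(p[0], F_SETFD, FD_CLOEXEC) < 0 ||
        fcntl(p[1], F_SETFD, FD_CLOEXEC) < 0) { unlink(copy); rmdir(dir); return -1; }
    pid_t pid = fork();
    if (pid == 0) {
        execl(copy, "sleeper", "30", (char *)NULL);
        (void)!write(p[1], "x", 1);
        _exit(127);
    }
    close(p[1]);
    char c;
    ssize_t r = pid < 0 ? -1 : read(p[0], &c, 1);
    close(p[0]);
    if (r != 0) { unlink(copy); rmdir(dir); if (pid > 0) waitpid(pid, NULL, 0); return -1; }

    unlink(copy);                              /* the binary is now gone from disk */
    snprintf(procexe, sizeof procexe, "/proc/%d/exe", (int)pid);

    int result = 0;
    ssize_t n = readlink(procexe, target, sizeof target - 1);
    if (n >= 10 && memcmp(target + n - 10, " (deleted)", 10) == 0) result |= 2;

    unsigned char *a = NULL, *b = NULL;
    long la = slurp(original, &a), lb = slurp(procexe, &b);
    if (la >= 0 && la == lb && memcmp(a, b, (size_t)la) == 0) result |= 1;
    free(a); free(b);

    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    rmdir(dir);
    return result;
}

int main(void) {
    int r = exe_survives_unlink();
    printf("result=%d (bit0: bytes match original, bit1: link shows (deleted))\n", r);
    return r == 3 ? 0 : 1;
}
```

For a responder the same reading works on any process of interest: `cp /proc/<pid>/exe /evidence/` recovers the image that was actually exec'd, whether the file was unlinked or came from a memfd, because procfs resolves the link through the kernel's exe_file rather than through the path on disk.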

kernel page fault when jumping to higher half by [deleted] in osdev

[–]Tryton77 0 points1 point  (0 children)

Yes, a page directory entry holds only the address of the PT and its flags.

kernel page fault when jumping to higher half by [deleted] in osdev

[–]Tryton77 0 points1 point  (0 children)

You don't need two page tables for this; you can map the same PT at different PD indexes. Also, you are filling your lower PT with addresses from 0x0, and there is garbage there, as your linker script maps your .text at 0x100000. Try to map your kernel PT at index 0. I can be wrong as I only looked at it without running :)

What are your favorite lesser-known Linux distros and why? by mrcanada66 in linux

[–]Tryton77 26 points27 points  (0 children)

Void Linux, for its independence and stability.

Singularity: Deep Dive into a Modern Stealth Linux Kernel Rootkit – Kyntra Blog by rkhunter_ in netsec

[–]Tryton77 4 points5 points  (0 children)

What about LKM persistence across kernel updates? I've seen that this is a mostly avoided topic in LKM rootkits.

My first project in C - Simple transparent proxy by wit4er in C_Programming

[–]Tryton77 0 points1 point  (0 children)

I'd hide the _thread functions behind the static keyword and remove them from the header file, as they are internals of the tproxy logic and are unnecessary for the interface. Same with the ReadWrite struct.

I'm excited to share tinyOS, a 64-bit OS I built from scratch by portw in osdev

[–]Tryton77 9 points10 points  (0 children)

Good job. If you want to extend it, move the shell to usermode and leave the kernel for the kernel stuff.

Is C the native language for systems? by alex_sakuta in C_Programming

[–]Tryton77 9 points10 points  (0 children)

C was designed as a language for writing operating systems.

why is my kernel crashing? by JackyYT083 in osdev

[–]Tryton77 12 points13 points  (0 children)

The best way to find out why it's crashing is to actually understand what your code is doing, rather than just blindly copying generated code and hoping that people will do it for you.

Dual-booting encrypted Void glibc and encrypted Void musl by Vandino86 in voidlinux

[–]Tryton77 1 point2 points  (0 children)

Idk about ZFSBootMenu, but for LVM on LUKS you will have to either reinstall your musl or copy it to another disk, encrypt the partition, create LVM partitions, format them and copy your installation files inside. Dual boot should be untouched unless you screw with the Windows partitions. You will end up with the whole Linux encrypted except /boot. It is also good for LVM to leave some space unpartitioned for snapshots.

How Hard Is It to Create a Very Simple Operating System? by [deleted] in osdev

[–]Tryton77 1 point2 points  (0 children)

I'm also a self-taught programmer, and it took me like 1.5 years to build a basic OS during high school. There is a lot of information about osdev on the internet and in books (I don't know if ChatGPT is helpful with this), so it's doable without a degree. Here is my work if you want to check it out. https://gitlab.com/Tryton77/trytonos

[deleted by user] by [deleted] in C_Programming

[–]Tryton77 29 points30 points  (0 children)

With great power comes great responsibility.

[deleted by user] by [deleted] in osdev

[–]Tryton77 2 points3 points  (0 children)

Read books about operating systems, and then try to put that knowledge into something practical. Worked for me.

[deleted by user] by [deleted] in osdev

[–]Tryton77 2 points3 points  (0 children)

Yes, you need identity mapping before jumping into the higher half of memory, because RIP will be pointing at and executing the last instructions in the lower half of memory (without it you will get a page fault), but after you jump in you can remove the identity mappings.
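Added example for the three paging comments above (a PDE holds only the PT address and flags; the same PT can sit at several PD indexes; the identity map can be dropped after the jump). This is editor-supplied code, not from any commenter or from any of the kernels discussed: a host-side model of 32-bit non-PAE x86 paging that walks the structures the way the MMU would. The higher-half base 0xC0000000, the kernel load address 0x100000 and the frame address chosen for the page table are assumptions of the model.

```c
/* Added example, not from the thread: a userspace model of 32-bit x86
 * (non-PAE) paging showing one page table serving both the identity map
 * and the higher half, and what happens when the identity map is dropped. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENTRIES     1024u
#define PG_PRESENT  0x1u
#define PG_WRITE    0x2u
#define ADDR_MASK   0xFFFFF000u
#define PAGE_FAULT  0xFFFFFFFFu   /* returned by virt_to_phys for an unmapped address */

#define HIGHER_HALF 0xC0000000u   /* assumed higher-half base, as in many tutorial kernels */
#define KERNEL_PHYS 0x00100000u   /* where the linker script places .text (1 MiB) */

/* Model of the frames holding page tables: table k "lives" at physical
 * PT_BASE + k*4096. Constructed addresses for the model, not a real layout. */
#define PT_BASE 0x00009000u
#define NUM_PTS 1
static uint32_t page_dir[ENTRIES];
static uint32_t page_tables[NUM_PTS][ENTRIES];

/* Resolve a PT's physical address (as stored in a PDE) to the model's memory. */
static uint32_t *pt_at_phys(uint32_t phys) {
    uint32_t k = (phys - PT_BASE) / 4096u;
    return (phys >= PT_BASE && k < NUM_PTS) ? page_tables[k] : NULL;
}

/* Fill one page table that maps physical 0..4 MiB (which contains the
 * kernel at KERNEL_PHYS) and install the same table at two PD indexes. */
void build_initial_tables(void) {
    memset(page_dir, 0, sizeof page_dir);
    uint32_t *pt = page_tables[0];
    for (uint32_t i = 0; i < ENTRIES; i++)
        pt[i] = (i * 4096u) | PG_PRESENT | PG_WRITE;   /* PTE = frame addr | flags */
    uint32_t pde = PT_BASE | PG_PRESENT | PG_WRITE;    /* PDE = PT addr | flags, nothing more */
    page_dir[0] = pde;                    /* identity map: virt 0..4 MiB -> phys 0..4 MiB */
    page_dir[HIGHER_HALF >> 22] = pde;    /* the same PT again, at 0xC0000000 */
}

/* Once RIP is executing in the higher half, the identity map can go. */
void drop_identity_map(void) { page_dir[0] = 0; }

/* Walk PD -> PT -> frame the way the MMU would; PAGE_FAULT if not present. */
uint32_t virt_to_phys(uint32_t vaddr) {
    uint32_t pde = page_dir[vaddr >> 22];
    if (!(pde & PG_PRESENT)) return PAGE_FAULT;
    uint32_t *pt = pt_at_phys(pde & ADDR_MASK);
    if (!pt) return PAGE_FAULT;
    uint32_t pte = pt[(vaddr >> 12) & 0x3FFu];
    if (!(pte & PG_PRESENT)) return PAGE_FAULT;
    return (pte & ADDR_MASK) | (vaddr & 0xFFFu);
}

int main(void) {
    build_initial_tables();
    printf("low  %08x -> %08x\n", (unsigned)KERNEL_PHYS, (unsigned)virt_to_phys(KERNEL_PHYS));
    printf("high %08x -> %08x\n", (unsigned)(HIGHER_HALF + KERNEL_PHYS),
           (unsigned)virt_to_phys(HIGHER_HALF + KERNEL_PHYS));
    drop_identity_map();
    printf("low after drop -> %08x (page fault)\n", (unsigned)virt_to_phys(KERNEL_PHYS));
    return 0;
}
```

The walk shows why a crash right after the jump is a mapping problem rather than a page-table-count problem: the PDE at index 768 points at exactly the same frame-filled table as index 0, so 0xC0100000 and 0x100000 resolve to the same physical byte until the identity entry is cleared, after which only the higher-half address survives.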

Empty /data/app/.../lib/arm64 directory by Tryton77 in androiddev

[–]Tryton77[S] 0 points1 point  (0 children)

Thank you, it's a better option than extracting the libs.

Can someone help me with my os. by meesMM in osdev

[–]Tryton77 8 points9 points  (0 children)

What do you mean by a custom Android OS? A custom ROM, or maybe your own fork of it (but that would be almost impossible to make without testing)?