Click here to register.


Ryan "ElfMaster" O'Neill


24-25 June 2019


20 Seats


2300$ CAD before May 1,
2700$ CAD after.

A 2 day instructor led workshop by the ElfMaster, that navigates the participants through the most fascinating and arcane facets of the ELF binary format. This includes but is not limited to ELF internals, relocation's, dynamic linking, virus infection, anti-forensics, process memory analysis, binary forensics, exploitation, ELF binary mitigation, binary anti-tamper schemes, and more. Why become an ELF expert? It has quickly become the most ubiquitous binary format used today; From Linux, *BSD and other UNIX-like OS's, to the ever more popular IOT devices which often run Linux. To specialize in ELF is to specialize in understanding the depths of program execution and process memory layout, which are key knowledge to creating new security technologies and for advancing the state of reverse engineering and forensics reconstruction.

This workshop takes a sophisticated and sometimes difficult and dry subject, and transforms it into an exciting and motivating experience that delivers something priceless to the reverse engineers, software engineers, and security enthusiasts who attend. You will learn the knowledge to fill in those final gaps that serve as the bridge to new research and progress for each attendee. Whether you are a software engineer who is writing an ELF linker or loader, or a reverse engineer who wants to gain more experience with the ELF format and state of the art forensics reconstruction techniques, this class is for you.

This workshop is very dynamic in it's delivery and comes with a Linux VM environment that contains many custom tools and source code-- combining 2 days of hands-on training with 14 lab exercises. All participants will be given a 100 page book that includes all of the information covered in the workshop. This book will include the solutions to all of the lab exercises, and serves as an excellent reference moving forward after the workshop. This workshop has continually evolved since its conception in 2013. It has been well vetted and has been taught to multiple Government parties, Corporations, and private parties.

Class Outline

Day 1

  • Setup VirtualMachines
  • Discuss color-coding in the book that is included
  • ELF File types
    • Deep dive discussion
    • Exercise 01: Identify program initialization code
  • ELF Program headers
    • Deep dive discussion
    • Exercise 02: Static and dynamic analysis of a text-infected binary
  • ELF Section headers
    • Deep dive discussion
    • Exercise 03: Section header analysis of ET_REL vs. ET_EXEC's with readelf
    • Exercise 04: Design a parser to print the section header table, and program headers
    • Exercise 05: Add custom section headers to ELF objects
    • Exercise 06: String table randomization for section header obfuscation
  • ELF Symbols
    • Deep dive discussion
    • Exercise 07: String table randomization for .symtab obfuscation
    • Exercise 08: Dynamic string table (.dynstr) stripping and obfuscation techniques
  • ELF Relocations
    • Deep dive discussion
    • Exercise 09: Relocatable code injection (ET_REL) into executables (ET_EXEC)
    • Exercise 10: Using GDB to inject relocatable code into process memory (hot-patching)

Day 2

  • ELF Dynamic linking
    • Deep dive discussion
    • Related lab exercises for this topic are explored a bit later on in the workshop.
  • PTRACE(2) and Memory
    • Deep dive discussion
    • Exercise 11: Reconstruct a process image back into an executable
    • Exercise 12: Shared library redirection (PLT/GOT hooks) with GDB
    • Extracting secrets from dumps
  • Linux anti-debugging techniques
    • Deep dive discussion
    • Exercise 13: Defeat crackme serial number program
  • ELF Virus/Malware and Anti-Virus
    • Deep dive discussion
    • Exercise 14: Detecting PLT/GOT poisoning in binaries
    • Exercise 15: Reversing, experimenting and disinfecting a text-segment-padding virus.
  • ELF Software protection
    • Deep dive discussion
    • >
    • Exercise 16: Unpack a UPX protected file with Quenya
    • >Exercise 17: Attempt to reverse engineer a Maya's Veil protected binary

Attendee will receive

1. An OVA file for a 32bit Linux virtual machine containing all of the tools, labs, and source code used in the workshop.

2. A hard-copy 100 page book that covers in-depth every aspect of the workshop material including all of the labs, and their solutions. This book is designed specifically to bring the reader up to speed quickly on ELF internals, Malware infection, Forensics reconstruction tricks, etc.

3. A virtual copy of the slide deck.



  • A working knowledge of the Linux command line
  • Some experience with C and x86 assembly is very helpful
  • Debugging skills with GDB, and common binutils such as readelf, objdump and objcopy will be used often.

Minimum Software to install:

A laptop with the ability to import an OVA file into a VM environment such as VMware, Virtualbox, or Fusion. The entire workshop environment will be within a 32bit Linux VM that contains all of the necessary components, software, and documentation.


The class is taught by Ryan "ElfMaster" O'Neill. Ryan is a prolific researcher who has produced many papers, and technologies related to binary protection, memory forensics, binary forensics, security mitigations, virus design, virus disinfection etc. Ryan is the author of the book "Learning Linux Binary Analysis" and has been published in various journals and hacker zines, including phrack, vxheaven, and POC||GTFO. Ryan has published much of his independent research on, and more recently to date Ryan is currently working as a senior researcher and consultant at Leviathan Security Group.


Click here to register.