Drow is a command-line utility that is used to inject code and hook the entrypoint of ELF executables (post-build). It takes unmodified ELF executables as input and exports a modified ELF containing an embedded user-supplied payload that executes at runtime.
sh_size and program header’s p_memsz/p_filesz by the size of the user-supplied payloadsh_offset‘s and program headers’ p_offset‘s (move down sections and segments to make room for the payload and a small “stager stub”)e_shoff, e_phoff, etc..)e_entry (ELF entrypoint offset) to point to the injected codeIn addition to injecting the user-supplied payload, drow injects a small code stub that is prepended to the beginning of the payload. This stub is designed to call into the payload. If the payload is written to return to the caller, after the payload returns the stager then tailcalls into _start, restoring execution so the program can run as intended.
Building
Install gcc and scons. Then run scons from the root of the directory.
Other Information
In addition to building drow, this project also builds a Linux x86-64 payload named rappers_delight.bin that simply prints to stdout. This can be used for testing. Currently, drow only works with ELF64 files targetting x86-64.
Other Work
There has been a lot of open source work done in this domain. I encourage you to also check out the following projects and associated publications:
Journalists use OSINT to verify public information before publishing. In 2026, misinformation, AI-generated images, fake…
Docker is an open-source platform that lets you package and run applications inside containers. Each container…
PostgreSQL (often called Postgres) is an open-source relational database system. It supports advanced features like JSON…
Xrdp is an open-source server that lets you connect to your Ubuntu machine from another computer…
Apache Tomcat is an open-source web server and Java servlet container. It is one of the…
Keeping your Ubuntu system updated is one of the best ways to protect it. Security…