Santa is an in-memory ELF loader that implements userland execve functionality. It can load and execute ELF binaries directly from memory without writing them to disk, making it useful for security research, sandboxing, and dynamic analysis.

• Load ELF binaries from files, stdin, or remote URLs
• Execute binaries entirely in memory (userland execve)
• Debug support with jump delays and stack inspection
• Cross-platform compatibility
• Zero disk footprint execution

Clone the repository:

git clone https://github.com/username/santa.git
cd santa

For development and debugging:

cargo build

The debug binary will be located at target/debug/santa.

For optimized performance:

cargo build --release

The release binary will be located at target/release/santa.

To install santa to your system PATH:

cargo install --path .

Or install directly from GitHub:

cargo install --git https://github.com/username/santa.git

In-memory ELF loader (userland execve)

Usage: santa [OPTIONS] <BINARY> [ARGS]...

Arguments:
  <BINARY>   Binary to load (can be a filepath, "-" for stdin, or a URI with --fetch option)
  [ARGS]...  Arguments to the binary

Options:
  -d, --jump-delay <JUMP_DELAY>  Delay jump to loaded ELF for <JUMP_DELAY> seconds for debugging
  -j, --show-jumpbuf             Show jumpbuffer using objdump to a temporary file
  -s, --show-stack               Show stack contents after preparing
  -f, --fetch                    Treat binary as a URI to fetch a binary
  -h, --help                     Print help

Execute a local ELF binary:

santa /bin/ls -la /tmp

Pipe a binary through stdin:

cat /bin/echo | santa - "Hello, World!"

Download and execute a binary from a remote URL:

santa --fetch https://example.com/path/to/binary arg1 arg2

Execute with a 5-second delay for debugger attachment:

santa --jump-delay 5 /bin/ls -la

Show stack contents and jumpbuffer information:

santa --show-stack --show-jumpbuf /bin/echo "test"

Fetch a remote binary with debugging enabled:

santa --fetch --jump-delay 3 --show-stack https://example.com/binary

• Rust 1.70+ (2021 edition)
• Linux/Unix-like system (for ELF support)

# Debug build with full logging
RUST_LOG=debug cargo build

# Run tests
cargo test

# Run with logging
RUST_LOG=info cargo run -- /bin/echo "test"

This project is licensed under the MIT License - see the LICENSE file for details. This project also includes a clause on its use of a BSD-3-Clause project's code.

• Inspired by userland exec research and in-memory loading techniques
• Inspired heavily by the python implementation of ulexecve. Their implementation is heavily inspired by previous userland exec approachs (such as grugq's The Design and Implementation of Userland Exec and Phrack 62). The code is generally modeled after the python version but this implementation is original and written in Rust (except the assembly snippets where credit is given).
• Built with Rust's memory safety guarantees for secure execution
• Thanks to the ELF specification maintainers and reverse engineering community

Disclaimer: This tool is intended for educational and research purposes. Users are responsible for complying with applicable laws and regulations.