Tags: kernel hooking re module 

Rating: 5.0


Original writeup (https://github.com/tq2ctf/writeups/tree/master/2018_06_23_GoogleCTF/keygenme).
theKidOfArcrania, June 27, 2018, 2:04 a.m.

You explained it better than mine! Cool writeup.

Although I still think adding some kernel hooks might have been a little heavy-handed...


Grazfather, June 27, 2018, 5:54 a.m.

Nice writeup.

I was using binja which had a lot more trouble (it seems) following the obfuscated flow. I ended up patching NOPs over anything redundant (or patching in a jump to the true address) to try to clean it up.

To dump the secondary ELF I think I did something clever: The write to the memfd, I just replaced the fd arg with stderr (2) and then just ran the binary, piping 2>secondary.