From 25687afdd09c4f201eb267235a2c401bec9cb188 Mon Sep 17 00:00:00 2001 From: Anonymous Date: Fri, 26 Apr 2019 00:04:16 +0000 Subject: [PATCH] Created vondehi (markdown) --- explain/vondehi.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 explain/vondehi.md diff --git a/explain/vondehi.md b/explain/vondehi.md new file mode 100644 index 0000000..99ad252 --- /dev/null +++ b/explain/vondehi.md @@ -0,0 +1,12 @@ +## vondehi + +Vondehi is an in-memory unpacker for data compressed with `gzip` or `xz` (or +`xz` in LZMA1-mode). It basically performs these steps: + +1. Set up a memfd using the `memfd_create` syscall. This file descriptor works + like a regular file, except the backing storage is RAM. +2. Fork, pipe the payload data to `zcat` or `xzcat`, which outputs everything + to teh memfd from step 1. +3. Run `execveat` on the memfd. + +Of course, the code itself is hand-optimized x86 assembly, and is very crazy.
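Review bot: Typo in step 2 of the new `explain/vondehi.md`: "to teh memfd from step 1" should read "to the memfd from step 1". In the same hunk, the intro line "compressed with `gzip` or `xz` (or `xz` in LZMA1-mode)" names `xz` twice; if the parenthetical means the raw LZMA1 container that `xzcat` also accepts, say so explicitly, otherwise drop it, since as written it does not tell the reader which third format is supported. Step 1 could also state that the memfd is created with `MFD_CLOEXEC` (or explain why it is deliberately left inheritable), because the descriptor is handed to a forked child that executes `zcat`/`xzcat`, and step 3 would be clearer if it said how `execveat` addresses the memfd (it has to be called with an empty pathname and `AT_EMPTY_PATH` to execute the descriptor itself). Finally, "is very crazy" in the closing line is not informative documentation; a short note on what the hand-optimized x86 assembly optimizes for (size, since this is an unpacker stub) would serve the reader better.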