Can I exec an entirely new process without an executable file?
source link: https://unix.stackexchange.com/questions/230472/can-i-exec-an-entirely-new-process-without-an-executable-file
Suppose my non-root 32-bit app runs on a 64-bit system, all filesystems of which are mounted as read-only. The app creates an image of a 64-bit ELF in memory. But due to read-only filesystems it can't dump this image to a file to do an execve on. Is there still a supported way to launch a process from this image?
Note: the main problem here is to switch from 32-bit mode to 64-bit, not doing any potentially unreliable hacks. If this is solved, then the whole issue becomes trivial — just make a custom loader.
3 Answers
Yes, via memfd_create and fexecve:

#define _GNU_SOURCE
#include <sys/mman.h>   /* memfd_create, MFD_CLOEXEC */
#include <unistd.h>     /* fexecve */
int fd = memfd_create("foo", MFD_CLOEXEC);
// write your image to fd however you want
fexecve(fd, argv, envp);
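The memfd_create/fexecve route in the answer above leaves a trace a defender can look for: a process whose main executable lives only in a memfd has no path on disk, so its /proc/<pid>/exe symlink resolves to "/memfd:<name> (deleted)" rather than a filesystem path. The following C program is an added example, not code from the thread, that classifies such link targets and walks /proc to report any running memfd-backed process. It assumes a Linux /proc with that link format; the function names is_memfd_exe, memfd_name and scan_memfd_processes are this example's own.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Classify the target of a /proc/<pid>/exe symlink. A process started
 * with fexecve() on a memfd_create() descriptor has no path on disk, so
 * the kernel reports the link as "/memfd:<name> (deleted)". Returns 1 if
 * the target looks memfd-backed, 0 otherwise. */
int is_memfd_exe(const char *target)
{
    return strncmp(target, "/memfd:", 7) == 0;
}

/* Extract the memfd name from a target such as "/memfd:foo (deleted)",
 * dropping the " (deleted)" suffix. Returns 1 and fills out on success,
 * 0 if the target is not memfd-backed. */
int memfd_name(const char *target, char *out, size_t outlen)
{
    if (!is_memfd_exe(target) || outlen == 0) return 0;
    const char *name = target + 7;
    size_t len = strlen(name);
    const char *suffix = " (deleted)";
    size_t slen = strlen(suffix);
    if (len >= slen && strcmp(name + len - slen, suffix) == 0) len -= slen;
    if (len >= outlen) len = outlen - 1;
    memcpy(out, name, len);
    out[len] = '\0';
    return 1;
}

/* Walk /proc and call report() for each process whose exe link is
 * memfd-backed. Returns the number of hits, or -1 if /proc is unreadable.
 * readlink() on another user's process fails with EACCES, so run as root
 * for a system-wide view. */
int scan_memfd_processes(void (*report)(pid_t pid, const char *target))
{
    DIR *proc = opendir("/proc");
    if (!proc) return -1;
    int hits = 0;
    struct dirent *de;
    while ((de = readdir(proc)) != NULL) {
        if (!isdigit((unsigned char)de->d_name[0])) continue;  /* not a pid */
        char path[64], target[PATH_MAX];
        snprintf(path, sizeof path, "/proc/%s/exe", de->d_name);
        ssize_t n = readlink(path, target, sizeof target - 1);
        if (n < 0) continue;  /* permission denied or kernel thread */
        target[n] = '\0';
        if (is_memfd_exe(target)) {
            hits++;
            if (report) report((pid_t)atoi(de->d_name), target);
        }
    }
    closedir(proc);
    return hits;
}

static void print_hit(pid_t pid, const char *target)
{
    char name[NAME_MAX + 1];
    memfd_name(target, name, sizeof name);
    printf("pid %ld runs from memfd \"%s\" (%s)\n", (long)pid, name, target);
}

int main(void)
{
    int hits = scan_memfd_processes(print_hit);
    if (hits < 0) { perror("/proc"); return 1; }
    printf("%d memfd-backed process(es) found\n", hits);
    return 0;
}
```

Note that this check only covers the memfd_create/fexecve path. The userland-exec approach described in the later answers never goes through a file descriptor, so /proc/<pid>/exe keeps pointing at the original interpreter (for example the Python binary running ulexecve); catching that requires comparing the process's mapped segments against what the exe on disk should contain, which is a separate check.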
You're looking for something like "userland exec". Implementation here. Basically, this involves loading some position-independent code that has no external references into memory, and marking it executable. This position independent code removes the previously-running executable, and reloads. Sounds like you might have to modify the userland exec I wrote at least a little.
The comment by user732 and the link is outdated. But the gist is right; you need a "userland exec" implementation of which there are several. One that is useful in scenarios where you can't write anywhere but can execute Python scripts can be found at https://github.com/anvilsecure/ulexecve/. I wrote this one and you might want some more context via the overview blogpost introducing it to the world: https://www.anvilsecure.com/blog/userland-execution-of-binaries-directly-from-python.html
It should be rather trivial to change the code of ulexecve above such that it switches as well from 32-bit to 64-bit mode or vice versa. That's an interesting use case I didn't think about nor implement. But the approach sketched by @Ruslan should work.
Rapid7's Mettle also has a utility named noexec that basically does the same thing: https://github.com/rapid7/mettle. This is a lower-level utility written in C so you would end up with another ELF binary that would then allow you to do a userland execution.