#1  not a fan of fascism (n00b)

    duplicating execve() in user space?

    I've written a program that takes a binary exe and parses all of the tables and headers. With this info I have all that I need to arrange the process in memory (I think). Now, the question is: can I replace the current process image manually, like execve() does? My first idea was to just do like so:
    Code:
     #include <strings.h>   /* bzero() */
     /* zero the page at the usual i386 text load address and lay the new
        image out there; the int-to-pointer conversion needs a cast in C */
     char *ptr = (char *)0x08048000;

     bzero(ptr, 0x1000);
    and then start laying out the process in memory, and then jump to the first instruction. So before I attempt this, is this something that's possible, or can only the kernel do this? I'll probably have to RTFS for execve(), but any tips would be appreciated.
#2  Banned ;)

    Ah, the good old self modifying program :). Try something like this:
    Code:
    #define SOMESIZE 4096   /* room for however much code you load */

    void (*func)(void);

    int main(void) {
       char buf[SOMESIZE];

       /* load buf up with the binary code as necessary */

       /* Point func to buf and then execute it; the cast turns the data
          pointer into a function pointer. buf is stack data, so where the
          stack is non-executable this call faults. */
       func = (void (*)(void))buf;
       (*func)();

       return 0;
    }
    HTH :)
#3  not a fan of fascism (n00b)

    Yep, that other way wouldn't have worked because I would have started writing over the variables and the file descriptor I was reading from. Thanks!
#4  I'm Baaaaaaack!

    You have to know if your OS execute-protects data space (Linux and Windows both do, I am pretty sure). What that means is that the OS will prevent execution of data and will typically prevent writing to code space. There are, of course, ways around these restrictions. I haven't done this, but have read about it a lot (I intend, one of these days, to write a self-programming program), so you can't count on me for the details. You have to make an API call to flush the instruction cache, which is typically in a different location on the chip and is read-only anyway, then you have to notify the OS that you want these data pages to become code pages, then resume execution. The OS will reload your code pages into the instruction cache and you should be off to the races.

    Let me know what works!

#5  not a fan of fascism (n00b)

    Damn, this is tough. I'm a bit confused here as well. I was able to successfully do this with a little crap hello world. The hello world is really basic: it's in asm and uses a couple of system calls, so it only has 1 segment that I map into the buffer; it's pretty much like when testing shellcode, so I was expecting it to work, ya know? But for anything that calls library functions it craps out and segfaults. When I run 'strace <command>', it first execve's whatever command, and then it goes through a bunch of fstats and mmaps() various .so's into this address: 0x40021000. Do I have to do all that as well? Or have I gone completely off the beaten path here? :D
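Added example, not code from anyone in the thread: the planning step a user-space loader needs before it touches memory. Instead of bzero()ing 0x08048000 or jumping into a stack buffer, it reads the program headers and works out, for each PT_LOAD, the page-aligned region and the mmap()/mprotect() protection from p_flags, and it flags a PT_INTERP so a dynamically linked binary (the case that segfaults in post #5, because ld.so would have to map the .so files) is recognised up front. It assumes Linux with glibc or musl <elf.h> and 64-bit ELF; the sample image and its addresses are constructed, not taken from any real binary.

```c
#include <elf.h>        /* Elf64_*, PT_*, PF_* (glibc/musl; pulls in <stdint.h>) */
#include <string.h>
#include <sys/mman.h>   /* PROT_* values to hand to mmap()/mprotect() */
#define PAGE 4096ULL
struct seg { uint64_t start, len; int prot; };   /* one region to map */

/* mmap()/mprotect() protection derived from the segment's p_flags. */
int elf_prot(uint32_t f) {
    return ((f & PF_R) ? PROT_READ : 0) | ((f & PF_W) ? PROT_WRITE : 0)
         | ((f & PF_X) ? PROT_EXEC : 0);
}

/* Walk the program headers of an ELF64 image in img[0..len): fill out[] with the
 * page-aligned region of each PT_LOAD, set *interp when a PT_INTERP is present
 * (dynamically linked: ld.so would have to map the .so files, which this never
 * does), and return the segment count, or -1 for a malformed or truncated image. */
int plan_layout(const unsigned char *img, size_t len, struct seg *out,
                size_t max, int *interp) {
    Elf64_Ehdr eh; if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) || eh.e_ident[EI_CLASS] != ELFCLASS64
        || eh.e_type != ET_EXEC || eh.e_phentsize != sizeof(Elf64_Phdr) || eh.e_phoff > len
        || eh.e_phnum > (len - eh.e_phoff) / sizeof(Elf64_Phdr)) return -1; /* table in img */
    int n = 0; *interp = 0;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph; memcpy(&ph, img + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_INTERP) *interp = 1;
        if (ph.p_type != PT_LOAD) continue;
        if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset  /* file bytes exist */
            || ph.p_memsz < ph.p_filesz || (size_t)n == max) return -1;
        uint64_t end = (ph.p_vaddr + ph.p_memsz + PAGE - 1) & ~(PAGE - 1);
        out[n].start = ph.p_vaddr & ~(PAGE - 1); out[n].len = end - out[n].start;
        out[n++].prot = elf_prot(ph.p_flags);
    }
    return n;
}

/* Constructed 512-byte sample (not a real binary): r-x text at 0x400000, rw- data
 * plus .bss at 0x601000; with dynamic != 0 a PT_INTERP entry is added as well. */
size_t build_sample(unsigned char *buf, int dynamic) {
    Elf64_Ehdr eh = {0};
    memcpy(eh.e_ident, ELFMAG, SELFMAG); eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_type = ET_EXEC; eh.e_entry = 0x4000b0; eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr); eh.e_phnum = dynamic ? 3 : 2;
    Elf64_Phdr ph[3] = {
        { PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000, 0x1a0, 0x1a0, PAGE },
        { PT_LOAD, PF_R | PF_W, 0x1a0, 0x601000, 0x601000, 0x20, 0x1020, PAGE },
        { PT_INTERP, PF_R, 0xe8, 0x4000e8, 0x4000e8, 0x1c, 0x1c, 1 } };
    memset(buf, 0, 0x200); memcpy(buf, &eh, sizeof eh); memcpy(buf + sizeof eh, ph, sizeof ph);
    return 0x200;
}

struct seg planned[4]; int planned_interp;      /* results of plan_sample() */
int plan_sample(int dynamic) { unsigned char img[0x200];
    return plan_layout(img, build_sample(img, dynamic), planned, 4, &planned_interp); }
```

Each planned region is what the loader would hand to mmap(MAP_FIXED) or mprotect() before copying p_filesz bytes in and leaving the rest zeroed for .bss; the text segment ends up r-x, the data segment rw-, and nothing is both writable and executable.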
