2

I saw somewhere mentioned that one can "emulate" execve (primarily with open and mmap) in order to load some other binary (without actual "execve" syscall).

  1. Are there any already implemented examples for it?
  2. Can we load both static and dynamic binaries?
  3. Can it be done portably?

Such feature may be useful for delegating work to arbitrary binaries ignoring filesystem bits or with seccomp policy installed not allowing actual execve.

Community
  • 1
  • 1
Vi.
  • 37,014
  • 18
  • 93
  • 148
  • 1
    I don't think you can really do this without kernel help. If you open the target binary and parse the ELF (or whatever other exectable file format you wish to support), you may be able to map it and do a bunch of other necessary things (such as find and map the interpreter) and then jump into the new binary's code, but you'll have trouble unmapping yourself at the same time and with a few other things like convincing the kernel that the currently running executable has changed. – Celada Mar 16 '13 at 00:27
  • What happen if your just little bit remains mapped? "convincing the kernel that the currently running executable has changed" -> What for? The goal is primarily to execve behind kernel's back. Partial result (i.e. being able to run most binaries) is also OK. – Vi. Mar 16 '13 at 00:28
  • Point taken regarding "convincing the kernel". As for your first point, yes, I suppose you could "almost" do it by leaving only a tiny bit of handoff code mapped in the address space. But by the way, another problem is that I believe the current executable is always mapped at the same virtual address and I really don't know if `mmap()` will let you unmap what's already there and map something else instead. – Celada Mar 16 '13 at 00:34
  • To get around that you could exec a helper binary that's intentionally loaded at a different virtual address that is out of the way, leaving the space that binaries are usually mapped into free. It's an interesting (and ambitious) problem to solve, I'll give you that. – Celada Mar 16 '13 at 00:36
  • 1
    Maybe there's already some simple dlopen/dlsym-like method for only dynamic binaries? – Vi. Mar 16 '13 at 00:48
  • I don't think so. With executables you have to deal with the ELF interpreter which doesn't apply to shared libraries so `dlopen` doesn't handle that. `dlsym` is also going to assume that you want symbols in the target file to link against the currently running binary, which is not what you want in this case. My guess is you'll probably want to use [libelf](http://directory.fsf.org/wiki/Libelf). – Celada Mar 16 '13 at 01:21
  • You probably won't be able to convince the kernel to change `/proc/self/exe` without `execve`. – Basile Starynkevitch Mar 16 '13 at 07:07

0 Answers0